From abhi.raghav007 at gmail.com Wed May 1 02:59:42 2019
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Wed, 1 May 2019 12:29:42 +0530
Subject: [keycloak-user] Keycloak cluster setup on Openshift

I too experienced such an error, which says "ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from one of the node....", but not on Openshift; it was on a different container orchestration framework with Keycloak 4.8.3.Final. Then Sebastian Laskawiec suggested I try the same setup on 5.0.0, as there are a lot of fixes in jgroups 4.0.15, which is released with WILDFLY15. For me it worked.

I would suggest you go for 5.0.0 and see if it works.

- Best Regards
Abhishek

On Tue, Apr 30, 2019 at 3:52 PM Jon Huang wrote:

> Dear Keycloakers
>
> On my local environment, I set up a Keycloak cluster with multi-cast and it's OK.
> However, there are some issues which might be related to infinispan when I migrate to Openshift with KUBE_PING.
> (btw, I tested with Keycloak version: 4.8.1 docker version)
>
> I put the detailed log in the attachment and hope it helps. (the log below is an abstract version)
> It seems that infinispan times out and is not working correctly (which works in my local environment though)
> Does anyone have the same experience on Openshift?
> Thanks
>
> *Firstly, node 1 detected node2*
> [org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN000094: Received new cluster view for channel ejb: [kc-22-qzws9|5] (2) [kc-22-qzws9, kc-22-wf2pf]
> [org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN100000: Node kc-22-wf2pf joined the cluster
> [org.infinispan.CLUSTER] (remote-thread--p13-t6) [Context=loginFailures] ISPN100002: Starting rebalance with members [kc-22-qzws9, kc-22-wf2pf], phase READ_OLD_WRITE_ALL, topology id 2
> ...
> *Then some error happened*
> *[log from node1:]*
> [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t3) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from kc-22-wf2pf
>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     ... 1 more
> [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p16-t9) ISPN000208: No live owners found for segments {0-255} of cache clientSessions. Excluded owners: []
> *[log from node2:]*
> [org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.jboss.msc.service.StartException in service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>     at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
>     at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
>     ...
> Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>     at org.infinispan.commons.util.SecurityActions.lambda$invokeAccessibly$0(SecurityActions.java:83)
>     at org.infinispan.commons.util.SecurityActions.doPrivileged(SecurityActions.java:71)
>     at org.infinispan.commons.util.SecurityActions.invokeAccessibly(SecurityActions.java:76)
>     at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:185)
>     ... 7 more
> Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache offlineClientSessions on kc-22-wf2pf
>     at org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:233)
>     ... 30 more
> [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "keycloak"),
>     ("replicated-cache" => "work")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.infinispan.cache.keycloak.work" => "org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache work on kc-22-wf2pf"}}
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chttl582 at gmail.com Wed May 1 03:14:04 2019
From: chttl582 at gmail.com (Jon Huang)
Date: Wed, 1 May 2019 15:14:04 +0800
Subject: [keycloak-user] Keycloak cluster setup on Openshift

Dear Abhishek

Big thanks for your prompt reply. I'll try to get a newer Keycloak version and test again.

Regards

On Wed, 1 May 2019 at 2:59, abhishek raghav wrote:

> I too experienced such an error, which says "ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from one of the node...."
>
> But not on Openshift; it was on a different container orchestration framework with Keycloak 4.8.3.Final. Then Sebastian Laskawiec suggested I try the same setup on 5.0.0, as there are a lot of fixes in jgroups 4.0.15, which is released with WILDFLY15. For me it worked.
>
> I would suggest you go for 5.0.0 and see if it works.
>
> - Best Regards
> Abhishek
>
> On Tue, Apr 30, 2019 at 3:52 PM Jon Huang wrote:
>
>> Dear Keycloakers
>>
>> On my local environment, I set up a Keycloak cluster with multi-cast and it's OK.
>> However, there are some issues which might be related to infinispan when I migrate to Openshift with KUBE_PING.
>> (btw, I tested with Keycloak version: 4.8.1 docker version)
>>
>> I put the detailed log in the attachment and hope it helps. (the log below is an abstract version)
>> It seems that infinispan times out and is not working correctly (which works in my local environment though)
>> Does anyone have the same experience on Openshift?
>> Thanks
>>
>> *Firstly, node 1 detected node2*
>> [org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN000094: Received new cluster view for channel ejb: [kc-22-qzws9|5] (2) [kc-22-qzws9, kc-22-wf2pf]
>> [org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN100000: Node kc-22-wf2pf joined the cluster
>> [org.infinispan.CLUSTER] (remote-thread--p13-t6) [Context=loginFailures] ISPN100002: Starting rebalance with members [kc-22-qzws9, kc-22-wf2pf], phase READ_OLD_WRITE_ALL, topology id 2
>> ...
>> *Then some error happened*
>> *[log from node1:]*
>> [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t3) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from kc-22-wf2pf
>>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     ... 1 more
>> [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p16-t9) ISPN000208: No live owners found for segments {0-255} of cache clientSessions. Excluded owners: []
>> *[log from node2:]*
>> [org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.jboss.msc.service.StartException in service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>     at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
>>     at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
>>     ...
>> Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>     at org.infinispan.commons.util.SecurityActions.lambda$invokeAccessibly$0(SecurityActions.java:83)
>>     at org.infinispan.commons.util.SecurityActions.doPrivileged(SecurityActions.java:71)
>>     at org.infinispan.commons.util.SecurityActions.invokeAccessibly(SecurityActions.java:76)
>>     at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:185)
>>     ... 7 more
>> Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache offlineClientSessions on kc-22-wf2pf
>>     at org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:233)
>>     ... 30 more
>> [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>>     ("subsystem" => "infinispan"),
>>     ("cache-container" => "keycloak"),
>>     ("replicated-cache" => "work")
>> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.infinispan.cache.keycloak.work" => "org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>     Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>     Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache work on kc-22-wf2pf"}}
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From aechols at bfcsaz.com Wed May 1 13:11:15 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Wed, 1 May 2019 10:11:15 -0700
Subject: [keycloak-user] Accounts Logs

Hello All,

I've been pulling my hair out on this one. I set up a DEV instance of Keycloak to test some theming, and one thing I've noticed is that when using a realm's account page, Logs is disabled in DEV. I can't figure out how to disable that in my PROD instance. I'd like to hide that for all users, as my users won't understand what any of that means.
Currently in PROD, when going to any user's account page you see the following layout:

* Account
* Password
* Authenticator
* Sessions
* Applications
* Logs

In DEV, I see:

* Account
* Password
* Authenticator
* Sessions
* Applications

That's what I'd like to see in PROD as well. I'm hoping it's something simple I'm missing. Thanks in advance. :)

--
Aaron Echols

From pavel.masloff at gmail.com Wed May 1 16:49:31 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Wed, 1 May 2019 22:49:31 +0200
Subject: [keycloak-user] 401 causes CORS error

Hi all,

I've observed this issue for a long time now.

Standard scenario: a backend app secured with the Springboot Adapter + a frontend app which uses the keycloak.js library. Two clients are configured (*public* for token acquisition + *bearer only* for REST calls). Allowed CORS origins are set to * (Web Origins field for the public client). application.properties has *keycloak.cors* set to *true*. The REST controller has the *@CrossOrigin* annotation. Everything works as expected.

Until: the frontend app sends an erroneous token in the Authorization header (e.g.: "Bearer blablabla"). As a result, I get a CORS error, which says:

*Access to XMLHttpRequest at 'https://xxxxxx.herokuapp.com/items' from origin 'http://localhost:1234' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.*

[image: Screenshot 2019-05-01 at 22.31.40.png]

If I look at the preflight request though, then the *Access-Control-Allow-Origin* header is indeed set.

[image: Screenshot 2019-05-01 at 22.37.16.png]

Why that error message then? I must admit this confused me multiple times, as I thought that I had issues with CORS. Also the frontend logic is undermined, as I should include a custom interceptor (which I don't want to do heheh).

I tried both 4.8.3.Final and 5.0.0 - same result.

Any ideas? Thanks in advance!

Regards,
Pavel Maslov, MS

[non-text attachment scrubbed: Screenshot 2019-05-01 at 22.31.40.png, image/png, 64766 bytes: http://lists.jboss.org/pipermail/keycloak-user/attachments/20190501/a5d88afb/attachment-0002.png]
[non-text attachment scrubbed: Screenshot 2019-05-01 at 22.37.16.png, image/png, 113215 bytes: http://lists.jboss.org/pipermail/keycloak-user/attachments/20190501/a5d88afb/attachment-0003.png]

From ssancheti at mail.com Wed May 1 17:48:26 2019
From: ssancheti at mail.com (Sandeep Sancheti)
Date: Wed, 1 May 2019 23:48:26 +0200
Subject: [keycloak-user] Self Service Password Expiry Reset

From erangac at gmail.com Thu May 2 00:29:46 2019
From: erangac at gmail.com (Eranga Samararathna)
Date: Thu, 2 May 2019 09:59:46 +0530
Subject: [keycloak-user] Generate password reset URL

I want to send the Keycloak user reset-password email from my web app without using the Keycloak SMTP configuration. For that I am trying to generate the reset-password link, but I am not sure how to generate the code in the URL.

Is there any API call to generate the action code or the full reset-password URL?

Keycloak generates something like the one below. I need to generate the same. That's the objective.

https://server.com/auth/realms/xxx/login-actions/action-token?key=ffdfdfdfd

From gary at apnic.net Thu May 2 02:18:06 2019
From: gary at apnic.net (Gary Kennedy)
Date: Thu, 2 May 2019 06:18:06 +0000
Subject: [keycloak-user] Service account token mappers?
Message-ID: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net>

I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
I don't want user tokens generated through the client to have the claim (unless absolutely necessary).

How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?

If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.

(Keycloak 4.8.2)

Cheers,
Gary

[non-text attachment scrubbed: smime.p7s, application/pkcs7-signature, 3492 bytes: http://lists.jboss.org/pipermail/keycloak-user/attachments/20190502/1b76fe20/attachment.bin]

From testoauth55 at gmail.com Thu May 2 03:40:10 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 2 May 2019 13:10:10 +0530
Subject: [keycloak-user] Unable to integrate SAML 2 provider - Pingfederate

Any idea whether PingFederate integration is supported by keycloak? Any documentation for integrating PingFederate with keycloak?

On Wed, May 1, 2019 at 9:05 AM Bruce Wings wrote:

> I have successfully integrated OKTA as a SAML 2 provider.
> Now I am trying to integrate Pingfederate as a SAML 2 provider. Pingfederate successfully redirects back to keycloak:
> ( /auth/realms//broker/pingfed/endpoint )
>
> But keycloak gives the following error trace:
>
> 2019-04-30 13:27:23,196 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:450)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:485)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:243)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365)
>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441)
>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231)
>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137)
>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
>     at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.NullPointerException
>
>

From j9dy1g at gmail.com Thu May 2 05:02:34 2019
From: j9dy1g at gmail.com (Jody H)
Date: Thu, 2 May 2019 11:02:34 +0200
Subject: [keycloak-user] Keycloak in HA mode on Kubernetes fails with "invalid_code" when requesting tokens

Hi,

we still could not figure out how to fix this. Some further input would be great.

Thanks!
Jody

On Thu, 25 Apr 2019 at 11:58, Jody H wrote:

> Hi,
> the Helm chart has not yet switched to KUBE_PING; it is using DNS_PING with a headless service in Kubernetes.
> A snippet from the statefulset.yaml:
> - name: JGROUPS_DISCOVERY_PROTOCOL
>   value: "dns.DNS_PING"
> - name: JGROUPS_DISCOVERY_PROPERTIES
>   value: "dns_query={{ template "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
>
> In the logs, here from node keycloak-0, it looks like the nodes join the cluster successfully?
> 15:23:52,017 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
> 15:23:52,017 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
> 15:23:52,020 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
> 15:23:52,020 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
> 15:23:52,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
> 15:23:52,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
> 15:23:52,084 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
> 15:23:52,084 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
> 15:23:52,085 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
> 15:23:52,090 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
> 15:23:52,091 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
> 15:23:52,092 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
> 15:23:52,118 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
> 15:23:52,118 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
> 15:23:52,119 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
> 15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started authorization cache from keycloak container
> 15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realms cache from keycloak container
> 15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0002: Started users cache from keycloak container
> 15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started keys cache from keycloak container
> 15:23:52,587 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started clientSessions cache from keycloak container
> 15:23:52,588 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started work cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0002: Started sessions cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0002: Started authenticationSessions cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started actionTokens cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started offlineClientSessions cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started loginFailures cache from keycloak container
> 15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started client-mappings cache from ejb container
> 15:23:53,596 INFO [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
> 15:23:53,926 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started realmRevisions cache from keycloak container
> 15:23:53,930 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started userRevisions cache from keycloak container
> 15:23:53,934 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
>
> I can see that the Helm chart also sets these clustering values when in HA mode (https://github.com/helm/charts/blob/master/stable/keycloak/values.yaml#L148-L149 --> https://github.com/helm/charts/blob/master/stable/keycloak/scripts/ha.cli):
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
>
> /subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp)
>
> Not sure about the default value of "2" for the CACHE_OWNERS part. The ENV variable CACHE_OWNERS is not set in the default values.yaml, so the value I'm currently using is 2 as well.
> Because I have a 3-instance cluster, wouldn't I be better off with a value > of "3" in all of those configurations? > > Any further ideas? How did you fix the issue in your configuration? > Thanks > > > On Wed, 24 Apr 2019 at 19:44, ??? wrote: > >> Hi, >> >> I met exactly the same issue before, but I didn't use kube_ping. >> I suppose your pods weren't clustered well; to verify this you can check >> the logs, which will >> show you all members in the cluster. >> >> BTW this repo might give you some clue. >> https://github.com/zhangliqiang/keycloak-cluster-setup-and-configuration >> >> >> >> >> On Thu, 25 Apr 2019 at 1:07 AM, Jody H wrote: >> >>> Hi, >>> >>> we have some trouble generating tokens with the authentication code flow >>> in our Keycloak 5.0.0 cluster. >>> Some information about the cluster: >>> 1) We have a cluster with 3 instances in Kubernetes, deployed by the >>> Keycloak Helm Chart ( >>> https://github.com/helm/charts/tree/master/stable/keycloak) >>> 2) I can see that some Infinispan stuff is going on in the logs when the >>> cluster is starting up. I have checked that the shell script that is >>> executed on startup contains the " -c standalone-ha.xml" switch. I cannot >>> find any mentions of the string "standalone-ha.xml" in the log output >>> though. >>> 3) Our cluster is load balanced with an HAProxy >>> 4) The webservice we want to access is secured by Keycloak Gatekeeper ( >>> https://github.com/keycloak/keycloak-gatekeeper) >>> >>> When using a browser to log in to keycloak-secured websites (i.e. >>> websites >>> that use the keycloak cluster to perform the OIDC authentication code >>> flow >>> and authenticate our users), we did not see problems so far. The keycloak >>> gatekeeper "proxy" is redirecting to keycloak when no cookie is present >>> for >>> login, trading in the code for id, access and refresh tokens and passing >>> the access_token to the reverse-proxied website after successful login. 
>>> >>> To test our APIs we would like to use Postman. >>> However, when using Postman with its built-in OAuth 2.0 authentication, >>> we >>> see a problem that is reproducible on 4 laptops which are in the same LAN >>> as the keycloak cluster. Postman can request access tokens by using the >>> authentication code flow in its GUI. In Postman's "Get New Access Token" >>> window, we use these settings: >>> 1. callback url: the same redirect_uri that is pointing to the Keycloak >>> gatekeeper callback endpoint (/oauth/callback endpoint) >>> 2. auth url: >>> >>> https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/auth >>> 3. access token url: >>> >>> https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/token >>> 4. client-id: client-id from Keycloak >>> 5. client-secret: client-secret from Keycloak >>> 6. scope: openid >>> 7. Client Authentication: "Send as Basic Auth header" >>> >>> When clicking the "Request Token" button in Postman, we receive the error >>> "invalid_code" in roughly 9 out of 10 tries. Basically, if we spam the >>> button, sometimes it works but most of the time it does not. For another >>> laptop which is connected via VPN and thus has a higher latency, the >>> requests work just fine. >>> >>> I am thinking about the following: >>> Is it possible that the initial request is sent to keycloak-0, then >>> returned to the client (postman) and then immediately sent back to the >>> loadbalancer-url to trade in the code for tokens... and then hits another >>> instance due to loadbalancing, for example keycloak-1, which has no >>> information about the authentication process that was initiated on >>> keycloak-0? The invalid_code error is returned after just 4 milliseconds, >>> which is rather fast. Maybe the cluster is not properly synchronizing in >>> time? Any idea on how to fix this? 
>>> >>> Thanks >>> Jody >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> -- >> FIT2CLOUD >> http://fit2cloud.com | Mobile +86-18701062478 >> > From mrestelli at cuebiq.com Thu May 2 08:52:04 2019 From: mrestelli at cuebiq.com (Matteo Restelli) Date: Thu, 2 May 2019 14:52:04 +0200 Subject: [keycloak-user] Infinispan MBean Null Pointer Exception Message-ID: Hi all, We're encountering a NullPointerException during our scraping of JMX metrics in Keycloak. More precisely:

- We're exporting the JMX via Prometheus Exporter Agent (javaagent)
- Our additional run params are the following:
  "-Djava.util.logging.manager=org.jboss.logmanager.LogManager -Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager -Xbootclasspath/p:/opt/jboss/keycloak/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.7.Final.jar -Xbootclasspath/p:$JBOSS_HOME/modules/system/layers/base/org/wildfly/common/main/wildfly-common-1.4.0.Final.jar -javaagent:/opt/jboss/keycloak/jmx_prometheus_javaagent.jar=18080:/home/config.yaml"
- Every time Prometheus scrapes on the 18080 port, we encounter a lot of NullPointerExceptions related to LockingMetric.java. 
See the following error:

12:42:08,318 ERROR [org.jboss.as.controller.management-operation] (pool-1-thread-3) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("local-cache" => "users"),
    ("component" => "locking")
]): java.lang.NullPointerException
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetric$1.execute(LockingMetric.java:41)
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetric$1.execute(LockingMetric.java:38)
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetricExecutor.execute(LockingMetricExecutor.java:46)
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetricExecutor.execute(LockingMetricExecutor.java:37)
    at org.jboss.as.clustering.controller.MetricHandler.executeRuntimeStep(MetricHandler.java:75)
    at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:59)
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1411)
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:423)
    at org.jboss.as.controller.ModelControllerImpl.lambda$execute$0(ModelControllerImpl.java:227)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:265)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:231)
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:227)
    at org.jboss.as.jmx.model.ModelControllerMBeanHelper.execute(ModelControllerMBeanHelper.java:555)
    at org.jboss.as.jmx.model.ModelControllerMBeanHelper.getAttribute(ModelControllerMBeanHelper.java:316)
    at org.jboss.as.jmx.model.ModelControllerMBeanHelper.getAttributes(ModelControllerMBeanHelper.java:294)
    at org.jboss.as.jmx.model.ModelControllerMBeanServerPlugin.getAttributes(ModelControllerMBeanServerPlugin.java:146)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttributes(PluggableMBeanServerImpl.java:416)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.scrapeBean(JmxScraper.java:151)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.doScrape(JmxScraper.java:117)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxCollector.collect(JmxCollector.java:460)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.findNextElement(CollectorRegistry.java:183)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:216)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:137)
    at io.prometheus.jmx.shaded.io.prometheus.client.exporter.common.TextFormat.write004(TextFormat.java:22)
    at io.prometheus.jmx.shaded.io.prometheus.client.exporter.HTTPServer$HTTPMetricHandler.handle(HTTPServer.java:59)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
    at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
    at sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
    at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

We're getting this error on Keycloak 6.0.0, 5.0.0 and 4.8.3.Final (we didn't try with previous versions). Is there something we're missing? Thank you in advance, Matteo -- This email is reserved exclusively for sending and receiving messages inherent to working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly be read by persons other than the subscriber of the box. Confidential information may be contained in this message. If you are not the addressee indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message. From minne.sebastien at gmail.com Thu May 2 09:54:03 2019 From: minne.sebastien at gmail.com (Sébastien Minne) Date: Thu, 2 May 2019 15:54:03 +0200 Subject: [keycloak-user] Keycloak with loadbalancer managing SSL Message-ID: Hi Everyone, I'm trying to install a Keycloak cluster which is behind a load balancer. This load balancer exposes a certificate. It seems that my Keycloak (JBoss) is also exposing a certificate, but I can't find where it comes from. First question: - To me it sounds like a bad idea to have a certificate on the load balancer and another one on the JBoss. Right? 
- How can I disable the JBoss certificate (or use the one exposed by the load balancer)? Thanks From fabrice.geslin-prestataire at laposte.fr Thu May 2 11:00:38 2019 From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice) Date: Thu, 2 May 2019 15:00:38 +0000 Subject: [keycloak-user] How to dynamically trigger a custom required action in a flow ? In-Reply-To: References: , Message-ID: Hi Sébastien, JIRA https://issues.jboss.org/browse/KEYCLOAK-10182 created accordingly. Regards, Fabrice Geslin Groupe La Poste ________________________________ From: Sebastien Blanc Sent: Tuesday, 30 April 2019 10:19 To: GESLIN Fabrice Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to dynamically trigger a custom required action in a flow ? If you believe there is an inconsistency please open a JIRA; tbh I don't know that much about the implementation details of this part. You probably have, but worth asking: have you set the priority of your custom required action? I can see that "Update password" has prio 30, so your custom action should be >30 (0 is the highest priority) if you want it to be run after. And regarding sort by names and priority, if I look at the implementation of the comparator it looks like it first sorts by prio and after that by name (if they have the same prio). On Tue, Apr 30, 2019 at 9:43 AM GESLIN Fabrice > wrote: Hi Sébastien, We've finally found the addRequiredAction() function with the String parameter and it works. But we fell into a new issue due to the fact that the required actions are sometimes handled sorted and sometimes not sorted. For instance, at the end of the authentication flow processing, when the required actions are processed, they are treated in an arbitrary order that doesn't even correspond to the order in which they were added. 
In Keycloak release 4.8.3.Final, the call stack leads to line 893 of org.keycloak.services.managers.AuthenticationManager, which is:

    public static String nextRequiredAction(final KeycloakSession session, final AuthenticationSessionModel authSession,
                                            final ClientConnection clientConnection, final HttpRequest request,
                                            final UriInfo uriInfo, final EventBuilder event) {
        final RealmModel realm = authSession.getRealm();
        final UserModel user = authSession.getAuthenticatedUser();
        final ClientModel client = authSession.getClient();

        evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);

        if (!user.getRequiredActions().isEmpty()) {
            return user.getRequiredActions().iterator().next();
        }
        if (!authSession.getRequiredActions().isEmpty()) {
            return authSession.getRequiredActions().iterator().next();
        }

This causes the user to be redirected to the URI of the required action that has been arbitrarily selected. But when the browser GETs the corresponding URI, the call stack reaches line 1045 of org.keycloak.services.managers.AuthenticationManager, where the required actions are sorted according to their priorities or their names (?!?):

    protected static Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession,
                                               HttpRequest request, EventBuilder event, RealmModel realm, UserModel user,
                                               Set<String> requiredActions) {
        List<RequiredActionProviderModel> sortedRequiredActions = sortRequiredActionsByPriority(realm, requiredActions);

        for (RequiredActionProviderModel model : sortedRequiredActions) {
            RequiredActionFactory factory = (RequiredActionFactory) session.getKeycloakSessionFactory()
                    .getProviderFactory(RequiredActionProvider.class, model.getProviderId());
            if (factory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId()
                        + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session,
                    request, user, factory);
            RequiredActionProvider actionProvider = null;
            try {
                actionProvider = createRequiredAction(context);
            } catch (AuthenticationFlowException e) {
                if (e.getResponse() != null) {
                    return e.getResponse();
                }
                throw e;
            }
            actionProvider.requiredActionChallenge(context);

The side effect of this inconsistency is that in our case, where we've added a custom required action after the UPDATE_PASSWORD required action to the reset credential flow, the user is first redirected to the URI of our custom action (which is not what we expected) AND the form that is challenged to the user once redirected is the one from the UPDATE_PASSWORD action! The question is how can we have the required actions that are added to a flow be processed according to the order in which they are added? Regards, Fabrice Geslin Groupe La Poste From: Sebastien Blanc [mailto:sblanc at redhat.com] Sent: Monday, 29 April 2019 14:35 To: GESLIN Fabrice > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to dynamically trigger a custom required action in a flow ? Hi, When you say it does not accept it, do you have an exception at runtime? Because you have addRequiredAction(String string) On Mon, Apr 29, 2019 at 12:13 PM GESLIN Fabrice > wrote: Hi, We're trying to trigger a custom required action as part of the reset credential flow. For this we plan to mimic the implementation of the authenticate method of org.keycloak.authentication.authenticators.resetcred.ResetPassword.java:

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (context.getExecution().isRequired() ||
                (context.getExecution().isOptional() && configuredFor(context))) {
            context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        context.success();
    }

But the question is what value should we pass to addRequiredAction()? This method seems to only accept the predefined required actions mapped to the values from the UserModel.RequiredAction enum. 
Any help is welcome. Fabrice Geslin Groupe La Poste Post-scriptum La Poste: This message is confidential. Subject to any agreement concluded in writing between you and La Poste, its content in no way represents a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised beforehand. If you are not the intended recipient of this message, please notify the sender immediately. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From jan.lengenfeld at gbtec.de Thu May 2 11:41:55 2019 From: jan.lengenfeld at gbtec.de (Lengenfeld, Jan) Date: Thu, 2 May 2019 15:41:55 +0000 Subject: [keycloak-user] Query for a specific page from "get members of group" REST API Message-ID: <8cf8d0f41f2543f3a5489bac97a3139a@gbtec.de> Hi all, is there a way to get the total number of pages from the API "GET /{realm}/groups/{id}/members" (Get users: returns a list of users, filtered according to query parameters)? As I see it, I can only specify an offset and a page size and get a JSON array of UserRepresentations. 
But there is no max count or "maximum pages" value that is returned. That way I cannot query for a specific page. Am I missing something or is there another way to obtain this information? Best regards Jan Lengenfeld From craig at baseventure.com Thu May 2 13:18:58 2019 From: craig at baseventure.com (Craig Setera) Date: Thu, 2 May 2019 12:18:58 -0500 Subject: [keycloak-user] Possible to override single messages in theme? Message-ID: Is it possible to override a single message in a theme or is it necessary to essentially copy the entire messages file and alter the message within that? ================================= *Craig Setera* *Chief Technology Officer* From craig at baseventure.com Thu May 2 14:38:43 2019 From: craig at baseventure.com (Craig Setera) Date: Thu, 2 May 2019 13:38:43 -0500 Subject: [keycloak-user] Possible to override single messages in theme? In-Reply-To: References: Message-ID: It seems I answered my own question. I had not properly disabled theme caching to see the changes occur. ================================= *Craig Setera* *Chief Technology Officer* On Thu, May 2, 2019 at 12:18 PM Craig Setera wrote: > Is it possible to override a single message in a theme or is it necessary > to essentially copy the entire messages file and alter the message within > that? > > ================================= > *Craig Setera* > > *Chief Technology Officer* > > > From demetrio at carretti.pro Thu May 2 16:21:33 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Thu, 02 May 2019 23:21:33 +0300 Subject: [keycloak-user] Accounts Logs In-Reply-To: References: Message-ID: <1556828493.3581.1.camel@carretti.pro> Hi Aaron, Here you go: Events -> Config -> Login Events Settings -> Save Events = OFF Visibility of the logs section in the Account UI directly depends on this setting [1]. 
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java#L175 Cheers, Dmitry On Wed, 2019-05-01 at 10:11 -0700, Aaron Echols wrote: > Hello All, > > I've been pulling my hair out on this one. I set up a DEV instance of > Keycloak to test some theming and one thing I've noticed is that when > using a realm's account page, Logs is disabled in DEV. > > I can't figure out how to disable that in my PROD instance. I'd like to > hide that for all users, as my users won't understand what any of that > means. > > Currently in PROD, when going to any user's account page you see the > following layout: > > * Account > * Password > * Authenticator > * Sessions > * Applications > * Logs > > In DEV, I see: > > * Account > * Password > * Authenticator > * Sessions > * Applications > > That's what I'd like to see in PROD as well. I'm hoping it's something > simple I'm missing. Thanks in advance. :) > -- > Aaron Echols > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From aechols at bfcsaz.com Thu May 2 16:31:06 2019 From: aechols at bfcsaz.com (Aaron Echols) Date: Thu, 2 May 2019 13:31:06 -0700 Subject: [keycloak-user] Accounts Logs In-Reply-To: <1556828493.3581.1.camel@carretti.pro> References: <1556828493.3581.1.camel@carretti.pro> Message-ID: Thanks Dmitry! There is no way to hide it in the UI without disabling the login events? Seems like it kind of defeats the purpose of login events and being able to track a hacked account, etc. Thanks again :) -- Aaron Echols On Thu, May 2, 2019 at 1:21 PM Dmitry Telegin wrote: > Hi Aaron, > > Here you go: Events -> Config -> Login Events Settings -> Save Events = OFF > > Visibility of the logs section in the Account UI directly depends on this > setting [1]. 
> > [1] > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java#L175 > > Cheers, > Dmitry > > On Wed, 2019-05-01 at 10:11 -0700, Aaron Echols wrote: > > Hello All, > > > > I've been pulling my hair out on this one. I set up a DEV instance of > > Keycloak to test some theming and one thing I've noticed is that when > > using a realm's account page, Logs is disabled in DEV. > > > > I can't figure out how to disable that in my PROD instance. I'd like to > > hide that for all users, as my users won't understand what any of that > > means. > > > > Currently in PROD, when going to any user's account page you see the > > following layout: > > > > * Account > > * Password > > * Authenticator > > * Sessions > > * Applications > > * Logs > > > > In DEV, I see: > > > > * Account > > * Password > > * Authenticator > > * Sessions > > * Applications > > > > That's what I'd like to see in PROD as well. I'm hoping it's something > > simple I'm missing. Thanks in advance. :) > > -- > > Aaron Echols > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From demetrio at carretti.pro Thu May 2 17:03:25 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Fri, 03 May 2019 00:03:25 +0300 Subject: [keycloak-user] Accounts Logs In-Reply-To: References: <1556828493.3581.1.camel@carretti.pro> Message-ID: <1556831005.3581.3.camel@carretti.pro> You're welcome :) You can definitely hide this section using a custom account theme (by overriding account/template.ftl), but you will also need to prohibit access to the actual URL (/auth/realms/{realm}/account/log), using e.g. Undertow rules. I know this sounds like a hack, and I hope this will be addressed in the forthcoming React.js rewrite of the account console. 
Alternatively, you could disable the event store in Keycloak and set up an event listener to forward events to Logstash/Splunk or a similar system, which will also give you more powerful and versatile analysis. Cheers, Dmitry On Thu, 2019-05-02 at 13:31 -0700, Aaron Echols wrote: > Thanks Dmitry! > > There is no way to hide it in the UI without disabling the login events? Seems like it kind of defeats the purpose of login events and being able to track a hacked account, etc. > > Thanks again :) > -- > Aaron Echols > > > On Thu, May 2, 2019 at 1:21 PM Dmitry Telegin wrote: > > Hi Aaron, > > > > Here you go: Events -> Config -> Login Events Settings -> Save Events = OFF > > > > Visibility of the logs section in the Account UI directly depends on this setting [1]. > > > > [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java#L175 > > > > Cheers, > > Dmitry > > > > On Wed, 2019-05-01 at 10:11 -0700, Aaron Echols wrote: > > > Hello All, > > > > > > I've been pulling my hair out on this one. I set up a DEV instance of > > > Keycloak to test some theming and one thing I've noticed is that when > > > using a realm's account page, Logs is disabled in DEV. > > > > > > I can't figure out how to disable that in my PROD instance. I'd like to > > > hide that for all users, as my users won't understand what any of that > > > means. > > > > > > Currently in PROD, when going to any user's account page you see the > > > following layout: > > > > > > * Account > > > * Password > > > * Authenticator > > > * Sessions > > > * Applications > > > * Logs > > > > > > In DEV, I see: > > > > > > * Account > > > * Password > > > * Authenticator > > > * Sessions > > > * Applications > > > > > > That's what I'd like to see in PROD as well. I'm hoping it's something > > > simple I'm missing. Thanks in advance. 
:) > > > -- > > > Aaron Echols > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From demetrio at carretti.pro Thu May 2 17:10:15 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Fri, 03 May 2019 00:10:15 +0300 Subject: [keycloak-user] Unable to integrate SAML 2 provider - Pingfederate In-Reply-To: References: Message-ID: <1556831415.3581.5.camel@carretti.pro> Hi Bruce, From my practice I can confirm that Keycloak works with PingFederate pretty well. Below that "Caused by: java.lang.NullPointerException", do you see anything related to java.util.regex.Matcher? If so, you're probably trying IdP-initiated SSO from Ping to Keycloak, which needs to be set up differently [1] (look for "When using identity brokering"). [1] https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login Cheers, Dmitry On Thu, 2019-05-02 at 13:10 +0530, Bruce Wings wrote: > Any idea whether PingFederate integration is supported by keycloak? Any > documentation for integrating PingFederate with keycloak? > > > On Wed, May 1, 2019 at 9:05 AM Bruce Wings wrote: > > > I have successfully integrated OKTA as SAML 2 provider. > > Now I am trying to integrate PingFederate as SAML 2 provider. PingFederate > > successfully redirects back to keycloak: > > ( /auth/realms//broker/pingfed/endpoint ) > > > > But keycloak gives the following error trace: > > > > 2019-04-30 13:27:23,196 ERROR > > [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) > > Uncaught server error: > > org.keycloak.broker.provider.IdentityBrokerException: Could not process > > response from SAML identity provider. 
> > at > > org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:450) > > at > > org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:485) > > at > > org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:243) > > at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > > at > > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) > > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401) > > at > > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365) > > at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) > > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367) > > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339) > > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > > at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441) > > at > > 
> > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> > at java.lang.Thread.run(Thread.java:748)
> > Caused by: java.lang.NullPointerException
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From aechols at bfcsaz.com Thu May 2 18:16:32 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 2 May 2019 15:16:32 -0700
Subject: [keycloak-user] Accounts Logs
In-Reply-To: <1556831005.3581.3.camel@carretti.pro>
References: <1556828493.3581.1.camel@carretti.pro> <1556831005.3581.3.camel@carretti.pro>
Message-ID:

Makes sense. I'm working on setting up some instances for sending syslogs to, so that should work. Thanks :)
--
Aaron Echols

On Thu, May 2, 2019 at 2:03 PM Dmitry Telegin wrote:
> You're welcome :)
>
> You can definitely hide this section using a custom account theme (by overriding account/template.ftl), but you will also need to prohibit access to the actual URL (/auth/realms/{realm}/account/log), using e.g. Undertow rules. I know this sounds like a hack, and I hope this will be addressed in the forthcoming React.js rewrite of the account console.
>
> Alternatively, you could disable the event store in Keycloak and set up an event listener to forward events to Logstash/Splunk or a similar system, which will also give you more powerful and versatile analysis.
>
> Cheers,
> Dmitry
>
> On Thu, 2019-05-02 at 13:31 -0700, Aaron Echols wrote:
> > Thanks Dmitry!
> >
> > There is no way to hide it in the UI without disabling the login events?
> > Seems like it kind of defeats the purpose of login events and being able to track a hacked account, etc.
> >
> > Thanks again :)
> > --
> > Aaron Echols
> >
> > On Thu, May 2, 2019 at 1:21 PM Dmitry Telegin wrote:
> > > Hi Aaron,
> > >
> > > Here you go: Events -> Config -> Login Events Settings -> Save Events = OFF
> > >
> > > Visibility of the logs section in the Account UI directly depends on this setting [1].
> > >
> > > [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java#L175
> > >
> > > Cheers,
> > > Dmitry
> > >
> > > On Wed, 2019-05-01 at 10:11 -0700, Aaron Echols wrote:
> > > > Hello All,
> > > >
> > > > I've been pulling my hair out on this one. I set up a DEV instance of Keycloak to test some theming, and one thing I've noticed is that when using a realm's account page, Logs is disabled in DEV.
> > > >
> > > > I can't figure out how to disable that in my PROD instance. I'd like to hide that for all users, as my users won't understand what any of that means.
> > > >
> > > > Currently in PROD, when going to any user's account page you see the following layout:
> > > >
> > > > * Account
> > > > * Password
> > > > * Authenticator
> > > > * Sessions
> > > > * Applications
> > > > * Logs
> > > >
> > > > In DEV, I see:
> > > >
> > > > * Account
> > > > * Password
> > > > * Authenticator
> > > > * Sessions
> > > > * Applications
> > > >
> > > > That's what I'd like to see in PROD as well. I'm hoping it's something simple I'm missing. Thanks in advance.
> > > > :)
> > > > --
> > > > Aaron Echols

From demetrio at carretti.pro Thu May 2 18:38:11 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Fri, 03 May 2019 01:38:11 +0300
Subject: [keycloak-user] Service account token mappers?
In-Reply-To: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net>
References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net>
Message-ID: <1556836691.3581.8.camel@carretti.pro>

Hi Gary,

To ensure a proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you?

If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for the "preferred_username" claim; its value will look like "service-account-".

Cheers,
Dmitry

On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
> I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
>
> I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
>
> How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
>
> If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
>
> (Keycloak 4.8.2)
>
> Cheers,
> Gary

From dwayne at conscia.co Thu May 2 22:33:03 2019
From: dwayne at conscia.co (Dwayne Remekie)
Date: Thu, 2 May 2019 22:33:03 -0400
Subject: [keycloak-user] Accessing Token information within a JavaScript Policy
Message-ID: <678AA82E-48AA-4F64-8EAA-F33D7EAD653B@conscia.co>

Hi all,

Consider the following token:

{
  "jti": "25954de5-9855-43ce-95f1-34af085a572d",
  "exp": 1556850119,
  "nbf": 0,
  "iat": 1556849819,
  "aud": "msa",
  "sub": "458601ee-ac93-4cee-8213-52f5428e5cdd",
  "typ": "Bearer",
  "azp": "msa",
  "auth_time": 0,
  "session_state": "515e0dce-6c27-408f-8f99-e2b572b04cc4",
  "acr": "1",
  "realm_access": {
    "roles": [ "offline_access", "uma_authorization" ]
  },
  "resource_access": {
    "account": {
      "roles": [ "manage-account", "manage-account-links", "view-profile" ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "scopes": [ "data-collection:edit" ],
        "claims": {
          "nm": [ "Beniah R" ],
          "gdData": [ "" ],
          "gdSize": [ "3" ],
          "gdTemp": [ "org.keycloak.authorization.attribute.Attributes$Entry@6bef60cb" ]
        }
      }
    ]
  },
  "scope": "profile drs2_security email myscope",
  "email_verified": true,
  "groupDetails": [
    {
      "name": "ug1",
      "customerCode": "cust-a",
      "repositoryAdmin": [ "cust-a/repo-a/*", "cust-a/repo-b/*" ],
      "repositoryEditor": [ "cust-a/repo-d/*", "cust-a/repo-d/*" ]
    },
    {
      "name": "ug2",
      "customerCode": "cust-a",
      "collectionEditor": [ "cust-a/repo-c/coll-a", "cust-a/repo-c/coll-b" ],
      "collectionReader": [ "cust-a/repo-b/coll-x" ]
    }
  ],
  "name": "Beniah R"
}

Consider the following JS Policy.
// Keycloak JavaScript policy; $evaluation is supplied by the policy evaluator
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var identity = context.getIdentity();
var attributes = identity.getAttributes();

// "name" is a plain string claim, so asString(0) returns its value
var nm = attributes.getValue('name');
permission.addClaim('nm', nm.asString(0));

// "groupDetails" is an array of objects in the token
var groupDetails = attributes.getValue('groupDetails');
permission.addClaim('gdTemp', groupDetails);
permission.addClaim('gdSize', groupDetails.size());
permission.addClaim('gdData', groupDetails.asString(0));

The code above is successfully able to access the "name" property from the token (see "nm" in the authorization section). However, I cannot figure out how to access the objects within the "groupDetails" array. I can see that the type of object is "org.keycloak.authorization.attribute.Attributes$Entry", which has methods to fetch Dates, doubles, Strings, etc., but no method to return an object.

Thanks for your help.

From safwen.benjha at gmail.com Fri May 3 03:04:39 2019
From: safwen.benjha at gmail.com (Safouan BEN JHA)
Date: Fri, 3 May 2019 09:04:39 +0200
Subject: [keycloak-user] How to reduce the size of the access/refresh tokens in Keycloak?
Message-ID:

Hi all,

First of all, sorry if this email is not relevant to you. I am using keycloak-user at lists.jboss.org to ask for support as it was the only email I could find.

I am setting up a Keycloak authentication server to allow authorized users to access a protected resource (OAuth 2.0). The access will be done from an embedded device that has certain restrictions. The main restriction is that the access and refresh tokens cannot be saved if they are longer than 256 characters.

While The OAuth 2.0 Authorization Framework is silent about the token size, all the identity providers are free to decide about the token size. For example, Facebook's token is less than 256 bytes, the same for Google. But for Keycloak, I get a token around 850 bytes!
I have tried several encryption algorithms available in the admin console, but I still get a large JWT token. Decoding that JWT gives the following:

{
  "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
  "exp": 1556284611,
  "nbf": 0,
  "iat": 1556270211,
  "iss": "http://myadress:myport/auth/realms/myrealm",
  "aud": "myapp",
  "sub": "45464-445645-4b45641e-456456-45645646",
  "typ": "Bearer",
  "azp": "myapp",
  "auth_time": 1556269490,
  "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
  "acr": "0",
  "allowed-origins": [],
  "realm_access": {
    "roles": [ "user" ]
  },
  "resource_access": {},
  "scope": "readwrite"
}

I am actually not interested at all in the data in the tokens and I am not parsing it. I just need the token to be able to access the resource. Hence, is there a way to reduce the size of the token to less than 256? If not, what is the best result I can get?

Thank you in advance
--
Ben Jha Safouan
*Embedded Software Engineer*
*Tel:* (+32) (0)499913560 - (+32) (0)497053670
*Email:* safwen.benjha at gmail.com

From kuka.radovan at gmail.com Fri May 3 03:43:47 2019
From: kuka.radovan at gmail.com (Radovan Kuka)
Date: Fri, 3 May 2019 09:43:47 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
Message-ID:

Hello all,

I am new to Keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses the protect middleware. In case of an unauthenticated user, keycloak-connect returns a redirect to the login page (302 with Location header). The problem is that the original request was a fetch, and the 302 causes the browser to issue a GET request for the Keycloak login page. This will not cause a full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let the browser handle the redirect itself? Or am I doing something wrong?

This is the related part of my code.
// keycloak-connect (Node.js adapter) in front of an Express app
const express = require('express');
const Keycloak = require('keycloak-connect');

const app = express();

// Adapter configuration; `application` holds the deployment settings
const keycloakConfig = {
  authServerUrl: application.SERVER_URL,
  clientId: application.CLIENT_ID,
  realm: application.REALM,
  public: true
};

// Cookie-based token store instead of a server-side session store
const keycloak = new Keycloak({ cookies: true }, keycloakConfig);

app.use(
  keycloak.middleware({
    logout: '/logout'
  })
);

// Use routes: everything under /api/v1/ requires an authenticated user
// (`api` is the application's own router)
app.use('/api/v1/', keycloak.protect(), api);

Thank you for any help.
Radovan

From sblanc at redhat.com Fri May 3 03:51:04 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 3 May 2019 09:51:04 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To:
References:
Message-ID:

Hi,

If you are using your node app just to expose APIs that your SPA will consume, you should flag your node app as "bearer-only" (in the keycloak config); this will return a 401 if your user is not authenticated (and not attempt the redirect 302).
This also means that your SPA must obtain the token by using the Keycloak JavaScript library.

Sebi

On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
> Hello all,
> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>
> This is related part in my code.
>
> const keycloakConfig = {
>   authServerUrl: application.SERVER_URL,
>   clientId: application.CLIENT_ID,
>   realm: application.REALM,
>   public: true
> };
>
> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>
> app.use(
>   keycloak.middleware({
>     logout: '/logout'
>   })
> );
>
> // Use routes
> app.use('/api/v1/', keycloak.protect(), api);
>
> Thank you for any help.
> Radovan

From kuka.radovan at gmail.com Fri May 3 04:13:54 2019
From: kuka.radovan at gmail.com (Radovan Kuka)
Date: Fri, 3 May 2019 10:13:54 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To:
References:
Message-ID: <52FCB67C-4EAC-459D-8605-84D4656A1A37@gmail.com>

Hi Sebi,

Thank you for your prompt answer. I would like to avoid using keycloak.js, if it is possible. I am working on an app that is using sensitive bank data and I don't consider it secure to store access and also refresh tokens in JavaScript's memory. Is there any chance I can use the authorization code grant flow with keycloak-connect?

R.

> On 3 May 2019, at 09:51, Sebastien Blanc wrote:
>
> Hi,
>
> If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
> This also means that your SPA must obtain the token by using the Keycloak Javascript library.
>
> Sebi
>
> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
> Hello all,
> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware.
> In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>
> This is related part in my code.
>
> const keycloakConfig = {
>   authServerUrl: application.SERVER_URL,
>   clientId: application.CLIENT_ID,
>   realm: application.REALM,
>   public: true
> };
>
> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>
> app.use(
>   keycloak.middleware({
>     logout: '/logout'
>   })
> );
>
> // Use routes
> app.use('/api/v1/', keycloak.protect(), api);
>
> Thank you for any help.
> Radovan

From sblanc at redhat.com Fri May 3 05:10:01 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 3 May 2019 11:10:01 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To: <52FCB67C-4EAC-459D-8605-84D4656A1A37@gmail.com>
References: <52FCB67C-4EAC-459D-8605-84D4656A1A37@gmail.com>
Message-ID:

Is your SPA served by the Node app? In this case the OAuth flow/redirect can just happen. I think that's what this example shows: https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example

But if your SPA needs to call your backend APIs through XHR, you will need an access token on the client side ...

On Fri, May 3, 2019 at 10:14 AM Radovan Kuka wrote:
> Hi Sebi,
> thank you for your prompt answer. I would like to avoid to use keycloak.js, if it is possible.
> I am working on app that is using sensitive bank data and I don't consider it secure to store access and also refresh tokens in javascript's memory. Is there any chance I can use authorization code grant flow with keycloak-connect?
>
> R.
>
> On 3 May 2019, at 09:51, Sebastien Blanc wrote:
>
> Hi,
>
> If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
> This also means that your SPA must obtain the token by using the Keycloak Javascript library.
>
> Sebi
>
> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
>
>> Hello all,
>> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>>
>> This is related part in my code.
>>
>> const keycloakConfig = {
>>   authServerUrl: application.SERVER_URL,
>>   clientId: application.CLIENT_ID,
>>   realm: application.REALM,
>>   public: true
>> };
>>
>> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>>
>> app.use(
>>   keycloak.middleware({
>>     logout: '/logout'
>>   })
>> );
>>
>> // Use routes
>> app.use('/api/v1/', keycloak.protect(), api);
>>
>> Thank you for any help.
>> Radovan

From kuka.radovan at gmail.com Fri May 3 05:24:13 2019
From: kuka.radovan at gmail.com (Radovan Kuka)
Date: Fri, 3 May 2019 11:24:13 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To:
References:
Message-ID: <7781AFAF-C39C-46DF-94B1-AB592F8DEA1C@gmail.com>

I looked at the code, and when bearerOnly is set to true it will send, in case of an unauthorized user, a 403 status code, not 401.

R.

> On 3 May 2019, at 09:51, Sebastien Blanc wrote:
>
> Hi,
>
> If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
> This also means that your SPA must obtain the token by using the Keycloak Javascript library.
>
> Sebi
>
> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
> Hello all,
> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>
> This is related part in my code.
>
> const keycloakConfig = {
>   authServerUrl: application.SERVER_URL,
>   clientId: application.CLIENT_ID,
>   realm: application.REALM,
>   public: true
> };
>
> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>
> app.use(
>   keycloak.middleware({
>     logout: '/logout'
>   })
> );
>
> // Use routes
> app.use('/api/v1/', keycloak.protect(), api);
>
> Thank you for any help.
> Radovan

From kuka.radovan at gmail.com Fri May 3 05:29:06 2019
From: kuka.radovan at gmail.com (Radovan Kuka)
Date: Fri, 3 May 2019 11:29:06 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To:
References: <52FCB67C-4EAC-459D-8605-84D4656A1A37@gmail.com>
Message-ID:

The SPA communicates with the BE only through XHR requests. So if I understand it correctly, I should exchange the code for tokens with the Keycloak server by myself, and I can use keycloak-connect only for validating that token? Am I right?

> On 3 May 2019, at 11:10, Sebastien Blanc wrote:
>
> Is your SPA served by the Nodeapp ? in this case the oauth flow/redirect can just happen. I think it's was this example shows : https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
>
> But if your SPA needs to call through XHR your backend APIs you will need an access token on the client side ...
>
> On Fri, May 3, 2019 at 10:14 AM Radovan Kuka wrote:
> Hi Sebi,
> thank you for your prompt answer. I would like to avoid to use keycloak.js, if it is possible. I am working on app that is using sensitive bank data and I don't consider it secure to store access and also refresh tokens in javascript's memory. Is there any chance I can use authorization code grant flow with keycloak-connect?
>
> R.
>
>> On 3 May 2019, at 09:51, Sebastien Blanc wrote:
>>
>> Hi,
>>
>> If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
>> This also means that your SPA must obtain the token by using the Keycloak Javascript library.
>>
>> Sebi
>>
>> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
>> Hello all,
>> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>>
>> This is related part in my code.
>>
>> const keycloakConfig = {
>>   authServerUrl: application.SERVER_URL,
>>   clientId: application.CLIENT_ID,
>>   realm: application.REALM,
>>   public: true
>> };
>>
>> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>>
>> app.use(
>>   keycloak.middleware({
>>     logout: '/logout'
>>   })
>> );
>>
>> // Use routes
>> app.use('/api/v1/', keycloak.protect(), api);
>>
>> Thank you for any help.
>> Radovan

From sblanc at redhat.com Fri May 3 05:30:45 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 3 May 2019 11:30:45 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To: <7781AFAF-C39C-46DF-94B1-AB592F8DEA1C@gmail.com>
References: <7781AFAF-C39C-46DF-94B1-AB592F8DEA1C@gmail.com>
Message-ID:

Yeah, this is a known bug, https://issues.jboss.org/browse/KEYCLOAK-6810; it needs to be planned and fixed, I will follow up.

On Fri, May 3, 2019 at 11:24 AM Radovan Kuka wrote:
> I looked to the code and when bearerOnly is set to true, it will send in case of unauthorized user 403 status code not 401.
>
> R.
>
> On 3 May 2019, at 09:51, Sebastien Blanc wrote:
>
> Hi,
>
> If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
> This also means that your SPA must obtain the token by using the Keycloak Javascript library.
>
> Sebi
>
> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
>
>> Hello all,
>> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>>
>> This is related part in my code.
>>
>> const keycloakConfig = {
>>   authServerUrl: application.SERVER_URL,
>>   clientId: application.CLIENT_ID,
>>   realm: application.REALM,
>>   public: true
>> };
>>
>> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>>
>> app.use(
>>   keycloak.middleware({
>>     logout: '/logout'
>>   })
>> );
>>
>> // Use routes
>> app.use('/api/v1/', keycloak.protect(), api);
>>
>> Thank you for any help.
>> Radovan

From sblanc at redhat.com Fri May 3 05:31:56 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 3 May 2019 11:31:56 +0200
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To:
References: <52FCB67C-4EAC-459D-8605-84D4656A1A37@gmail.com>
Message-ID:

Yes

On Fri, May 3, 2019 at 11:29 AM Radovan Kuka wrote:
> SPA communicates with BE only through XHR requests. So if I understand it correctly, I should change code to tokens with keycloak server by myself and I can use keycloak-connect only for validating that token? Am I right?
>
> On 3 May 2019, at 11:10, Sebastien Blanc wrote:
>
> Is your SPA served by the Nodeapp ? in this case the oauth flow/redirect can just happen. I think it's was this example shows : https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
>
> But if your SPA needs to call through XHR your backend APIs you will need an access token on the client side ...
>
> On Fri, May 3, 2019 at 10:14 AM Radovan Kuka wrote:
>
>> Hi Sebi,
>> thank you for your prompt answer. I would like to avoid to use keycloak.js, if it is possible. I am working on app that is using sensitive bank data and I don't consider it secure to store access and also refresh tokens in javascript's memory.
>> Is there any chance I can use authorization code grant flow with keycloak-connect?
>>
>> R.
>>
>> On 3 May 2019, at 09:51, Sebastien Blanc wrote:
>>
>> Hi,
>>
>> If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
>> This also means that your SPA must obtain the token by using the Keycloak Javascript library.
>>
>> Sebi
>>
>> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
>>
>>> Hello all,
>>> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>>>
>>> This is related part in my code.
>>>
>>> const keycloakConfig = {
>>>   authServerUrl: application.SERVER_URL,
>>>   clientId: application.CLIENT_ID,
>>>   realm: application.REALM,
>>>   public: true
>>> };
>>>
>>> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>>>
>>> app.use(
>>>   keycloak.middleware({
>>>     logout: '/logout'
>>>   })
>>> );
>>>
>>> // Use routes
>>> app.use('/api/v1/', keycloak.protect(), api);
>>>
>>> Thank you for any help.
>>> Radovan

From Tony.Harris at oneadvanced.com Fri May 3 05:47:50 2019
From: Tony.Harris at oneadvanced.com (Tony Harris)
Date: Fri, 3 May 2019 09:47:50 +0000
Subject: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route
In-Reply-To:
References:
Message-ID: <0a1cfcaa770b438d85e73e7df7e93047@SL1ACSEXCMB01.acsresource.com>

Have you looked at sending the X-Requested-With header with a value of XHTMLRequest and setting the autodetect-bearer-only value? See https://www.keycloak.org/docs/4.2/securing_apps/index.html

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Sebastien Blanc
Sent: 03 May 2019 08:51
To: Radovan Kuka
Cc: keycloak userlist
Subject: Re: [keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route

Hi,

If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302).
This also means that your SPA must obtain the token by using the Keycloak Javascript library.

Sebi

On Fri, May 3, 2019 at 9:45 AM Radovan Kuka wrote:
> Hello all,
> I am new to keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page.
> Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong?
>
> This is related part in my code.
>
> const keycloakConfig = {
>   authServerUrl: application.SERVER_URL,
>   clientId: application.CLIENT_ID,
>   realm: application.REALM,
>   public: true
> };
>
> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>
> app.use(
>   keycloak.middleware({
>     logout: '/logout'
>   })
> );
>
> // Use routes
> app.use('/api/v1/', keycloak.protect(), api);
>
>
> Thank you for any help.
> Radovan
>

From ssilvert at redhat.com  Fri May  3 08:23:28 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 3 May 2019 08:23:28 -0400
Subject: [keycloak-user] Possible to override single messages in theme?
In-Reply-To:
References:
Message-ID:

On 5/2/2019 2:38 PM, Craig Setera wrote:
> It seems I answered my own question. I had not properly disabled themes
> caching to see the changes occur.
I was going to say that if it doesn't work then that's a bug.

I take it you got this working? Did you need to disable caching permanently?
>
> =================================
> *Craig Setera*
>
> *Chief Technology Officer*
>
>
>
>
> On Thu, May 2, 2019 at 12:18 PM Craig Setera wrote:
>
>> Is it possible to override a single message in a theme or is it necessary
>> to essentially copy the entire messages file and alter the message within
>> that?
>>
>> =================================
>> *Craig Setera*
>>
>> *Chief Technology Officer*
>>
>>
>>

From ssilvert at redhat.com  Fri May  3 08:25:06 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 3 May 2019 08:25:06 -0400
Subject: [keycloak-user] Accounts Logs
In-Reply-To: <1556831005.3581.3.camel@carretti.pro>
References: <1556828493.3581.1.camel@carretti.pro> <1556831005.3581.3.camel@carretti.pro>
Message-ID: <07873b68-39f2-aa9d-3883-16e8c8dc2f11@redhat.com>

On 5/2/2019 5:03 PM, Dmitry Telegin wrote:
> You're welcome :)
>
> You can definitely hide this section using custom account theme (by overriding account/template.ftl), but you will also need to prohibit access to the actual URL (/auth/realms/{realm}/account/log), using e.g. Undertow rules. I know this sounds like a hack, and I hope this will be addressed in the forthcoming React.js rewrite of the account console.
Yes, this is being addressed.
>
> Alternatively, you could disable event store in Keycloak and set up event listener to forward events to Logstash/Splunk or similar system, which will also give you more powerful and versatile analysis.
>
> Cheers,
> Dmitry
>
> On Thu, 2019-05-02 at 13:31 -0700, Aaron Echols wrote:
>> Thanks Dmitry!
>>
>> There is no way to hide it in the UI without disabling it the login events? Seems like it kind of defeats the purpose of login events and being able to track a hacked account, etc.
>>
>> Thanks again :)
>> --
>> Aaron Echols
>>
>>> On Thu, May 2, 2019 at 1:21 PM Dmitry Telegin wrote:
>>> Hi Aaron,
>>>
>>> Here you go: Events -> Config -> Login Events Settings -> Save Events = OFF
>>>
>>> Visibility of the logs section in the Account UI directly depends on this setting [1].
>>>
>>> [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java#L175
>>>
>>> Cheers,
>>> Dmitry
>>>
>>> On Wed, 2019-05-01 at 10:11 -0700, Aaron Echols wrote:
>>>> Hello All,
>>>>
>>>> I've been pulling my hair out on this one. I setup a DEV instance of
>>>> Keycloak to test some theming and one thing I've noticed, is that when
>>>> using a realms account page, Logs is disabled in DEV
>>>>
>>>> I can't figure out how to disable that in my PROD instance. I'd like to
>>>> hide that for all users, as my users won't understand what any of that
>>>> means.
>>>>
>>>> Currently in PROD, when going to any users account page you see the
>>>> following layout:
>>>>
>>>> * Account
>>>> * Password
>>>> * Authenticator
>>>> * Sessions
>>>> * Applications
>>>> * Logs
>>>>
>>>> In DEV, I see:
>>>>
>>>> * Account
>>>> * Password
>>>> * Authenticator
>>>> * Sessions
>>>> * Applications
>>>>
>>>> That's what I'd like to see in PROD as well. I'm hoping it's something
>>>> simple I'm missing. Thanks in advance. :)
>>>> --
>>>> Aaron Echols

From dwayne at conscia.co  Fri May  3 09:50:26 2019
From: dwayne at conscia.co (Dwayne Remekie)
Date: Fri, 3 May 2019 09:50:26 -0400
Subject: [keycloak-user] Accessing Token information within a JavaScript Policy
In-Reply-To: <678AA82E-48AA-4F64-8EAA-F33D7EAD653B@conscia.co>
References: <678AA82E-48AA-4F64-8EAA-F33D7EAD653B@conscia.co>
Message-ID: <9C5DAAA0-355A-4617-97AF-B2C8B6ECDD0E@conscia.co>

Hi all,

I've solved this.
var accessToken = identity.getAccessToken();
var otherClaims = accessToken.getOtherClaims();
var claimObject = otherClaims.get('someClaim');

claimObject is an Object that you can traverse.

Thanks

> On May 2, 2019, at 10:33 PM, Dwayne Remekie wrote:
>
> Hi all,
>
> Consider the following token:
>
> {
>   "jti": "25954de5-9855-43ce-95f1-34af085a572d",
>   "exp": 1556850119,
>   "nbf": 0,
>   "iat": 1556849819,
>   "aud": "msa",
>   "sub": "458601ee-ac93-4cee-8213-52f5428e5cdd",
>   "typ": "Bearer",
>   "azp": "msa",
>   "auth_time": 0,
>   "session_state": "515e0dce-6c27-408f-8f99-e2b572b04cc4",
>   "acr": "1",
>   "realm_access": {
>     "roles": [
>       "offline_access",
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "data-collection:edit"
>         ],
>         "claims": {
>           "nm": [
>             "Beniah R"
>           ],
>           "gdData": [
>             ""
>           ],
>           "gdSize": [
>             "3"
>           ],
>           "gdTemp": [
>             "org.keycloak.authorization.attribute.Attributes$Entry at 6bef60cb"
>           ]
>         }
>       }
>     ]
>   },
>   "scope": "profile drs2_security email myscope",
>   "email_verified": true,
>   "groupDetails": [
>     {
>       "name": "ug1",
>       "customerCode": "cust-a",
>       "repositoryAdmin": [
>         "cust-a/repo-a/*",
>         "cust-a/repo-b/*"
>       ],
>       "repositoryEditor": [
>         "cust-a/repo-d/*",
>         "cust-a/repo-d/*"
>       ]
>     },
>     {
>       "name": "ug2",
>       "customerCode": "cust-a",
>       "collectionEditor": [
>         "cust-a/repo-c/coll-a",
>         "cust-a/repo-c/coll-b"
>       ],
>       "collectionReader": [
>         "cust-a/repo-b/coll-x"
>       ]
>     }
>   ],
>   "name": "Beniah R"
> }
>
> Consider the following JS Policy.
>
> var context = $evaluation.getContext();
> var permission = $evaluation.getPermission();
> var resource = permission.getResource();
> var identity = context.getIdentity();
> var attributes = identity.getAttributes();
>
> var nm = attributes.getValue('name');
> permission.addClaim('nm', nm.asString(0));
>
> var groupDetails = attributes.getValue('groupDetails');
> permission.addClaim('gdTemp', groupDetails);
> permission.addClaim('gdSize', groupDetails.size());
> permission.addClaim('gdData', groupDetails.asString(0));
>
>
> The code above is successfully able to access the 'name' property from the token (see 'nm' in the authorization section). However, I cannot figure out how to access the objects within the 'groupDetails' array. I can see that the type of object is "org.keycloak.authorization.attribute.Attributes$Entry" which has methods to fetch Dates, doubles, Strings, etc., but no method to return an object.
>
>
> Thanks for your help.
>
>
>

From dr.doon+keycloak at gmail.com  Fri May  3 13:53:32 2019
From: dr.doon+keycloak at gmail.com (Dev Doongoor)
Date: Fri, 3 May 2019 13:53:32 -0400
Subject: [keycloak-user] Keycloak Scalability Issues
Message-ID:

Hello,

I am looking for help regarding having Keycloak accommodate roughly a million, long-lived sessions.
My setup: I have an externalized infinispan cluster which houses the clientSessions and sessions caches, and using Keycloak 4.8.0.
The infinispan cluster can hold that many entries in each cache, however it seems Keycloak itself struggles with this.
When I restart Keycloak (for whatever reason), it seems to attempt to load all sessions from infinispan into memory, which to me seems counter intuitive to using an externalized cache system.
Unless I give Keycloak enough RAM to handle 1 million or so sessions, it seems like I would have to clear all session data in order for the application to start up again.
Also, session lifetime is expected to be 8 months to a year.
My standalone-ha.xml for cache configuration looks like this:

true
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
true
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory

Is this correct? Is there a more efficient way to handle this?

Thanks in advance,

DKD

From ahmadzadehasl at outlook.com  Sat May  4 08:18:42 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Sat, 4 May 2019 12:18:42 +0000
Subject: [keycloak-user] Help for using Keycloak in Spring Boot
Message-ID:

Hi
First of all, excuse me for poor English.

I am trying to use Keycloak in Spring Boot 2, I read many articles about this matter, such as follow link:
https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html

There was an issue that I can't resolve. Resource and policy and permissions defined in admin panel for client, does not have any effect on my server. For example I defined a resource for URL pattern /rest/* and a policy for having ROLE_REST, also I defined a permission for mapping this resource and policy.

But after running the server, I can use rest services without any limitation and authentication.
Now the question is: How can I manage Spring Boot application security and permissions from Keycloak admin panel?

Thank you

From corentin.dupont at gmail.com  Sat May  4 10:01:49 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sat, 4 May 2019 16:01:49 +0200
Subject: [keycloak-user] "Resource type" permissions and ownership
Message-ID:

Hi guys,
I noticed that when I use "Resource type" permissions ("Apply to Resource Type" is checked), only the resources that belong to the client are returned. Resources that belong to users will not be returned.
Basically, I created 2 resources with the API: one belonging to the client, one to a user.
I then evaluate my permissions, with "Apply to Resource Type" on. Only the resource belonging to the client will be returned.
Why is that?
If my resources need to belong to the client, how to manage ownership policies? Should I use Resource Attributes for that?
Furthermore, I think UMA will not work anymore if the owner of the resource is the client?

Thanks a lot!
Corentin

From slaskawi at redhat.com  Mon May  6 03:17:56 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 6 May 2019 09:17:56 +0200
Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
In-Reply-To:
References:
Message-ID:

Adding +Bela Ban , just in case :)

Currently, JDBC_PING extends FILE_PING, which has some properties, that works similarly to `clear_table_on_view_change`:
- remove_old_coords_on_view_change - If true, on a view change, the new coordinator removes files from old coordinators
- remove_all_data_on_view_change - If true, on a view change, the new coordinator removes all data except its own

It's also worth to mention, that the coordinator clears the table when shutting down (being more specific, on `JDBC_PING#stop`). So unless your cluster crashes a lot (by crashing I mean calling `kill -9` for example), you should be fine.

Thanks,
Seb

On Mon, Apr 29, 2019 at 9:44 AM abhishek raghav wrote:

> Thanks Sebastian.
>
> I tried running the same setup with 5.0.0 of keycloak, I did not see any
> such errors which I reported in my first email. This was definitely a
> Wildfly issue and not keycloak.
>
> Regarding my 2nd question - i.e. support of "clear_table_on_view_change"
> property. I see that jgroups has removed support of this property. So lets
> say if JGROUPSPING table has lot stale entries, while keycloak starts
> booting up - each time keycloak node will try to JOIN with all the entries
> already present in the JGROUPSPING table and thus time taken for the
> service to start will be more. If that timeline is more than 300s, keycloak
> does not start and reports timeout error.
> This scenario is highly possible in cloud scenarios, since there the
> keycloak nodes can start on any available host/IP since no of nodes are not
> fixed.
>
> Can you suggest any workaround to fix this.
>
> *- Best Regards*
> Abhishek Raghav
>
>
>
> On Fri, Apr 26, 2019 at 6:11 PM Sebastian Laskawiec
> wrote:
>
>> There was a bunch of fixes to JGroups a while ago, including changes in
>> JDBC_PING.
>>
>> Could you please rerun your setup with Keycloak >= 5.0.0? I believe some
>> of the issues (or maybe even all of them) should be fixed.
>>
>> On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav
>> wrote:
>>
>>> Hi
>>>
>>> After the migration of keycloak HA configurations from 3.4.3.Final to
>>> 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
>>> immediately after the keycloak is started with 2 nodes. This occurs after
>>> every time when the cluster is scaled up or whenever infinispan is trying
>>> to update the cluster member list.
>>> I am using JDBC_PING to achieve clustering in keycloak.
>>>
>>> Below is the stacktrace -
>>>
>>> 2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
>>>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>     at java.lang.Thread.run(Thread.java:748)
>>>     Suppressed: org.infinispan.util.logging.TraceException
>>>         at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>>>         at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>>>         at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>>>
>>>
>>> Now after I searched, I really did not see anyone reported such error on
>>> keycloak but there is similar bug reported in WILDFLY 14 and is
>>> categorized as a
>>> blocker in WILDFLY 14. This bug is already fixed in WILDFLY 15.
>>> https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
>>>
>>> Now since keycloak 4.8 is also based on WILDFLY 14, these WARNINGS could
>>> be because of this blocker in WILDFLY 14.
>>>
>>> What should I do to get rid of this error. Is this really a problem in
>>> keycloak 4.8.3.Final. Did anyone notice any such issue while running
>>> keycloak 4.8.3 in HA mode.
>>> Is there a workaround to fix this.
>>>
>>>
>>> One more thing we noticed is - It is regarding a property in JDBC_PING
>>> protocol we are using in our 3.4.3 setup i.e.
>>> "clear_table_on_view_change"
>>> but it is no more supported in 4.8 version. and thus the JGROUPSPING
>>> table is filled up with lot of stale entries. Is there a workaround to clear
>>> the table after view change in 4.8 also.
>>>
>>> Thanks
>>> Abhishek
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>

From mhajas at redhat.com  Mon May  6 03:39:19 2019
From: mhajas at redhat.com (Michal Hajas)
Date: Mon, 6 May 2019 09:39:19 +0200
Subject: [keycloak-user] Help for using Keycloak in Spring Boot
In-Reply-To:
References:
Message-ID:

Hi Ali,

it looks like you have wrongly configured Spring Boot Keycloak adapter. Make sure you configured everything which is shown here (especially the part with security constraints):
https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter

Michal

On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl wrote:

> Hi
> First of all, excuse me for poor English.
>
> I am trying to use Keycloak in Spring Boot 2, I read many articles about
> this matter, such as follow link:
>
> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html
>
>
> There was an issue that I can't resolve.
> Resource and policy and
> permissions defined in admin panel for client, does not have any effect on my
> server. For example I defined a resource for URL pattern /rest/* and a
> policy for having ROLE_REST, also I defined a permission for mapping this
> resource and policy.
>
> But after running the server, I can use rest services without any
> limitation and authentication.
> Now the question is: How can I manage Spring Boot application security and
> permissions from Keycloak admin panel?
>
> Thank you
>

From slaskawi at redhat.com  Mon May  6 03:43:40 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 6 May 2019 09:43:40 +0200
Subject: [keycloak-user] Setting up SSL certificate on keycloak container
In-Reply-To:
References:
Message-ID:

The problem is probably with the .csr file. The container expects tls.cer, which is basically the Certificate itself rather than Certificate Signing Request.

On Mon, Apr 29, 2019 at 10:18 AM Francesco Longo <
francesco.longo at linksfoundation.com> wrote:

> Good morning! I have a problem setting up keycloak on a docker container,
> using portainer, installing the SSL certificate.
>
> * I installed from portainer the official jboss keycloak image (5.0.0)
> setting up the internal 8443 port (in this case it recognize to use HTTPS).
> * I have my 2 files (.csr and .key certificates) placed on the
> /etc/x509/https folder of the docker container.
>
> I have some errors:
>
> * Connecting to the keycloak:port/auth I get the error: "Error code:
> SSL_ERROR_NO_CYPHER_OVERLAP" and I cannot connect to that page...
> * Performing a request to my application that is protected by keycloak
> I get a response error:
> "Error: write EPROTO 140495380186944:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:../deps/openssl/openssl/ssl/s23_clnt.c:802:"...
>
> Can somebody help me? What's wrong with the SSL configuration on the
> keycloak side?
>
> [LINKS Foundation]
>
> Francesco Longo
> Researcher | Linksfoundation.com
> T. +39 0112276440
> francesco.longo at linksfoundation.com
>
> ________________________________
>
> Confidentiality Notice - This e-mail message including any attachments is
> for the sole use of the intended recipient and may contain confidential and
> privileged information pursuant to Legislative Decree 196/2003 and the
> European General Data Protection Regulation 679/2016 -GDPR-. Any
> unauthorized review, use, disclosure or distribution is prohibited.
> If you are not the intended recipient, please contact the sender by reply e-mail
> and destroy all copies of the original message.
>

From corentin.dupont at gmail.com  Mon May  6 06:26:44 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 6 May 2019 12:26:44 +0200
Subject: [keycloak-user] "Resource type" permissions and ownership
In-Reply-To:
References:
Message-ID:

Hi guys,
any idea on that?

By the way, how to retrieve permissions based on the resource type using the API? I see no options to do that in the current API.
For instance in this request:

curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \
  --data "permission=Resource A#Scope A" \
  --data "permission=Resource B#Scope B"

Where should I specify the resource type?

On Sat, May 4, 2019 at 4:01 PM Corentin Dupont wrote:

> Hi guys,
> I noticed that when I use "Resource type" permissions ("Apply to Resource
> Type" is checked), only the resources that belong to the client are
> returned. Resources that belong to users will not be returned.
> Basically, I created 2 resources with the API: one belonging to the
> client, one to a user.
> I then evaluate my permissions, with "Apply to Resource Type" on. Only the
> resource belonging to the client will be returned.
> Why is that?
> If my resources need to belong to the client, how to manage ownership
> policies? Should I use Resource Attributes for that?
> Furthermore, I think UMA will not work anymore if the owner of the
> resource is the client?
>
> Thanks a lot!
> Corentin
>

From stefan.romete at gmail.com  Mon May  6 06:37:06 2019
From: stefan.romete at gmail.com (stefan.romete at gmail.com)
Date: Mon, 6 May 2019 13:37:06 +0300
Subject: [keycloak-user] Same Keycloak instance hosted on different domains
In-Reply-To: <02b301d503f6$981c3040$c85490c0$@gmail.com>
References: <02b301d503f6$981c3040$c85490c0$@gmail.com>
Message-ID: <02c001d503f7$a708b9b0$f51a2d10$@gmail.com>

Hi,

We have an issue with trying to have the same keycloak instance hosted on 2 different domains (URLs).

We have the following scenario: 2 Different Angular apps that point to 2 different URLs for the auth part. These 2 URLs use the same instance of keycloak.
This works as expected and we are able to authenticate in both apps.

The problem comes when trying to reach the same Backend application from both apps, as for one app we have the same token issuer but for the other one (different Endpoint for Keycloak) we get the message:

error="invalid_token", error_description="Invalid token issuer. Expected '', but was '"

While looking through the source code of keycloak I found out that this is the normal behavior when trying to have this setup.

Is there any way of achieving the above configuration without having also 2 instances of the BackEnd application, each configured with its own issuer? That will mean for us an extra deployment of the same application, which does not make sense.

Thank you,
Stefan Romete

From l.lech at ringler.ch  Mon May  6 09:48:05 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 6 May 2019 13:48:05 +0000
Subject: [keycloak-user] Keycloak 5.x vs 6.x, what is the difference between those 2 lines?
Message-ID: <5E48B917000C984B86B77170F441903A189B5B36@exch.ringler.ch>

I'm quite disturbed by keycloak 5.x and 6.x being launched in the same time....

Which should I upgrade to from 4.8.x?

Was 5.x line a mistake and it was abandoned and replaced with 6.x, or those are parallel development lines for other purposes?
Excuse me for maybe a naïve question, but release notes are not very speaking...

Best regards,
Lukasz Lech

From sthorger at redhat.com  Mon May  6 09:56:55 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 May 2019 15:56:55 +0200
Subject: [keycloak-user] Keycloak 5.x vs 6.x, what is the difference between those 2 lines?
In-Reply-To: <5E48B917000C984B86B77170F441903A189B5B36@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A189B5B36@exch.ringler.ch>
Message-ID:

Please read this: https://www.keycloak.org/2019/04/versioning.html

On Mon, 6 May 2019 at 15:50, Lukasz Lech wrote:

> I'm quite disturbed by keycloak 5.x and 6.x being launched in the same
> time....
>
> Which should I upgrade to from 4.8.x?
>
> Was 5.x line a mistake and it was abandoned and replaced with 6.x, or
> those are parallel development lines for other purposes?
>
> Excuse me for maybe a naïve question, but release notes are not very
> speaking...
>
> Best regards,
> Lukasz Lech
>

From rohit.nikhade at fantailtech.com  Mon May  6 11:19:31 2019
From: rohit.nikhade at fantailtech.com (Rohit Nikhade)
Date: Mon, 6 May 2019 20:49:31 +0530
Subject: [keycloak-user] Restrict the user creation of from IDP.
Message-ID:

Hi,

My requirement is that only pre-created user, when logged in via Identity Broker, should be automatically linked to its IDP user. If other user gets logged in then it should throw an error and stop the Authentication Flow.

My requirement is similar to that mention on https://issues.jboss.org/browse/KEYCLOAK-4544

As the above issue is deferred I still need to get a solution for my requirement. Can you suggest me any solution? Or the path to contribute?
As mentioned in above Jira ticket in the comment of Robert, I would like to add configuration and modify IdpCreateUserIfUniqueAuthenticator, so that if a nonexisting user logs in via IDP then it should throw an error.

Thank You
Rohit Nikhade
(+91) 8793652775

From clehingue at gmail.com  Mon May  6 11:24:24 2019
From: clehingue at gmail.com (Christophe Lehingue)
Date: Mon, 6 May 2019 17:24:24 +0200
Subject: [keycloak-user] How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'
Message-ID:

Hello, how to configure a client so that the user can use the user removal API?

[DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sdssdsqdqsdqsdsq

Whenever I try to call this request REST => I get the following error message: "resulted in a 401/403 Unauthorized`"

Can you help me ?

Thank you

From tmescic at upchain.com  Mon May  6 11:51:23 2019
From: tmescic at upchain.com (Tihomir Mescic)
Date: Mon, 6 May 2019 17:51:23 +0200
Subject: [keycloak-user] Webhook/notification when user's data is changed
Message-ID:

Hi all,

I'm building a system that integrates with Keycloak. What I would need is some kind of a notification mechanism in case user information (e.g. first, or last name) is changed in Keycloak.

Something like this:
- user's first name is changed in Keycloak (either via the Keycloak administration page, or via a REST API call)
- Keycloak notifies my app about the change (either via a webhook or by sending a message to a message bus, or something else)

Is anything like this possible currently?

Thanks in advance,
Tihomir

From sblanc at redhat.com  Mon May  6 12:08:23 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 6 May 2019 18:08:23 +0200
Subject: [keycloak-user] Restrict the user creation of from IDP.
In-Reply-To:
References:
Message-ID:

Hi Rohit,

Contributions are more than welcome, you can start the discussion on our dev mailing list.
We will then reopen the ticket accordingly. Once we agreed on a solution you can provide a pull request, be sure to have integration tests as well.

On Mon, May 6, 2019 at 5:45 PM Rohit Nikhade wrote:

> Hi,
>
> My requirement is that only pre-created user, when logged in via Identity
> Broker, should be automatically linked to its IDP user. If other user gets
> logged in then it should throw an error and stop the Authentication Flow.
>
> My requirement is similar to that mention on
> https://issues.jboss.org/browse/KEYCLOAK-4544
>
> As the above issue is deferred I still need to get a solution for my
> requirement. Can you suggest me any solution? Or the path to contribute?
>
>
> As mentioned in above Jira ticket in the comment of Robert, I would like to
> add configuration and modify IdpCreateUserIfUniqueAuthenticator, so that
> if a nonexisting user logs in via IDP then it should throw an error.
>
>
> Thank You
> Rohit Nikhade
> (+91) 8793652775
>

From sblanc at redhat.com  Mon May  6 12:54:30 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 6 May 2019 18:54:30 +0200
Subject: [keycloak-user] How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'
In-Reply-To:
References:
Message-ID:

Give your user the "manage-users" role, you can do that from the role Mappings tab in the user screen and select in "client roles" => "realm-management" and there you should see the role "manage-users" and assign it.

On Mon, May 6, 2019 at 5:45 PM Christophe Lehingue wrote:

> Hello, how to configure a client so that the user can use the user removal
> API?
>
> [DELETE]:
> https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sdssdsqdqsdqsdsq
>
> Whenever I try to call this request REST => I get the following error
> message: "resulted in a 401/403 Unauthorized`"
>
> Can you help me ?
>
> Thank you
>

From orivat at janua.fr  Mon May  6 14:37:23 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Mon, 6 May 2019 20:37:23 +0200
Subject: [keycloak-user] Keycloak Scalability Issues
In-Reply-To:
References:
Message-ID: <321ed686-5e08-702e-751e-826bd355ac41@janua.fr>

Hi,

I am surprised to see you having to consider that many sessions with a session lifetime span of about 8 months.
All the sessions are piling up, and at the end as you mention you can end up with about 1 million sessions with scalability issues.
I am wondering if you don't have a design issue.

A normal session is 10H, and session idle timeout is about 30mn.
Keycloak provides offline tokens that can last for 30 days, but could be extended to much more (8 months - a year).
Offline token handling will allow your application to generate new access tokens (very short lifespan), without having the need to reauthenticate.
I guess it should fulfill your needs.

see also:
http://www.janua.fr/examples-of-offline-token-usage-in-keycloak/
http://www.janua.fr/understanding-token-usage-in-keycloak/

Regards,
Olivier Rivat

On 03/05/2019 at 19:53, Dev Doongoor wrote:
> Hello,
>
> I am looking for help regarding having Keycloak accommodate roughly a
> million, long-lived sessions.
> My setup: I have an externalized infinispan cluster which houses the
> clientSessions and sessions caches, and using Keycloak 4.8.0.
> The infinispan cluster can hold that many entries in each cache, however it
> seems Keycloak itself struggles with this.
> When I restart Keycloak (for whatever reason), it seems to attempt to load > all sessions from infinispan into memory, which to me seems counter > intuitive to using an externalized cache system. > Unless I give Keycloak enough RAM to handle 1 million or so sessions, it > seems like I would have to clear all session data in order for the > application to start up again. > Also, session lifetime is expected to be 8 months to a year. > > My standalone-ha.xml for cache configuration looks like this: > > > > "sessions" shared="true" purge="false" preload="false"> > true > > org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory > > > > > > > passivation="false" shared="true" purge="false" preload="false"> > true > > org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory > > > > Is this correct? Is there a more efficient way to handle this? > > Thanks in advance, > > DKD > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 T?l: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr From psilva at redhat.com Mon May 6 14:57:20 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 6 May 2019 15:57:20 -0300 Subject: [keycloak-user] Webhook/notification when user's data is changed In-Reply-To: References: Message-ID: Hi, >From time to time someone shows up with requirements that could be addressed using SCIM [1]. The functionality you are looking for is also addressed by one of the drafts related to SCIM [2]. [1] https://issues.jboss.org/browse/KEYCLOAK-2537 [2] https://tools.ietf.org/id/draft-hunt-scim-notify-00.txt Regards. Pedro Igor On Mon, May 6, 2019 at 1:11 PM Tihomir Mescic wrote: > Hi all, > > I'm building a system that integrates with Keycloak. What I would need is > some kind of a notification mechanism in case user information (e.g. 
> first,
> or last name) is changed in Keycloak.
>
> Something like this:
> - user's first name is changed in Keycloak (either via the Keycloak
> administration page, or via a REST API call)
> - Keycloak notifies my app about the change (either via a webhook or by
> sending a message to a message bus, or something else)
>
> Is anything like this possible currently?
>
> Thanks in advance,
> Tihomir
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From gary at apnic.net Mon May 6 19:38:43 2019
From: gary at apnic.net (Gary Kennedy)
Date: Mon, 6 May 2019 23:38:43 +0000
Subject: [keycloak-user] Service account token mappers?
In-Reply-To: <1556836691.3581.8.camel@carretti.pro>
References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net> <1556836691.3581.8.camel@carretti.pro>
Message-ID: <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net>

> On 3 May 2019, at 8:38 am, Dmitry Telegin wrote:
>
> Hi Gary,
>
> To ensure proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you?

Unfortunately no.

The roles are set, however they are not presented in the token, e.g. no "resource_access" claim.

And because of the missing "resource_access" claim, using the token with the admin API results in 403 Forbidden.

> If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for "preferred_username" claim, its value will look like "service-account-".

Thanks. I previously explicitly tried the built-in "client roles" mapper for the client as well as creating a "user client role" mapper manually (not at the same time) and they were not adding the claim to the token, so I assumed wrongly that the client mappers were not being used for the service account token.

Using a script mapper (and a hardcoded claim mapper) works in that the service account token has the configured claims from those mappers. It seems like the "user client roles" mapper type is being filtered from the applied protocol mappers here.

The mapper is applied to user tokens as well (of course) but at least using a script mapper will allow me to hack in the "resource_access" claim as I want. I'd like to do the right thing and have the script mapper use actual roles, but I may have to fall back to hardcoding the claim value; we'll see how much effort is needed and that I'm allowed to put in :p.

> Cheers,
> Dmitry
>
> On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
>> I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
>>
>> I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
>>
>> How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
>>
>> If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
>>
>> (Keycloak 4.8.2)
>>
>> Cheers,
>> Gary
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
From gary at apnic.net Mon May 6 23:40:22 2019
From: gary at apnic.net (Gary Kennedy)
Date: Tue, 7 May 2019 03:40:22 +0000
Subject: [keycloak-user] Service account token mappers?
In-Reply-To: <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net>
References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net> <1556836691.3581.8.camel@carretti.pro> <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net>
Message-ID: <91F81618-4CEF-472E-988D-43EAAB5F0777@apnic.net>

I think I've found an acceptable solution, can I get some feedback please? I don't want to risk any loopholes or lessened security here.

Originally I was thinking that I needed to add the "resource_access" claim to the token (with "realm-management" roles), because the admin API was using the "KeycloakIdentity" class in "MgmtPermissions.hasOneAdminRole" calls.

However, now I've gone with changing the "azp" (issued-for) claim instead, so that "MgmtPermissions.initIdentity" uses the "UserModelIdentity" class instead.

FYI - I've arbitrarily chosen to use the "admin-cli" client id for the "azp" claim, but "security-admin-console" would work just as well.

This is all accomplished with a single client-specific script mapper with no "Token Claim Name", no "Claim JSON Type", and set to only "Add to access token" (i.e. ID token and user info flags are OFF).

The script:

```javascript
// todo: can we make the service account detection a bit more robust? ie, sub claim??
// note: could also check client session notes for form data scope so we don't always set the issued-for
// `token` is the access token being built, exposed to the script mapper by Keycloak
var tokenName = null;
if (token !== null && token.getOtherClaims() !== null) {
    tokenName = token.getOtherClaims().get('preferred_username');
}
if (tokenName == 'service-account-test-client') {
    // admin-cli is to get the admin api to use the usermodel instead of the token for roles
    // you could also use the security-admin-console client id
    // see MgmtPermissions.initIdentity
    token.issuedFor('admin-cli');
}
```

Digging through the code I cannot find any other means of setting the issued-for of the token during the client credentials grant, but am I missing something? Is there another way we can set the issued-for at token request time?

Cheers,
Gary

> On 7 May 2019, at 9:38 am, Gary Kennedy wrote:
>
>> On 3 May 2019, at 8:38 am, Dmitry Telegin wrote:
>>
>> Hi Gary,
>>
>> To ensure proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you?
>
> Unfortunately no.
>
> The roles are set, however they are not presented in the token, e.g. no "resource_access" claim.
>
> And because of the missing "resource_access" claim, using the token with the admin API results in 403 Forbidden.
>
>> If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for "preferred_username" claim, its value will look like "service-account-".
>
> Thanks. I previously explicitly tried the built-in "client roles" mapper for the client as well as creating a "user client role" mapper manually (not at the same time) and they were not adding the claim to the token, so I assumed wrongly that the client mappers were not being used for the service account token.
>
> Using a script mapper (and a hardcoded claim mapper) works in that the service account token has the configured claims from those mappers. It seems like the "user client roles" mapper type is being filtered from the applied protocol mappers here.
>
> The mapper is applied to user tokens as well (of course) but at least using a script mapper will allow me to hack in the "resource_access" claim as I want. I'd like to do the right thing and have the script mapper use actual roles, but I may have to fall back to hardcoding the claim value; we'll see how much effort is needed and that I'm allowed to put in :p.
>
>> Cheers,
>> Dmitry
>>
>> On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
>>> I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
>>>
>>> I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
>>>
>>> How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
>>>
>>> If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
>>>
>>> (Keycloak 4.8.2)
>>>
>>> Cheers,
>>> Gary
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
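The authorization rule Gary is leaning on here (and spells out in his reply to Christophe further down the thread) is easier to reason about as code. The following Node.js sketch is an added example, not Gary's mapper and not Keycloak's own `MgmtPermissions` logic: it models the two paths described in the thread, where a token whose `azp` is one of the admin clients is checked against roles held on the user model, while any other token must carry `realm-management` roles inside its `resource_access` claim. It also models the service-account detection the script mapper performs, pairing the `preferred_username` prefix check with a comparison against the service-account user's `sub`, which is the stricter check the todo comment in the script asks about. The token payloads, the role store and the names `ADMIN_CLIENTS`, `USER_MODEL_ROLES`, `SERVICE_ACCOUNT_SUBS`, `decideAdminAccess`, `isServiceAccountToken` and `runDemo` are all constructed for this example.

```javascript
// Added example (not from the mailing-list post or from Keycloak): a model of
// the admin-API authorization rule described in the thread, plus the
// service-account detection used by the script mapper. All data is constructed.

// Clients whose tokens the admin API treats as admin tokens (per the thread).
const ADMIN_CLIENTS = new Set(['admin-cli', 'security-admin-console']);

// Constructed stand-in for the user model: client roles held by each user,
// keyed by the user's id (the token's `sub`).
const USER_MODEL_ROLES = {
  'user-1111': { 'realm-management': ['manage-users'] },
  'sa-2222': { 'realm-management': ['manage-users', 'view-users'] },
  'user-3333': {},
};

// Constructed stand-in for the id of each client's service-account user.
const SERVICE_ACCOUNT_SUBS = { 'test-client': 'sa-2222' };

// Path 1 (token issued for an admin client): roles come from the user model.
function rolesFromUserModel(sub, clientId) {
  const byClient = USER_MODEL_ROLES[sub] || {};
  return new Set(byClient[clientId] || []);
}

// Path 2 (any other azp): roles must be present in the token's resource_access
// claim, shaped as { "<client>": { "roles": [ ... ] } }.
function rolesFromToken(token, clientId) {
  const access = token.resource_access && token.resource_access[clientId];
  return new Set(access && Array.isArray(access.roles) ? access.roles : []);
}

// Decide whether the bearer of `token` may call an admin endpoint that
// requires `requiredRole` from the realm-management client.
function decideAdminAccess(token, requiredRole) {
  const viaUserModel = ADMIN_CLIENTS.has(token.azp);
  const roles = viaUserModel
    ? rolesFromUserModel(token.sub, 'realm-management')
    : rolesFromToken(token, 'realm-management');
  return { allowed: roles.has(requiredRole), source: viaUserModel ? 'user-model' : 'token' };
}

// Service-account detection: the username-prefix check the mapper uses, plus a
// stricter comparison of `sub` against the known service-account user id
// (an assumption for this example, not a Keycloak API).
function isServiceAccountToken(token, clientId) {
  const byName = token.preferred_username === `service-account-${clientId}`;
  const bySub = SERVICE_ACCOUNT_SUBS[clientId] === token.sub;
  return { byName, bySub, robust: byName && bySub };
}

// Constructed token payloads (decoded claims; signature assumed verified).
const SA_TOKEN = {
  sub: 'sa-2222',
  azp: 'test-client',
  preferred_username: 'service-account-test-client',
};
// The same token after the script mapper rewrote `azp`.
const SA_TOKEN_REWRITTEN = Object.assign({}, SA_TOKEN, { azp: 'admin-cli' });
// The same token carrying the resource_access claim instead.
const SA_TOKEN_WITH_CLAIM = Object.assign({}, SA_TOKEN, {
  resource_access: { 'realm-management': { roles: ['manage-users'] } },
});
// A regular user whose username happens to match the service-account prefix.
const LOOKALIKE_USER_TOKEN = {
  sub: 'user-3333',
  azp: 'test-client',
  preferred_username: 'service-account-test-client',
};

function runDemo() {
  return {
    plain: decideAdminAccess(SA_TOKEN, 'manage-users'),
    rewritten: decideAdminAccess(SA_TOKEN_REWRITTEN, 'manage-users'),
    withClaim: decideAdminAccess(SA_TOKEN_WITH_CLAIM, 'manage-users'),
    serviceAccount: isServiceAccountToken(SA_TOKEN, 'test-client'),
    lookalike: isServiceAccountToken(LOOKALIKE_USER_TOKEN, 'test-client'),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running it with `node` prints the decisions for the constructed tokens: the plain service-account token is refused on the token path because it has no `resource_access` claim, the same token with `azp` rewritten to `admin-cli` is allowed on the user-model path, the token carrying the `resource_access` claim is allowed without any rewrite, and the token whose username merely matches the `service-account-` prefix passes the name check but fails the `sub` comparison, which is why the detection in the mapper benefits from the second check.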
From gary at apnic.net Tue May 7 00:02:00 2019
From: gary at apnic.net (Gary Kennedy)
Date: Tue, 7 May 2019 04:02:00 +0000
Subject: [keycloak-user] How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'
In-Reply-To:
References:
Message-ID: <6B0DD813-7CC3-41A8-93AB-A8DC50ED7F8D@apnic.net>

I'm pretty sure this is similar to the problem I'm having, and I'm also pretty sure that you need to either:

- add the assigned roles needed for the admin API call (e.g. as Sebastien wrote) to the service or user account; AND ensure the token is issued for the admin clients (either "admin-cli" or "security-admin-console" by default), i.e. the "azp" claim is either "admin-cli" or "security-admin-console"

OR

- if the token is NOT issued for the admin clients, the token needs a "resource_access" claim which is a map containing the "realm-management" key with a map value having a "roles" key which is an array of role name strings, e.g.:

```
"resource_access": {
  "realm-management": {
    "roles": [ "manage-users" ]
  }
}
```

Cheers,
Gary

> On 7 May 2019, at 2:54 am, Sebastien Blanc wrote:
>
> Give your user the "manage-users" role, you can do that from the role
> Mappings tab in the user screen and select in "client roles" =>
> "realm-management" and there you should see the role "manage-users" and
> assign it.
>
> On Mon, May 6, 2019 at 5:45 PM Christophe Lehingue wrote:
>
>> Hello, how to configure a client so that the user can use the user removal
>> API?
>>
>> [DELETE]:
>> https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sdssdsqdqsdqsdsq
>>
>> Whenever I try to call this request REST => I get the following error
>> message: "resulted in a 401/403 Unauthorized`"
>>
>> Can you help me ?
>> >> Thank you >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3492 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190507/c2e61229/attachment.bin From ahmadzadehasl at outlook.com Tue May 7 01:05:07 2019 From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl) Date: Tue, 7 May 2019 05:05:07 +0000 Subject: [keycloak-user] Help for using Keycloak in Spring Boot In-Reply-To: References: , Message-ID: Hi Michal, I'm configured my server exactly like this tutorial, but I'm not defined any keycloak.securityConstraints in application.properties file, I want to define permissions and policies in Keycloak admin panel. Does this require any special setting? Do anybody have any sample or tutorial for this? ________________________________ From: Michal Hajas Sent: Monday, May 6, 2019 12:09 PM To: Ali Ahmadzadeh Asl Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot Hi Ali, it looks like you have wrongly configured Spring Boot Keycloak adapter. Make sure you configured everything which is shown here (especially the part with security constraints): https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter Michal On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl > wrote: Hi First of all, excuse me for poor English. 
I am trying to use Keycloak in Spring Boot 2, I read many articles about this matter, such as follow link: https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html There was an issue that i can't resolve it. Resource and policy and permissions defined in admin panel for client, does not any effect on my server. For example I defined a resource for URL pattern /rest/* and a policy for having ROLE_REST, also I defined a permission for mapping this resource and policy. But after running the server, I can use rest services without any limitation and authentication. Now the question is: How can I manage Spring Boot application security and permissions from Keycloak admin panel? Thank you _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Tue May 7 01:24:28 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 7 May 2019 07:24:28 +0200 Subject: [keycloak-user] Help for using Keycloak in Spring Boot In-Reply-To: References: Message-ID: Hi Ali, Have you tried this quickstart that shows how tu use the authz service from KC https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot Also make sure you enable the policy enforcer on the app side in the configuration , i.e : keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied sebi On Tue, May 7, 2019 at 7:07 AM Ali Ahmadzadeh Asl wrote: > > Hi Michal, > > I'm configured my server exactly like this tutorial, but I'm not defined > any keycloak.securityConstraints in application.properties file, I want to > define permissions and policies in Keycloak admin panel. Does this require > any special setting? Do anybody have any sample or tutorial for this? 
> ________________________________ > From: Michal Hajas > Sent: Monday, May 6, 2019 12:09 PM > To: Ali Ahmadzadeh Asl > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot > > Hi Ali, > > it looks like you have wrongly configured Spring Boot Keycloak adapter. > Make sure you configured everything which is shown here (especially the > part with security constraints): > https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter > > Michal > > On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl < > ahmadzadehasl at outlook.com> wrote: > Hi > First of all, excuse me for poor English. > > I am trying to use Keycloak in Spring Boot 2, I read many articles about > this matter, such as follow link: > > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html > > > There was an issue that i can't resolve it. Resource and policy and > permissions defined in admin panel for client, does not any effect on my > server. For example I defined a resource for URL pattern /rest/* and a > policy for having ROLE_REST, also I defined a permission for mapping this > resource and policy. > > But after running the server, I can use rest services without any > limitation and authentication. > Now the question is: How can I manage Spring Boot application security and > permissions from Keycloak admin panel? 
> > Thank you > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mhajas at redhat.com Tue May 7 02:57:22 2019 From: mhajas at redhat.com (Michal Hajas) Date: Tue, 7 May 2019 08:57:22 +0200 Subject: [keycloak-user] Help for using Keycloak in Spring Boot In-Reply-To: References: Message-ID: Hi Ali, as far as I understand, you have to specify securityContrains (it is also in authz quickstart: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-springboot/src/main/resources/application.properties#L10) so that Keycloak know about your resources. You can specify your permissions and policies afterward. Michal On Tue, May 7, 2019 at 7:24 AM Sebastien Blanc wrote: > Hi Ali, > > Have you tried this quickstart that shows how tu use the authz service > from KC > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot > Also make sure you enable the policy enforcer on the app side in the > configuration , i.e : > keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied > > sebi > > > On Tue, May 7, 2019 at 7:07 AM Ali Ahmadzadeh Asl < > ahmadzadehasl at outlook.com> wrote: > >> >> Hi Michal, >> >> I'm configured my server exactly like this tutorial, but I'm not defined >> any keycloak.securityConstraints in application.properties file, I want to >> define permissions and policies in Keycloak admin panel. Does this require >> any special setting? Do anybody have any sample or tutorial for this? 
>> ________________________________ >> From: Michal Hajas >> Sent: Monday, May 6, 2019 12:09 PM >> To: Ali Ahmadzadeh Asl >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot >> >> Hi Ali, >> >> it looks like you have wrongly configured Spring Boot Keycloak adapter. >> Make sure you configured everything which is shown here (especially the >> part with security constraints): >> https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter >> >> Michal >> >> On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl < >> ahmadzadehasl at outlook.com> wrote: >> Hi >> First of all, excuse me for poor English. >> >> I am trying to use Keycloak in Spring Boot 2, I read many articles about >> this matter, such as follow link: >> >> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html >> >> >> There was an issue that i can't resolve it. Resource and policy and >> permissions defined in admin panel for client, does not any effect on my >> server. For example I defined a resource for URL pattern /rest/* and a >> policy for having ROLE_REST, also I defined a permission for mapping this >> resource and policy. >> >> But after running the server, I can use rest services without any >> limitation and authentication. >> Now the question is: How can I manage Spring Boot application security >> and permissions from Keycloak admin panel? 
>> >> Thank you >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From ahmadzadehasl at outlook.com Tue May 7 04:08:08 2019 From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl) Date: Tue, 7 May 2019 08:08:08 +0000 Subject: [keycloak-user] Help for using Keycloak in Spring Boot In-Reply-To: References: , Message-ID: Hi guys, Thank you Michal, Thank you Sebastien. As you know, in the application.properties file of this project there is a keycloak.securityConstraints which enforce visitors for having role "user", when I remove this securityConstraints and run the project, every requests redirects to "/accessDenied" page, though based on permissions defined in admin panel, url / is public. If I have to define at least one securityConstraints in application.properties (which in my opinion, is not a good constraint), how can I define it as a public patterns without any role constraint? ________________________________ From: Michal Hajas Sent: Tuesday, May 7, 2019 11:27 AM To: Sebastien Blanc Cc: Ali Ahmadzadeh Asl; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot Hi Ali, as far as I understand, you have to specify securityContrains (it is also in authz quickstart: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-springboot/src/main/resources/application.properties#L10) so that Keycloak know about your resources. You can specify your permissions and policies afterward. 
Michal On Tue, May 7, 2019 at 7:24 AM Sebastien Blanc > wrote: Hi Ali, Have you tried this quickstart that shows how tu use the authz service from KC https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot Also make sure you enable the policy enforcer on the app side in the configuration , i.e : keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied sebi On Tue, May 7, 2019 at 7:07 AM Ali Ahmadzadeh Asl > wrote: Hi Michal, I'm configured my server exactly like this tutorial, but I'm not defined any keycloak.securityConstraints in application.properties file, I want to define permissions and policies in Keycloak admin panel. Does this require any special setting? Do anybody have any sample or tutorial for this? ________________________________ From: Michal Hajas > Sent: Monday, May 6, 2019 12:09 PM To: Ali Ahmadzadeh Asl Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot Hi Ali, it looks like you have wrongly configured Spring Boot Keycloak adapter. Make sure you configured everything which is shown here (especially the part with security constraints): https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter Michal On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl >> wrote: Hi First of all, excuse me for poor English. I am trying to use Keycloak in Spring Boot 2, I read many articles about this matter, such as follow link: https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html There was an issue that i can't resolve it. Resource and policy and permissions defined in admin panel for client, does not any effect on my server. For example I defined a resource for URL pattern /rest/* and a policy for having ROLE_REST, also I defined a permission for mapping this resource and policy. But after running the server, I can use rest services without any limitation and authentication. 
Now the question is: How can I manage Spring Boot application security and permissions from Keycloak admin panel? Thank you _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Tue May 7 04:16:55 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 7 May 2019 10:16:55 +0200 Subject: [keycloak-user] Review Arabic translation Message-ID: We have an open contribution for Arabic translations, but need someone from the community to review. https://github.com/keycloak/keycloak/pull/5962 From mhuin at redhat.com Tue May 7 04:36:21 2019 From: mhuin at redhat.com (Matthieu Huin) Date: Tue, 7 May 2019 10:36:21 +0200 Subject: [keycloak-user] Webhook/notification when user's data is changed In-Reply-To: References: Message-ID: Hello, If you're okay with writing code, you could cover your use case with a SPI based on event notifications. For example, I've written this (very experimental) MQTT emitter that fires a message every time an event occurs on a specific realm: https://github.com/mhuin/keycloak-event-listener-mqtt It is based on the stdout emitter SPI included in the keycloak-examples repo, which is a good way to get started. Hope that helps, MHU On Mon, May 6, 2019 at 9:10 PM Pedro Igor Silva wrote: > Hi, > > >From time to time someone shows up with requirements that could be > addressed using SCIM [1]. > > The functionality you are looking for is also addressed by one of the > drafts related to SCIM [2]. > > [1] https://issues.jboss.org/browse/KEYCLOAK-2537 > [2] https://tools.ietf.org/id/draft-hunt-scim-notify-00.txt > > Regards. 
> Pedro Igor > > On Mon, May 6, 2019 at 1:11 PM Tihomir Mescic wrote: > > > Hi all, > > > > I'm building a system that integrates with Keycloak. What I would need is > > some kind of a notification mechanism in case user information (e.g. > first, > > or last name) is changed in Keycloak. > > > > Something like this: > > - user's first name is changed in Keycloak (either via the Keyclaok > > administration page, or via a REST API call) > > - Keycloak notifies my app about the change (either via a webhook or by > > sending a message to a message bus, or something else) > > > > Is anything like this possible currently? > > > > Thanks in advance, > > Tihomir > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Matthieu Huin Senior Software Developper Red Hat From sblanc at redhat.com Tue May 7 05:08:24 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 7 May 2019 11:08:24 +0200 Subject: [keycloak-user] Webhook/notification when user's data is changed In-Reply-To: References: Message-ID: Hi Matthieu ! This is a really nice example and we are actually lacking of examples for the Event SPI. Would be nice if once you could wrote a small blog post about it ;) Sebi On Tue, May 7, 2019 at 10:45 AM Matthieu Huin wrote: > Hello, > > If you're okay with writing code, you could cover your use case with a SPI > based on event notifications. For example, I've written this (very > experimental) MQTT emitter that fires a message every time an event occurs > on a specific realm: https://github.com/mhuin/keycloak-event-listener-mqtt > > It is based on the stdout emitter SPI included in the keycloak-examples > repo, which is a good way to get started. 
> > Hope that helps, > > MHU > > On Mon, May 6, 2019 at 9:10 PM Pedro Igor Silva wrote: > > > Hi, > > > > >From time to time someone shows up with requirements that could be > > addressed using SCIM [1]. > > > > The functionality you are looking for is also addressed by one of the > > drafts related to SCIM [2]. > > > > [1] https://issues.jboss.org/browse/KEYCLOAK-2537 > > [2] https://tools.ietf.org/id/draft-hunt-scim-notify-00.txt > > > > Regards. > > Pedro Igor > > > > On Mon, May 6, 2019 at 1:11 PM Tihomir Mescic > wrote: > > > > > Hi all, > > > > > > I'm building a system that integrates with Keycloak. What I would need > is > > > some kind of a notification mechanism in case user information (e.g. > > first, > > > or last name) is changed in Keycloak. > > > > > > Something like this: > > > - user's first name is changed in Keycloak (either via the Keyclaok > > > administration page, or via a REST API call) > > > - Keycloak notifies my app about the change (either via a webhook or > by > > > sending a message to a message bus, or something else) > > > > > > Is anything like this possible currently? 
> > > > > > Thanks in advance, > > > Tihomir > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > > Matthieu Huin > > Senior Software Developper > > Red Hat > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From abhi.raghav007 at gmail.com Tue May 7 05:17:54 2019 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Tue, 7 May 2019 14:47:54 +0530 Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3 In-Reply-To: References: Message-ID: Hi Sebastian, Thanks for the response. I got it working with a clue in your last answer. I am using docker based container orchestration framework which when I am scaling down the service is actually force killing the docker containers (something like kill -9), instead of a graceful shut down. So then, I changed my docker-entrypoint (I am using my own docker-entrypoint and not relying on default one which comes with keycloak image) and added *exec* just before the start command. something like this as below - exec /opt/jboss/keycloak/bin/standalone.sh --server-config standalone-ha.xml -Djboss.bind.address=${privateaddress}..... After adding "exec", I noticed that keycloak is shutting down gracefully when I am scaling down the nodes in the cluster and the respective entries are also getting cleared off from JGROUPSPING table just as you mentioned. Looks like this there should not be anymore stale entries until the cluster crashes a lot. Thanks a lot for your support. 
- Best Regards Abhishek On Mon, May 6, 2019 at 12:48 PM Sebastian Laskawiec wrote: > Adding +Bela Ban , just in case :) > > Currently, JDBC_PING extends FILE_PING, which has some properties, that > works similarly to `clear_table_on_view_change`: > - remove_old_coords_on_view_change - If true, on a view change, the new > coordinator removes files from old coordinators > - remove_all_data_on_view_change - If true, on a view change, the new > coordinator removes all data except its own > > It's also worth to mention, that the coordinator clears the table when > shutting down (being more specific, on `JDBC_PING#stop`. So unless your > cluster crashes a lot (by crashing I mean calling `kill -9` for example), > you should be fine. > > Thanks, > Seb > > On Mon, Apr 29, 2019 at 9:44 AM abhishek raghav > wrote: > >> Thanks Sebastian. >> >> I tried running the same setup with 5.0.0 of keycloak, I did not see any >> such errors which I reported in my first email. This was definitely a >> Wildfly issue and not keycloak. >> >> Regarding my 2nd question - i.e. support of "clear_table_on_view_change" >> property. I see that jgroups has removed support of this property. So lets >> say if JGROUPSPING table has lot stale entries, while keycloak starts >> booting up - each time keycloak node will try to JOIN with all the entries >> already present in the JGROUPSPING table and thus time taken for the >> service to start will be more. If that timeline is more than 300s, keycloak >> does not start and reports timeout error. >> This scenario is highly possible in cloud scenarios, since there the >> keycloak nodes can start on any available host/IP since no of nodes are not >> fixed. >> >> Can you suggest any workaround to fix this. >> >> *- Best Regards* >> Abhishek Raghav >> >> >> >> >> >> >> >> >> On Fri, Apr 26, 2019 at 6:11 PM Sebastian Laskawiec >> wrote: >> >>> There was a bunch of fixed to JGroups a while ago, including changes in >>> JDBC_PING. 
>>>
>>> Could you please rerun your setup with Keycloak >= 5.0.0? I believe some
>>> of the issues (or maybe even all of them) should be fixed.
>>>
>>> On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav <abhi.raghav007 at gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> After the migration of keycloak HA configurations from 3.4.3.Final to
>>>> 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
>>>> immediately after keycloak is started with 2 nodes. This occurs
>>>> every time the cluster is scaled up or whenever infinispan is trying
>>>> to update the cluster member list.
>>>> I am using JDBC_PING to achieve clustering in keycloak.
>>>>
>>>> Below is the stacktrace -
>>>>
>>>> 2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
>>>>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>     Suppressed: org.infinispan.util.logging.TraceException
>>>>         at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>>>>         at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>>>>         at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>>>>
>>>> Now after I searched, I really did not see anyone report such an error on
>>>> keycloak, but there is a similar bug reported in WILDFLY 14 and it is
>>>> categorized as a blocker in WILDFLY 14. This bug is already fixed in WILDFLY 15.
>>>> https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
>>>>
>>>> Now since keycloak 4.8 is also based on WILDFLY 14, these WARNINGS
>>>> could be because of this blocker in WILDFLY 14.
>>>>
>>>> What should I do to get rid of this error? Is this really a problem in
>>>> keycloak 4.8.3.Final? Did anyone notice any such issue while running
>>>> keycloak 4.8.3 in HA mode?
>>>> Is there a workaround to fix this?
>>>>
>>>> One more thing we noticed is regarding a property in the JDBC_PING
>>>> protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change",
>>>> but it is no longer supported in the 4.8 version, and thus the JGROUPSPING
>>>> table is filled up with lots of stale entries. Is there a workaround to clear
>>>> the table after view change in 4.8 also?
>>>>
>>>> Thanks
>>>> Abhishek
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>

From mhuin at redhat.com Tue May 7 05:22:04 2019
From: mhuin at redhat.com (Matthieu Huin)
Date: Tue, 7 May 2019 11:22:04 +0200
Subject: [keycloak-user] Webhook/notification when user's data is changed
In-Reply-To:
References:
Message-ID:

Gladly! I was also wondering if there is a centralized source of information like a wiki with a list of available, community-developed SPIs where I could add this one.

I'm not a Java dev though, and there are a few things I'd like to fix before "officially" advertising this (the config part does not work), so I might do that post in a few weeks or months.

On Tue, May 7, 2019 at 11:08 AM Sebastien Blanc wrote:

> Hi Matthieu !
>
> This is a really nice example and we are actually lacking examples for
> the Event SPI. Would be nice if you could write a small blog post
> about it ;)
>
> Sebi
>
> On Tue, May 7, 2019 at 10:45 AM Matthieu Huin wrote:
>
>> Hello,
>>
>> If you're okay with writing code, you could cover your use case with an SPI
>> based on event notifications. For example, I've written this (very
>> experimental) MQTT emitter that fires a message every time an event occurs
>> on a specific realm:
>> https://github.com/mhuin/keycloak-event-listener-mqtt
>>
>> It is based on the stdout emitter SPI included in the keycloak-examples
>> repo, which is a good way to get started.
>>
>> Hope that helps,
>>
>> MHU
>>
>> On Mon, May 6, 2019 at 9:10 PM Pedro Igor Silva wrote:
>>
>> > Hi,
>> >
>> > From time to time someone shows up with requirements that could be
>> > addressed using SCIM [1].
>> >
>> > The functionality you are looking for is also addressed by one of the
>> > drafts related to SCIM [2].
>> >
>> > [1] https://issues.jboss.org/browse/KEYCLOAK-2537
>> > [2] https://tools.ietf.org/id/draft-hunt-scim-notify-00.txt
>> >
>> > Regards.
>> > Pedro Igor
>> >
>> > On Mon, May 6, 2019 at 1:11 PM Tihomir Mescic wrote:
>> >
>> > > Hi all,
>> > >
>> > > I'm building a system that integrates with Keycloak. What I would need is
>> > > some kind of a notification mechanism in case user information (e.g. first
>> > > or last name) is changed in Keycloak.
>> > >
>> > > Something like this:
>> > > - user's first name is changed in Keycloak (either via the Keycloak
>> > > administration page, or via a REST API call)
>> > > - Keycloak notifies my app about the change (either via a webhook or by
>> > > sending a message to a message bus, or something else)
>> > >
>> > > Is anything like this possible currently?
>> > >
>> > > Thanks in advance,
>> > > Tihomir
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Matthieu Huin
>> Senior Software Developer
>> Red Hat
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
Matthieu Huin
Senior Software Developer
Red Hat

From sblanc at redhat.com Tue May 7 05:35:08 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 7 May 2019 11:35:08 +0200
Subject: [keycloak-user] Webhook/notification when user's data is changed
In-Reply-To:
References:
Message-ID:

Yes, you can submit a PR here: https://github.com/keycloak/keycloak-web/tree/master/extensions , and your extension will appear on the keycloak site.
On Tue, May 7, 2019 at 11:22 AM Matthieu Huin wrote:

> Gladly! I was also wondering if there is a centralized source of
> information like a wiki with a list of available, community-developed SPIs
> where I could add this one.
>
> I'm not a Java dev though, and there are a few things I'd like to fix
> before "officially" advertising this (the config part does not work), so I
> might do that post in a few weeks or months.
>
> On Tue, May 7, 2019 at 11:08 AM Sebastien Blanc wrote:
>
>> Hi Matthieu !
>>
>> This is a really nice example and we are actually lacking examples for
>> the Event SPI. Would be nice if you could write a small blog post
>> about it ;)
>>
>> Sebi
>>
>> On Tue, May 7, 2019 at 10:45 AM Matthieu Huin wrote:
>>
>>> Hello,
>>>
>>> If you're okay with writing code, you could cover your use case with an SPI
>>> based on event notifications. For example, I've written this (very
>>> experimental) MQTT emitter that fires a message every time an event occurs
>>> on a specific realm:
>>> https://github.com/mhuin/keycloak-event-listener-mqtt
>>>
>>> It is based on the stdout emitter SPI included in the keycloak-examples
>>> repo, which is a good way to get started.
>>>
>>> Hope that helps,
>>>
>>> MHU
>>>
>>> On Mon, May 6, 2019 at 9:10 PM Pedro Igor Silva wrote:
>>>
>>> > Hi,
>>> >
>>> > From time to time someone shows up with requirements that could be
>>> > addressed using SCIM [1].
>>> >
>>> > The functionality you are looking for is also addressed by one of the
>>> > drafts related to SCIM [2].
>>> >
>>> > [1] https://issues.jboss.org/browse/KEYCLOAK-2537
>>> > [2] https://tools.ietf.org/id/draft-hunt-scim-notify-00.txt
>>> >
>>> > Regards.
>>> > Pedro Igor
>>> >
>>> > On Mon, May 6, 2019 at 1:11 PM Tihomir Mescic wrote:
>>> >
>>> > > Hi all,
>>> > >
>>> > > I'm building a system that integrates with Keycloak. What I would need is
>>> > > some kind of a notification mechanism in case user information (e.g. first
>>> > > or last name) is changed in Keycloak.
>>> > >
>>> > > Something like this:
>>> > > - user's first name is changed in Keycloak (either via the Keycloak
>>> > > administration page, or via a REST API call)
>>> > > - Keycloak notifies my app about the change (either via a webhook or by
>>> > > sending a message to a message bus, or something else)
>>> > >
>>> > > Is anything like this possible currently?
>>> > >
>>> > > Thanks in advance,
>>> > > Tihomir
>>> > > _______________________________________________
>>> > > keycloak-user mailing list
>>> > > keycloak-user at lists.jboss.org
>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>> --
>>> Matthieu Huin
>>> Senior Software Developer
>>> Red Hat
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
> --
> Matthieu Huin
> Senior Software Developer
> Red Hat
>

From matthias.anglade at gmail.com Tue May 7 09:30:56 2019
From: matthias.anglade at gmail.com (Matthias Anglade)
Date: Tue, 7 May 2019 15:30:56 +0200
Subject: [keycloak-user] Strange behavior related to LDAP groups / subgroups
Message-ID:

Hi,

We are currently trying to use an LDAP directory as a federation and we are facing issues regarding groups.

First case: when we are trying to create a group using the API, is there a way to specify a parent group to create it in? As for now, any group will be created at the root of the federation group mapper (i.e. the one given as the "LDAP Groups DN" parameter)?
Second case: when I create a structure with groups and subgroups, if some groups have the same name then the membership will not be taken into account, even if the groups having the same name are in two distinct subgroups.

Say I have the following structure:

grp1
  sub-grp1
  sub-grp2
grp2
  sub-grp1
  sub-grp3

If I have a user as a member of all four sub-groups then either grp1/sub-grp1 or grp2/sub-grp1 will be missing.

Any help would be appreciated.

Yours,
--
Matthias

From dr.doon+keycloak at gmail.com Tue May 7 14:41:55 2019
From: dr.doon+keycloak at gmail.com (DKD)
Date: Tue, 7 May 2019 14:41:55 -0400
Subject: [keycloak-user] Keycloak Scalability Issues
In-Reply-To: <321ed686-5e08-702e-751e-826bd355ac41@janua.fr>
References: <321ed686-5e08-702e-751e-826bd355ac41@janua.fr>
Message-ID:

Thanks for your reply and the links.

Offline tokens don't really apply in this use case, since there aren't any offline operations happening when the user isn't active, and we'd need the I'd imagine that if the tokens are somewhat permanent in nature, with such a long-lived timeout, infinispan + backing store can still be used just as L1/L2 caches. Loading them all into main memory makes the remote store somewhat useless, unless the purpose of the remote stores is coordination and cluster synchronization, and not performance.

However, I strongly suspect we are not configuring things correctly. For example, we did not set the `Revoke Refresh Token` flag to true, so a new refresh token was always issued and kept around. That may probably help.

For reference, here are the other timeout settings that I have configured:
SSO Session Idle = 30 days; SSO Session Max = 1825 Days; No "remember me" values set.
Offline session idle = 30 days
Access token lifespan = 20 minutes; Access token lifespan for implicit flow = 15 minutes

Thanks again,
DKD

On Mon, May 6, 2019 at 3:02 PM Olivier Rivat wrote:

> Hi,
>
> I am surprised to see you having to consider that many sessions with a
> session lifetime span of about 8 months.
> All the sessions are piling up, and at the end, as you mention, you can
> end up with about 1 million sessions with scalability issues.
>
> I am wondering if you don't have a design issue.
> A normal session is 10H, and session idle timeout is about 30mn.
> Keycloak provides offline tokens that can last 30 days, but could be
> extended to much more (8 months - a year).
> Offline token handling will allow your application to generate new
> access tokens (very short lifespan), without having the need to
> reauthenticate.
>
> I guess it should fulfill your needs.
>
> see also:
>
> http://www.janua.fr/examples-of-offline-token-usage-in-keycloak/
>
> http://www.janua.fr/understanding-token-usage-in-keycloak/
>
> Regards,
>
> Olivier Rivat
>
> On 03/05/2019 at 19:53, Dev Doongoor wrote:
> > Hello,
> >
> > I am looking for help regarding having Keycloak accommodate roughly a
> > million long-lived sessions.
> > My setup: I have an externalized infinispan cluster which houses the
> > clientSessions and sessions caches, and I am using Keycloak 4.8.0.
> > The infinispan cluster can hold that many entries in each cache; however, it
> > seems Keycloak itself struggles with this.
> > When I restart Keycloak (for whatever reason), it seems to attempt to load
> > all sessions from infinispan into memory, which to me seems counter-intuitive
> > to using an externalized cache system.
> > Unless I give Keycloak enough RAM to handle 1 million or so sessions, it
> > seems like I would have to clear all session data in order for the
> > application to start up again.
> > Also, session lifetime is expected to be 8 months to a year.
> >
> > My standalone-ha.xml for cache configuration looks like this:
> >
> > cache="sessions" shared="true" purge="false" preload="false">
> > true
> > org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
> >
> > passivation="false" shared="true" purge="false" preload="false">
> > true
> > org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
> >
> > Is this correct? Is there a more efficient way to handle this?
> >
> > Thanks in advance,
> >
> > DKD
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
>
> Olivier Rivat
> CTO
> orivat at janua.fr
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From iainsteers at gmail.com Tue May 7 16:28:46 2019
From: iainsteers at gmail.com (Iain Steers)
Date: Tue, 7 May 2019 16:28:46 -0400
Subject: [keycloak-user] keycloak 4.8.3 ReadOnlyException on new SAML client with ldap federation
Message-ID:

Hey folks,

We upgraded to keycloak 4.8.3 fairly recently. We were on version 4.2.1.

All existing SAML and OAuth clients work as expected and there are no issues signing into them.

However, we just created a new SAML client and don't seem to be able to successfully complete the auth process, with the vague error message: "Unexpected error when handling authentication request to identity provider"

Digging into the logs I found a stacktrace[1]. This occurs on login attempts with this new client.

Our User Federation backend is a read-only ldap.

Some searching of the jboss jira and web didn't find much related to this.

Any help would be appreciated.
This is reproducible for us across two separate instances of keycloak backed by separate ldap backends.

Thanks,
Iain

[1]
May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-733) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/washington/
May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 WARN [org.keycloak.services] (default task-733) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.ReadOnlyUserModelDelegate.setSingleAttribute(ReadOnlyUserModelDelegate.java:48)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.cache.infinispan.UserAdapter.setSingleAttribute(UserAdapter.java:137)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.getPersistentNameId(SamlProtocol.java:366)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.getNameId(SamlProtocol.java:324)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.authenticated(SamlProtocol.java:380)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:790)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:742)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:876)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1008)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:878)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)

From traviskds at gmail.com Tue May 7 21:54:54 2019
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 8 May 2019 11:54:54 +1000
Subject: [keycloak-user] User Federation - LDAP - syncronize changed users
Message-ID:

Hi

We have a user federation setup that connects to Microsoft Active
Directory (AD) We are having an issue where when user attributes such as "memberof" or extension attributes are updated, it does not update it in keycloak. We have the synchronize changed users set to activate every half an hour. How does Keycloak identify if the user has changed in AD? Are you using the AD attribute "whenChanged" or is it some other attribute? Appreciate any help. Cheers Travis From traviskds at gmail.com Wed May 8 00:49:18 2019 From: traviskds at gmail.com (Travis De Silva) Date: Wed, 8 May 2019 14:49:18 +1000 Subject: [keycloak-user] User Federation - LDAP - syncronize changed users In-Reply-To: References: Message-ID: On further research, I believe this is done using cookies. I can see the below keycloak class setting cookies https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java Also, Microsoft has the below https://docs.microsoft.com/en-us/windows/desktop/ad/polling-for-changes-using-the-dirsync-control I am assuming for this to work, on the Microsoft Active Directory side, it needs to support this concept. If they don't, won't it just do a full sync rather than not sync? On Wed, May 8, 2019 at 11:54 AM Travis De Silva wrote: > Hi > > We have a user federation setup that connects to Microsoft Active > Directory (AD) > > We are having an issue where when user attributes such as "memberof" or > extension attributes are updated, it does not update it in keycloak. We > have the synchronize changed users set to activate every half an hour. > > How does Keycloak identify if the user has changed in AD? Are you using > the AD attribute "whenChanged" or is it some other attribute? > > Appreciate any help. 
> Cheers
> Travis
>

From Leigh.Kennedy at qlik.com Wed May 8 03:10:16 2019
From: Leigh.Kennedy at qlik.com (Leigh Kennedy)
Date: Wed, 8 May 2019 07:10:16 +0000
Subject: [keycloak-user] Problems with kcadm returning messages as errors incorrectly
Message-ID:

Hi,

I have been porting some Keycloak scripts I wrote from Linux to PowerShell.
The issue I have is that while the commands work, the output is being
returned as stderr incorrectly, i.e.:

PS C:\Windows\system32> kcadm.bat config credentials --server http://127.0.0.1:8080/auth --realm master --user myuser --password xxxx
kcadm.bat : Logging into http://127.0.0.1:8080/auth as user myuser of realm master
At line:1 char:1
+ kcadm.bat config credentials --server http://127.0.0.1:8080/auth --re ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Logging into ht...of realm master:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

If I redirect the error output to a file, I get no output:

PS C:\Windows\system32> kcadm.bat config credentials --server http://127.0.0.1:8080/auth --realm master --user qlik --password Qlik1234 2>console.err
PS C:\Windows\system32>

The commands are working, but for some reason the way the Java returns the
output is causing the issue.

Does anyone know how to work around this?

Thanks.
Leigh.

From slaskawi at redhat.com Wed May 8 04:07:32 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 8 May 2019 10:07:32 +0200
Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
In-Reply-To:
References:
Message-ID:

I'm glad that worked for you. Thanks for the great feedback, Abhishek!

On Tue, May 7, 2019 at 11:18 AM abhishek raghav wrote:

> Hi Sebastian,
>
> Thanks for the response. I got it working with a clue in your last answer.
> I am using a docker based container orchestration framework which, when I am
> scaling down the service, is actually force killing the docker containers
> (something like kill -9) instead of a graceful shut down. So then, I
> changed my docker-entrypoint (I am using my own docker-entrypoint and not
> relying on the default one which comes with the keycloak image) and added *exec*
> just before the start command, something like this:
>
> exec /opt/jboss/keycloak/bin/standalone.sh --server-config standalone-ha.xml -Djboss.bind.address=${privateaddress}.....
>
> After adding "exec", I noticed that keycloak is shutting down gracefully
> when I am scaling down the nodes in the cluster and the respective entries
> are also getting cleared off from the JGROUPSPING table just as you mentioned.
>
> Looks like there should not be any more stale entries until the
> cluster crashes a lot.
>
> Thanks a lot for your support.
>
> - Best Regards
> Abhishek
>
> On Mon, May 6, 2019 at 12:48 PM Sebastian Laskawiec wrote:
>
>> Adding +Bela Ban, just in case :)
>>
>> Currently, JDBC_PING extends FILE_PING, which has some properties that
>> work similarly to `clear_table_on_view_change`:
>> - remove_old_coords_on_view_change - If true, on a view change, the new
>> coordinator removes files from old coordinators
>> - remove_all_data_on_view_change - If true, on a view change, the new
>> coordinator removes all data except its own
>>
>> It's also worth mentioning that the coordinator clears the table when
>> shutting down (being more specific, on `JDBC_PING#stop`). So unless your
>> cluster crashes a lot (by crashing I mean calling `kill -9` for example),
>> you should be fine.
>>
>> Thanks,
>> Seb
>>
>> On Mon, Apr 29, 2019 at 9:44 AM abhishek raghav wrote:
>>
>>> Thanks Sebastian.
>>>
>>> I tried running the same setup with 5.0.0 of keycloak, I did not see any
>>> such errors which I reported in my first email.
>>> This was definitely a
>>> Wildfly issue and not keycloak.
>>>
>>> Regarding my 2nd question - i.e. support of the "clear_table_on_view_change"
>>> property. I see that jgroups has removed support of this property. So let's
>>> say the JGROUPSPING table has a lot of stale entries while keycloak starts
>>> booting up - each time the keycloak node will try to JOIN with all the entries
>>> already present in the JGROUPSPING table and thus the time taken for the
>>> service to start will be more. If that timeline is more than 300s, keycloak
>>> does not start and reports a timeout error.
>>> This scenario is highly possible in cloud scenarios, since there the
>>> keycloak nodes can start on any available host/IP since the number of nodes
>>> is not fixed.
>>>
>>> Can you suggest any workaround to fix this.
>>>
>>> *- Best Regards*
>>> Abhishek Raghav
>>>
>>> On Fri, Apr 26, 2019 at 6:11 PM Sebastian Laskawiec wrote:
>>>
>>>> There was a bunch of fixes to JGroups a while ago, including changes in
>>>> JDBC_PING.
>>>>
>>>> Could you please rerun your setup with Keycloak >= 5.0.0? I believe
>>>> some of the issues (or maybe even all of them) should be fixed.
>>>>
>>>> On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav <abhi.raghav007 at gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> After the migration of keycloak HA configurations from 3.4.3.Final to
>>>>> 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
>>>>> immediately after keycloak is started with 2 nodes. This occurs
>>>>> every time the cluster is scaled up or whenever infinispan is trying
>>>>> to update the cluster member list.
>>>>> I am using JDBC_PING to achieve clustering in keycloak.
>>>>>
>>>>> Below is the stacktrace -
>>>>>
>>>>> 2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
>>>>>         at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>>>>         at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>>>>         at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>>>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>>         Suppressed: org.infinispan.util.logging.TraceException
>>>>>                 at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>>>>>                 at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>>>>>                 at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>>>>>
>>>>> Now after I searched, I really did not see
>>>>> anyone report such an error on
>>>>> keycloak but there is a similar bug reported in WILDFLY 14 and it is
>>>>> categorized as a blocker in WILDFLY 14. This bug is already fixed in WILDFLY 15.
>>>>> https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
>>>>>
>>>>> Now since keycloak 4.8 is also based on WILDFLY 14, these WARNINGS
>>>>> could be because of this blocker in WILDFLY 14.
>>>>>
>>>>> What should I do to get rid of this error. Is this really a problem in
>>>>> keycloak 4.8.3.Final. Did anyone notice any such issue while running
>>>>> keycloak 4.8.3 in HA mode.
>>>>> Is there a workaround to fix this.
>>>>>
>>>>> One more thing we noticed is - It is regarding a property in the JDBC_PING
>>>>> protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change",
>>>>> but it is no longer supported in the 4.8 version, and thus the JGROUPSPING
>>>>> table is filled up with a lot of stale entries. Is there a workaround to clear
>>>>> the table after a view change in 4.8 also.
>>>>>
>>>>> Thanks
>>>>> Abhishek
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>

From shiva.prasad.thagadur.prakash at ericsson.com Wed May 8 04:09:32 2019
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Wed, 8 May 2019 08:09:32 +0000
Subject: [keycloak-user] Is CVE-2019-3868 (session hijacking) fixed in 6.0.1 keycloak release
Message-ID: <1557302972.19007.4.camel@ericsson.com>

Hi Guys,

Is CVE-2019-3868 fixed in the 6.0.1 Keycloak release? Is there a place where I
can check the status of different CVEs, i.e. whether they are fixed or
planned to be fixed etc...?
Thanks,
Shiva

From tdudgeon.ml at gmail.com Wed May 8 05:08:56 2019
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 8 May 2019 10:08:56 +0100
Subject: [keycloak-user] obtaining token when using identity broker
Message-ID: <01d293d2-d9a3-6c4c-6570-0dd7024e4cb0@gmail.com>

Apologies again if this was already answered, but my subscription to the ML
keeps getting cut and there is no archive to check!

How can I obtain a token in the following scenario:

1. My keycloak realm is set up to manage users with identity brokering
   (e.g. in a browser they would login through GitHub, Google etc.)
2. I have a public client in that realm that has a REST API that requires
   access to be authenticated
3. I want to access that API using curl or other CLI tool so need to provide
   an access token.

How can I get a token?

Thanks
Tim

From Tony.Harris at oneadvanced.com Wed May 8 05:44:31 2019
From: Tony.Harris at oneadvanced.com (Tony Harris)
Date: Wed, 8 May 2019 09:44:31 +0000
Subject: [keycloak-user] obtaining token when using identity broker
In-Reply-To: <01d293d2-d9a3-6c4c-6570-0dd7024e4cb0@gmail.com>
References: <01d293d2-d9a3-6c4c-6570-0dd7024e4cb0@gmail.com>
Message-ID: <73b2905b36d547b190ff848ac93bbb5d@SL1ACSEXCMB01.acsresource.com>

One way would be to change your client to confidential and login with the
client id and secret.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Tim Dudgeon
Sent: 08 May 2019 10:09
To: keycloak-user
Subject: [keycloak-user] obtaining token when using identity broker

Apologies again if this was already answered, but my subscription to the ML
keeps getting cut and there is no archive to check!

How can I obtain a token in the following scenario:

1. My keycloak realm is set up to manage users with identity brokering
   (e.g. in a browser they would login through GitHub, Google etc.)
2.
   I have a public client in that realm that has a REST API that requires
   access to be authenticated
3. I want to access that API using curl or other CLI tool so need to provide
   an access token.

How can I get a token?

Thanks
Tim
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From frank.herrmann at modernizingmedicine.com Wed May 8 10:14:17 2019
From: frank.herrmann at modernizingmedicine.com (Frank Herrmann)
Date: Wed, 8 May 2019 10:14:17 -0400
Subject: [keycloak-user] Permissions tab missing after upgrading
Message-ID:

Hello,

I just updated my installation of Keycloak from 3.4.3 to 6.0.1. I need to
set up token exchange. The documentation still references the Permissions
tab in my identity provider. However, the tab is missing. It is also
missing from my clients. My 3.4.3 installation has the Permissions tabs.

I can, however, get to the permissions pages by altering the URL. I was
wondering if anyone else has seen this. Is this a bug, or does the
documentation need to be updated?

Thanks,
-Frank

--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann at modmed.com

--
*CONFIDENTIALITY NOTICE:* This e-mail message may contain material protected
by the Health Insurance Portability and Accountability Act of 1996 and its
implementing regulations and other state and federal laws and legal
privileges. This message is only for the personal and confidential use of
the individuals or organization to whom the message is addressed.
If you are an unintended recipient, you have received this message in error,
and any reading, distributing, copying or disclosure is unauthorized and
strictly prohibited. All recipients are hereby notified that any
unauthorized receipt does not waive any confidentiality obligations or
privileges. If you have received this message in error, please notify the
sender immediately at the above email address and confirm that you have
deleted or destroyed the message.

From bruno at abstractj.org Wed May 8 10:27:13 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 8 May 2019 11:27:13 -0300
Subject: [keycloak-user] Is CVE-2019-3868 (session hijacking) fixed in 6.0.1 keycloak release
In-Reply-To: <1557302972.19007.4.camel@ericsson.com>
References: <1557302972.19007.4.camel@ericsson.com>
Message-ID:

Please, take a look at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3868.
It was fixed.

On Wed, May 8, 2019 at 5:14 AM Shiva Prasad Thagadur Prakash wrote:
>
> Hi Guys,
>
> Is CVE-2019-3868 fixed in 6.0.1 Keycloak release? Is there a place
> where I can check the status of different CVEs i.e. whether they are
> fixed or planned to be fixed etc...
>
> Thanks,
> Shiva

--
- abstractj

From psilva at redhat.com Wed May 8 14:12:49 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 8 May 2019 15:12:49 -0300
Subject: [keycloak-user] Permissions tab missing after upgrading
In-Reply-To:
References:
Message-ID:

Hi,

This is probably because tech-preview features are not enabled by default.
See https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions .

You basically need to set the following system property to boot the server:
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled.
On Wed, May 8, 2019 at 11:16 AM Frank Herrmann <frank.herrmann at modernizingmedicine.com> wrote:

> Hello,
>
> I just updated my installation of Keycloak from 3.4.3 to 6.0.1. I need to
> set up token exchange. The documentation still references the Permissions
> tab in my identity provider. However, the tab is missing. It is also
> missing from my clients. My 3.4.3 installation has the Permissions tabs.
>
> I can, however, get to the permissions pages by altering the url. I was
> wondering if anyone else has seen this. Is this a bug, or does the
> documentation need to be updated?
>
> Thanks,
> -Frank
>
> --
> FRANK HERRMANN
> ASSOCIATE SOFTWARE ARCHITECT
> T: 561-880-2998 x1563
> E: frank.herrmann at modmed.com
>

From frank.herrmann at modernizingmedicine.com Wed May 8 14:19:54 2019
From: frank.herrmann at modernizingmedicine.com (Frank Herrmann)
Date: Wed, 8 May 2019 14:19:54 -0400
Subject: [keycloak-user] Permissions tab missing after upgrading
In-Reply-To:
References:
Message-ID:

Thanks. That appears to have done it. I missed that change in the
documentation.

On Wed, May 8, 2019 at 2:13 PM Pedro Igor Silva wrote:

> Hi,
>
> This is probably because tech-preview features are not enabled by default.
> See
> https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
> .
>
> You basically need to set the following system property to boot the
> server: -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled.
>
> On Wed, May 8, 2019 at 11:16 AM Frank Herrmann <
> frank.herrmann at modernizingmedicine.com> wrote:
>
>> Hello,
>>
>> I just updated my installation of Keycloak from 3.4.3 to 6.0.1. I need to
>> set up token exchange. The documentation still references the Permissions
>> tab in my identity provider. However, the tab is missing. It is also
>> missing from my clients. My 3.4.3 installation has the Permissions tabs.
>>
>> I can, however, get to the permissions pages by altering the url. I was
>> wondering if anyone else has seen this. Is this a bug, or does the
>> documentation need to be updated?
>>
>> Thanks,
>> -Frank
>>
>> --
>> FRANK HERRMANN
>> ASSOCIATE SOFTWARE ARCHITECT
>> T: 561-880-2998 x1563
>> E: frank.herrmann at modmed.com
>

--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann at modmed.com
From guido_99 at gmx.de Wed May 8 15:04:51 2019
From: guido_99 at gmx.de (Guido Wimmel)
Date: Wed, 8 May 2019 21:04:51 +0200
Subject: [keycloak-user] Show Username in Admin Events / Login Events
In-Reply-To: <339f02c8-c80f-4434-323f-f14be4f4c48d@gmx.de>
References: <339f02c8-c80f-4434-323f-f14be4f4c48d@gmx.de>
Message-ID: <5de83ea9-9227-106f-50af-e0176b1aa492@gmx.de>

Hi,

does anyone possibly have similar concerns / a workaround?

The Admin Events View in the Administration Console is of limited use for
our Keycloak admins if they have to look up the usernames of the concerned
users.

In addition, it seems that the Admin Events do not contain information on
which role(s) were assigned to / removed from a user - I can only see a
general update of the client-role-mapping. Is this true? Is there a way to
extend the Admin Events such that it is possible to see which role(s) were
added/removed?

Thanks in advance, best regards,
Guido

On 06.04.19 10:39 Guido Wimmel wrote:
> Hi,
>
> in the Admin Events / Login Events - View in the Administration Console
> in Keycloak, I can see e.g. if users logged in or were assigned to a role.
> However, the users are only referenced by their id.
>
> I can determine the username by constructing a URL (e.g.
> .../realms//users/ ) and navigating to it.
>
> Is there an easier way?
>
> Best regards,
> Guido
>

From demetrio at carretti.pro Wed May 8 17:01:03 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Thu, 09 May 2019 00:01:03 +0300
Subject: [keycloak-user] Service account token mappers?
In-Reply-To: <91F81618-4CEF-472E-988D-43EAAB5F0777@apnic.net>
References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net> <1556836691.3581.8.camel@carretti.pro> <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net> <91F81618-4CEF-472E-988D-43EAAB5F0777@apnic.net>
Message-ID: <1557349263.3565.4.camel@carretti.pro>

Hi Gary,

I'm still convinced this could be done much simpler. Just performed a quick test:

- created a realm;
- created an OIDC client of type "confidential";
- enabled service account;
- went to Service Account Roles and assigned the realm-management.manage-realm role;

Then ran a script:

#!/bin/sh
KEYCLOAK_URL=http://localhost:8080/auth
KEYCLOAK_REALM=test-realm
KEYCLOAK_CLIENT=test-client
KEYCLOAK_CLIENT_SECRET=...

ACCESS_TOKEN=$(curl -s $KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
    --basic --user $KEYCLOAK_CLIENT:$KEYCLOAK_CLIENT_SECRET \
    -d grant_type=client_credentials \
    | jq -r '.access_token')

# The payload is the second dot-separated segment. It is base64url without
# padding, so map the URL alphabet back to standard base64 and restore the
# '=' padding before decoding, otherwise base64 -d rejects many tokens.
PAYLOAD=$(echo "$ACCESS_TOKEN" | cut -d. -f2 | tr '_-' '/+')
while [ $(( ${#PAYLOAD} % 4 )) -ne 0 ]; do PAYLOAD="$PAYLOAD="; done
echo "$PAYLOAD" | base64 -d | jq

I've been able to see the following inside the token:

    "realm_access": {
      "roles": [
        "offline_access",
        "uma_authorization"
      ]
    },
    "resource_access": {
      "realm-management": {
        "roles": [
          "manage-realm" // <- this
        ]
      },
      "account": {
        "roles": [
          "manage-account",
          "manage-account-links",
          "view-profile"
        ]
      }
    },

(How it works: by default, built-in client scopes are assigned to the
clients (see Client Scopes tab -> Assigned Default Client Scopes). One of
them, namely "roles", invokes the "client roles" mapper, which in its turn
resolves the roles and puts them into a token.)
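As an added example (the editor's, not Dmitry's script or Keycloak project code), the token inspection step above done in Python: the payload segment is decoded with the base64url alphabet and missing padding restored, then the claims this thread turns on are checked, namely the realm-management client roles and whether azp still names the client that owns the service account (the claim Gary's script mapper rewrites). The sample payloads are constructed inline and the signature is not verified, so this inspects tokens rather than trusting them.

```python
"""Inspect a Keycloak access token payload offline (added example).

The shell script in the thread extracts the second dot-separated segment
and pipes it through base64 -d. That fails on segments whose length is
not a multiple of 4 or that use the URL-safe '-' / '_' characters. This
decoder handles both and then checks the claims the thread discusses.
It does NOT verify the signature: inspection only, not validation.
"""
import base64
import json

SERVICE_ACCOUNT_PREFIX = "service-account-"


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding (JWS compact serialization)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(payload: dict, client_id: str) -> set:
    """Roles granted for one client: resource_access.<client_id>.roles."""
    return set(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))


def is_service_account(payload: dict) -> bool:
    return payload.get("preferred_username", "").startswith(SERVICE_ACCOUNT_PREFIX)


def azp_matches_client(payload: dict) -> bool:
    """A client-credentials token is issued for the client that owns the
    service account, so azp should equal the client id derived from
    preferred_username. An azp naming another client (for example the
    'admin-cli' rewrite discussed in the thread) is worth flagging."""
    if not is_service_account(payload):
        return True  # the rule only applies to service-account tokens
    owner = payload["preferred_username"][len(SERVICE_ACCOUNT_PREFIX):]
    return payload.get("azp") == owner


def review_token(token: str) -> dict:
    """Summarise the claims a reviewer of a service-account token cares about."""
    p = decode_jwt_payload(token)
    return {
        "service_account": is_service_account(p),
        "realm_management_roles": sorted(client_roles(p, "realm-management")),
        "azp_matches_client": azp_matches_client(p),
    }


def build_unsigned_token(payload: dict) -> str:
    """Constructed sample token for offline use: alg=none, empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed payloads mirroring the claims shown in the thread (not real tokens).
SAMPLE_SERVICE_ACCOUNT = {
    "preferred_username": "service-account-test-client",
    "azp": "test-client",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "realm-management": {"roles": ["manage-realm"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
}
# The same token after a script mapper has rewritten azp to "admin-cli".
SAMPLE_REWRITTEN_AZP = dict(SAMPLE_SERVICE_ACCOUNT, azp="admin-cli")

if __name__ == "__main__":
    for name, payload in (("default", SAMPLE_SERVICE_ACCOUNT),
                          ("azp rewritten", SAMPLE_REWRITTEN_AZP)):
        print(name, review_token(build_unsigned_token(payload)))
```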
Could you please try to reproduce the same on your instance?

Hope that helps,

Dmitry Telegin
Opensource IAM consultant
https://www.linkedin.com/in/d-telegin

On Tue, 2019-05-07 at 03:40 +0000, Gary Kennedy wrote:
> I think I've found an acceptable solution, can I get some feedback please? I don't want to risk any loopholes or lessened security here.
>
> Originally I was thinking that I needed to add the "resource_access" claim to the token (with "realm-management" roles), because the admin API was using the "KeycloakIdentity" class in "MgmtPermissions.hasOneAdminRole" calls. However, now I've gone with changing the "azp" (issued-for) claim instead, so that "MgmtPermissions.initIdentity" uses the "UserModelIdentity" class instead. FYI - I've arbitrarily chosen to use the "admin-cli" client id for the "azp" claim, but "security-admin-console" would work just as well.
>
> This is all accomplished with a single client specific script mapper with no "Token Claim Name", no "Claim JSON Type", and set to only "Add to access token" (ie, ID token and user info flags are OFF).
>
> The script:
>
> ```
> // todo: can we make the service account detection a bit more robust? ie, sub claim??
> // note: could also check client session notes for form data scope so we don't always set the issued-for
> var tokenName = null;
> if (token !== null && token.getOtherClaims() !== null) {
>     tokenName = token.getOtherClaims().get('preferred_username');
> }
> if (tokenName == 'service-account-test-client') {
>     // admin-cli is to get the admin api to use the usermodel instead of the token for roles
>     // you could also use the security-admin-console client id
>     // see MgmtPermissions.initIdentity
>     token.issuedFor('admin-cli');
> }
> ```
>
> Digging through the code I cannot find any other means of setting the issued-for of the token during the client credentials grant, but am I missing something? Is there another way we can set the issued-for at token request time?
>
> Cheers,
> Gary
>
> > On 7 May 2019, at 9:38 am, Gary Kennedy wrote:
> >
> > > On 3 May 2019, at 8:38 am, Dmitry Telegin wrote:
> > >
> > > Hi Gary,
> > >
> > > To ensure proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you?
> >
> > Unfortunately no.
> >
> > The roles are set, however they are not presented in the token, eg no "resource_access" claim.
> >
> > And because of the missing "resource_access" claim, using the token with the admin API results in 403 forbidden.
> >
> > > If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for "preferred_username" claim, its value will look like "service-account-".
> >
> > Thanks. I previously explicitly tried the built-in "client roles" mapper for the client as well as creating a "user client role" mapper manually (not at the same time) and they were not adding the claim to the token so I assumed wrongly that the client mappers were not being used for the service account token.
> >
> > Using a script mapper (and a hardcoded claim mapper) works in that the service account token has the configured claims from those mappers. It seems like the "user client roles" mapper type is being filtered from the applied protocol mappers here.
> >
> > The mapper is applied to user tokens as well (of course) but at least using a script mapper will allow me to hack in the "resource_access" claim as I want. I'd like to do the right thing and have the script mapper use actual roles but I may have to fall back to hardcoding the claim value, we'll see how much effort is needed and that I'm allowed to put in :p.
> >
> > > Cheers,
> > > Dmitry
> > >
> > > On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
> > > > I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
> > > >
> > > > I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
> > > >
> > > > How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
> > > >
> > > > If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
> > > >
> > > > (Keycloak 4.8.2)
> > > >
> > > > Cheers,
> > > > Gary

From demetrio at carretti.pro Wed May 8 17:33:47 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Thu, 09 May 2019 00:33:47 +0300
Subject: [keycloak-user] keycloak 4.8.3 ReadOnlyException on new SAML client with ldap federation
In-Reply-To:
References:
Message-ID: <1557351227.3565.6.camel@carretti.pro>

Hi Iain,

Seems that your client uses the so-called "persistent NameID policy", which
implies that for each new user Keycloak will generate and, literally,
persist a SAML-specific identifier called NameID. It's not obvious, but this
policy works with writable user stores only, since it needs to persist the
generated NameID (under the hood, Keycloak uses a custom user attribute
named "saml.persistent.name.id.for.").

You can overcome this by forcing a different NameID policy, like username or
email, in the client settings.
However, you'll need to make sure that your actual client (web application)
is OK with that policy and there is no lock-in for any particular NameID
format. In fact, the clients should neither rely on the presence of NameID
nor use it for long-term identification, see [1] section [SDP-SP13].

[1] https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

Good luck,

Dmitry Telegin
Opensource IAM consultant
https://www.linkedin.com/in/d-telegin

On Tue, 2019-05-07 at 16:28 -0400, Iain Steers wrote:
> Hey folks,
>
> We upgraded to keycloak 4.8.3 fairly recently. We were on version 4.2.1.
>
> All existing SAML and OAuth clients work as expected and there are no
> issues signing into them.
>
> However, we just created a new SAML client and don't seem to be able to
> successfully complete the auth process. With the vague error message:
> "Unexpected error when handling authentication request to identity provider"
> Digging into the logs I found a stacktrace[1]. This occurs on login
> attempts with this new client.
> Our User Federation backend is a read-only ldap. Some searching of the
> jboss jira and web didn't find much related to this. Any help would be
> appreciated.
>
> This is reproducible for us across two separate instances of keycloak
> backed by separate ldap backends.
>
> Thanks,
>
> Iain
>
> [1]
> May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-733) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/washington/
> May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 WARN [org.keycloak.services] (default task-733) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.ReadOnlyUserModelDelegate.setSingleAttribute(ReadOnlyUserModelDelegate.java:48)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.cache.infinispan.UserAdapter.setSingleAttribute(UserAdapter.java:137)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.getPersistentNameId(SamlProtocol.java:366)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.getNameId(SamlProtocol.java:324)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.authenticated(SamlProtocol.java:380)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:790) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:742) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:876) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1008) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:878) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > sun.reflect.GeneratedMethodAccessor673.invoke(Unknown Source) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > java.lang.reflect.Method.invoke(Method.java:498) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > May 07 20:01:05 keycloak-01 
standalone.sh[947]: at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> java.lang.Thread.run(Thread.java:748)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From demetrio at carretti.pro Wed May 8 17:39:54 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Thu, 09 May 2019 00:39:54 +0300
Subject: [keycloak-user] Help for using Keycloak in Spring Boot
In-Reply-To:
References:
Message-ID: <1557351594.3565.8.camel@carretti.pro>

Hello Ali,

It would be helpful if you could share your application.properties (scrubbing the secrets, if any) as well as authorization settings in Keycloak.

Please also mind that security constraints (role-based) and authorization are separate concepts, in the sense that they are configured and enforced differently.

Cheers,
Dmitry Telegin
Opensource IAM consultant
https://www.linkedin.com/in/d-telegin

On Tue, 2019-05-07 at 08:08 +0000, Ali Ahmadzadeh Asl wrote:
> Hi guys,
>
> Thank you Michal, thank you Sebastien. As you know, in the application.properties file of this project there is a keycloak.securityConstraints which requires visitors to have the role "user"; when I remove this securityConstraints and run the project, every request redirects to the "/accessDenied" page, though based on the permissions defined in the admin panel, url / is public.
>
> If I have to define at least one securityConstraints in application.properties (which in my opinion is not a good constraint), how can I define it as a public pattern without any role constraint?
>
>
> ________________________________
>
> From: Michal Hajas
> Sent: Tuesday, May 7, 2019 11:27 AM
> To: Sebastien Blanc
> Cc: Ali Ahmadzadeh Asl; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot
>
> Hi Ali,
>
> as far as I understand, you have to specify securityConstraints (it is also in the authz quickstart: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-springboot/src/main/resources/application.properties#L10) so that Keycloak knows about your resources. You can specify your permissions and policies afterward.
>
> Michal
>
>
>
> On Tue, May 7, 2019 at 7:24 AM Sebastien Blanc wrote:
> Hi Ali,
>
> Have you tried this quickstart that shows how to use the authz service from KC: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot
> Also make sure you enable the policy enforcer on the app side in the configuration, i.e.:
> keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied
>
> sebi
>
>
>
> On Tue, May 7, 2019 at 7:07 AM Ali Ahmadzadeh Asl wrote:
>
> Hi Michal,
>
> I configured my server exactly like this tutorial, but I haven't defined any keycloak.securityConstraints in the application.properties file; I want to define permissions and policies in the Keycloak admin panel. Does this require any special setting? Does anybody have any sample or tutorial for this?
> ________________________________
>
>
> From: Michal Hajas
>
> Sent: Monday, May 6, 2019 12:09 PM
> To: Ali Ahmadzadeh Asl
>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot
>
> Hi Ali,
>
> it looks like you have wrongly configured the Spring Boot Keycloak adapter.
> Make sure you configured everything which is shown here (especially the part with security constraints): https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter
>
> Michal
>
>
>
> On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl wrote:
> Hi
> First of all, excuse me for poor English.
>
> I am trying to use Keycloak in Spring Boot 2. I read many articles about this matter, such as the following link:
> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html
>
>
> There was an issue that I can't resolve. Resources, policies and permissions defined in the admin panel for the client do not have any effect on my server. For example, I defined a resource for URL pattern /rest/* and a policy for having ROLE_REST, and I also defined a permission mapping this resource and policy.
>
> But after running the server, I can use the rest services without any limitation and authentication.
> Now the question is: how can I manage Spring Boot application security and permissions from the Keycloak admin panel?
>
> Thank you

From gary at apnic.net Wed May 8 20:11:06 2019
From: gary at apnic.net (Gary Kennedy)
Date: Thu, 9 May 2019 00:11:06 +0000
Subject: [keycloak-user] Service account token mappers?
In-Reply-To: <1557349263.3565.4.camel@carretti.pro>
References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net> <1556836691.3581.8.camel@carretti.pro> <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net> <91F81618-4CEF-472E-988D-43EAAB5F0777@apnic.net> <1557349263.3565.4.camel@carretti.pro>
Message-ID:

Ugh, someone had turned off the "Full Scope Allowed" setting in the client registration scope mappings. (Not me, I swear)
This is the second time I've been bitten by this and I feel dumb about wasting everyone's time because of it.

Because the TokenManager uses the intersection of actual user roles with the client "scope mappings", with the scope mappings "Full Scope Allowed" being off and no matching assigned roles the final role set for the "resource_access" claim was empty - hence no "resource_access" claim.

At least I have a better understanding of the Keycloak internals and another pain point to prompt me to check client scope mappings more often.

Thank you Dmitry :)

> On 9 May 2019, at 7:01 am, Dmitry Telegin wrote:
>
> Hi Gary,
>
> I'm still convinced this could be done much simpler. Just performed a quick test:
> - created a realm;
> - created an OIDC client of type "confidential";
> - enabled service account;
> - went to Service Account Roles and assigned realm-management.manage-realm role;
>
> Then ran a script:
>
> #!/bin/sh
>
> KEYCLOAK_URL=http://localhost:8080/auth
> KEYCLOAK_REALM=test-realm
> KEYCLOAK_CLIENT=test-client
> KEYCLOAK_CLIENT_SECRET=...
>
> ACCESS_TOKEN=$(curl -s $KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
>    --basic --user $KEYCLOAK_CLIENT:$KEYCLOAK_CLIENT_SECRET \
>    -d grant_type=client_credentials \
>    | jq -r '.access_token')
>
> echo $ACCESS_TOKEN | sed 's/\(.*\)\.\(.*\)\.\(.*\)/\2/' | base64 -d | jq
>
> I've been able to see the following inside the token:
>
>  "realm_access": {
>    "roles": [
>      "offline_access",
>      "uma_authorization"
>    ]
>  },
>  "resource_access": {
>    "realm-management": {
>      "roles": [
>        "manage-realm" // <- this
>      ]
>    },
>    "account": {
>      "roles": [
>        "manage-account",
>        "manage-account-links",
>        "view-profile"
>      ]
>    }
>  },
>
> (How it works: by default, built-in client scopes are assigned to the clients (see Client Scopes tab -> Assigned Default Client Scopes).
> One of them, namely "roles", invokes the "client roles" mapper, which in its turn resolves the roles and puts them into a token.)
>
> Could you please try to reproduce the same on your instance? Hope that helps,
>
> Dmitry Telegin
> Opensource IAM consultant
> https://www.linkedin.com/in/d-telegin
>
> On Tue, 2019-05-07 at 03:40 +0000, Gary Kennedy wrote:
>> I think I've found an acceptable solution, can I get some feedback please? I don't want to risk any loopholes or lessened security here.
>>
>> Originally I was thinking that I needed to add the "resource_access" claim to the token (with "realm-management" roles), because the admin API was using the "KeycloakIdentity" class in "MgmtPermissions.hasOneAdminRole" calls. However, now I've gone with changing the "azp" (issued-for) claim instead, so that "MgmtPermissions.initIdentity" uses the "UserModelIdentity" class instead. FYI - I've arbitrarily chosen to use the "admin-cli" client id for the "azp" claim, but "security-admin-console" would work just as well.
>>
>> This is all accomplished with a single client specific script mapper with no "Token Claim Name", no "Claim JSON Type", and set to only "Add to access token" (ie, ID token and user info flags are OFF).
>>
>> The script:
>>
>> ```
>> // todo: can we make the service account detection a bit more robust? ie, sub claim??
>> // note: could also check client session notes for form data scope so we don't always set the issued-for
>> var tokenName = null;
>> if (token !== null && token.getOtherClaims() !== null) {
>>     tokenName = token.getOtherClaims().get('preferred_username');
>> }
>> if (tokenName == 'service-account-test-client') {
>>     // admin-cli is to get the admin api to use the usermodel instead of the token for roles
>>     // you could also use the security-admin-console client id
>>     // see MgmtPermissions.initIdentity
>>     token.issuedFor('admin-cli');
>> }
>> ```
>>
>> Digging through the code I cannot find any other means of setting the issued-for of the token during the client credentials grant, but am I missing something? Is there another way we can set the issued-for at token request time?
>>
>> Cheers,
>> Gary
>>
>>> On 7 May 2019, at 9:38 am, Gary Kennedy wrote:
>>>
>>>> On 3 May 2019, at 8:38 am, Dmitry Telegin wrote:
>>>>
>>>> Hi Gary,
>>>>
>>>> To ensure proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you?
>>>
>>> Unfortunately no.
>>>
>>> The roles are set, however they are not presented in the token, eg no "resource_access" claim.
>>>
>>> And because of the missing "resource_access" claim, using the token with the admin API results in 403 forbidden.
>>>
>>>> If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for "preferred_username" claim, its value will look like "service-account-".
>>>
>>> Thanks.
>>> I previously explicitly tried the built-in "client roles" mapper for the client as well as creating a "user client role" mapper manually (not at the same time) and they were not adding the claim to the token so I assumed wrongly that the client mappers were not being used for the service account token.
>>>
>>> Using a script mapper (and a hardcoded claim mapper) works in that the service account token has the configured claims from those mappers. It seems like the "user client roles" mapper type is being filtered from the applied protocol mappers here.
>>>
>>> The mapper is applied to user tokens as well (of course) but at least using a script mapper will allow me to hack in the "resource_access" claim as I want. I'd like to do the right thing and have the script mapper use actual roles but I may have to fall back to hardcoding the claim value, we'll see how much effort is needed and that I'm allowed to put in :p.
>>>
>>>> Cheers,
>>>> Dmitry
>>>>
>>>> On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote:
>>>>> I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
>>>>>
>>>>> I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
>>>>>
>>>>> How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
>>>>>
>>>>> If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
>>>>>
>>>>> (Keycloak 4.8.2)
>>>>>
>>>>> Cheers,
>>>>> Gary

From gary at apnic.net Wed May 8 20:11:27 2019
From: gary at apnic.net (Gary Kennedy)
Date: Thu, 9 May 2019 00:11:27 +0000
Subject: [keycloak-user] How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'
In-Reply-To: <6B0DD813-7CC3-41A8-93AB-A8DC50ED7F8D@apnic.net>
References: <6B0DD813-7CC3-41A8-93AB-A8DC50ED7F8D@apnic.net>
Message-ID: <5039C415-BB98-4C17-9E12-E2DF3C3B526D@apnic.net>

Addendum: The "resource_access" token claim can be set with the builtin "client roles" mapper by assigning the needed roles to the service or user accounts AND having in the issuing client registration's scope mappings EITHER "Full Scope Allowed" turned on OR the assigned roles matching the needed roles.
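Gary's addendum above describes how the claim is derived (the account's assigned roles intersected with the issuing client's scope mappings, an empty result producing no "resource_access" claim at all), and Dmitry's earlier shell one-liner decodes the token payload to check it. The Python below is an added example, not Keycloak's code nor anyone's from this thread, modelling both; it assumes a "client-id/role" naming convention, ignores composite-role expansion and the scope mappings of assigned client scopes, and uses a constructed, unsigned sample token.

```python
"""Added example (not Keycloak's code): a simplified model of how Keycloak
derives the realm_access / resource_access claims from an account's roles and
the issuing client's scope mappings, plus a base64url-safe JWT payload decoder.

Assumptions (ours): client roles are written "client-id/role-name", realm roles
as a bare "role-name"; composite-role expansion and the scope mappings of
assigned client scopes are ignored.
"""
import base64
import json


def resolve_token_roles(account_roles, full_scope_allowed, scope_mappings,
                        client_own_roles=()):
    """Intersect the account's assigned roles with what the client may see.

    "Full Scope Allowed" on: every assigned role survives. Off: only roles in
    the client's scope mappings (or the client's own roles) survive, so an
    unmapped realm-management role silently drops out of the token.
    """
    assigned = set(account_roles)
    if full_scope_allowed:
        return assigned
    return assigned & (set(scope_mappings) | set(client_own_roles))


def build_role_claims(roles):
    """Group resolved roles into realm_access and resource_access claims.

    An empty role set yields no claim rather than an empty one, which is the
    symptom from the thread: the resource_access key is simply missing.
    """
    claims = {}
    realm_roles = sorted(r for r in roles if "/" not in r)
    if realm_roles:
        claims["realm_access"] = {"roles": realm_roles}
    per_client = {}
    for r in roles:
        if "/" in r:
            client_id, role = r.split("/", 1)
            per_client.setdefault(client_id, []).append(role)
    if per_client:
        claims["resource_access"] = {
            c: {"roles": sorted(v)} for c, v in sorted(per_client.items())
        }
    return claims


def decode_jwt_payload(token):
    """Return the decoded payload (middle segment) of a compact JWT.

    JWT segments use the base64url alphabet without padding, which a plain
    `base64 -d` may reject; this restores padding and decodes URL-safe.
    The signature is NOT verified: inspection only, never authorization.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected 3 dot-separated segments")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_admin_roles(payload, needed, client_id="realm-management"):
    """List the client roles a decoded token lacks for an admin REST call."""
    present = payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return sorted(set(needed) - set(present))


def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned sample token (not a real Keycloak token): it carries a
# realm_access claim but no resource_access claim, the situation in the thread.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "azp": "test-client",
        "preferred_username": "service-account-test-client",
        "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    }),
    "placeholder-signature",
])

if __name__ == "__main__":
    assigned = {"offline_access", "uma_authorization",
                "realm-management/manage-realm"}
    # Full Scope Allowed off and no scope mappings: no claims at all.
    print(build_role_claims(resolve_token_roles(assigned, False, [])))
    # Full Scope Allowed on: the assigned realm-management role is emitted.
    print(build_role_claims(resolve_token_roles(assigned, True, [])))
    payload = decode_jwt_payload(SAMPLE_TOKEN)
    print("missing:", missing_admin_roles(payload, ["manage-realm"]))
```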
> On 7 May 2019, at 2:02 pm, Gary Kennedy wrote:
>
> I'm pretty sure this is similar to the problem I'm having, and I'm also pretty sure that you need to either:
>
> - add the assigned roles needed for the admin API call (eg, as Sebastien wrote) to the service or user account;
>   AND ensure the token is issued for the admin clients (either "admin-cli" or "security-admin-console" by default)
>   (ie, the "azp" claim is either "admin-cli" or "security-admin-console")
>
> OR
>
> - if the token is NOT issued for the admin clients, the token needs a "resource_access" claim which is a map containing the "realm-management" key with a map value having a "roles" key which is an array of role name strings. eg:
>   "resource_access": {
>     "realm-management": {
>       "roles": [ "manage-users" ]
>     }
>   }
>
> Cheers,
> Gary
>
>> On 7 May 2019, at 2:54 am, Sebastien Blanc wrote:
>>
>> Give your user the "manage-users" role, you can do that from the role
>> Mappings tab in the user screen and select in "client roles" =>
>> "realm-management" and there you should see the role "manage-users" and
>> assign it.
>>
>>
>>
>> On Mon, May 6, 2019 at 5:45 PM Christophe Lehingue wrote:
>>
>>> Hello, how to configure a client so that the user can use the user removal
>>> API?
>>>
>>> [DELETE]:
>>> https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sdssdsqdqsdqsdsq
>>>
>>> Whenever I try to call this request REST => I get the following error
>>> message: "resulted in a 401/403 Unauthorized`"
>>>
>>> Can you help me?
>>>
>>> Thank you

From demetrio at carretti.pro Wed May 8 21:47:40 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Thu, 09 May 2019 04:47:40 +0300
Subject: [keycloak-user] Service account token mappers?
In-Reply-To:
References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net> <1556836691.3581.8.camel@carretti.pro> <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net> <91F81618-4CEF-472E-988D-43EAAB5F0777@apnic.net> <1557349263.3565.4.camel@carretti.pro>
Message-ID: <1557366460.3565.15.camel@carretti.pro>

Gary, you're welcome! At least you now know how to do scripting in Keycloak, which is beyond any doubt a valuable asset :)

Fun fact: did you know that in the context of Keycloak the term "scope" is used in at least seven (!) different meanings? :)

Dmitry

On Thu, 2019-05-09 at 00:11 +0000, Gary Kennedy wrote:
> Ugh, someone had turned off the "Full Scope Allowed" setting in the client registration scope mappings. (Not me, I swear)
> This is the second time I've been bitten by this and I feel dumb about wasting everyone's time because of it.
> > Because the TokenManager uses the intersection of actual user roles with the client "scope mappings", with the scope mappings "Full Scope Allowed" being off and no matching assigned roles the final role set for the "resource_access" claim was empty - hence no "resource_access" claim. > > At least I have a better understanding of the Keycloak internals and another pain point to prompt me to check client scope mappings more often. > > Thank you Dmitry :) > > > > > On 9 May 2019, at 7:01 am, Dmitry Telegin wrote: > > > > Hi Gary, > > > > I'm still convinced this could be done much simpler. Just performed a quick test: > > - created a realm; > > - created an OIDC client of type "confidential"; > > - enabled service account; > > - went to Service Account Roles and assigned realm-management.manage-realm role; > > > > Then ran a script: > > > > #!/bin/sh > > > > KEYCLOAK_URL=http://localhost:8080/auth > > KEYCLOAK_REALM=test-realm > > KEYCLOAK_CLIENT=test-client > > KEYCLOAK_CLIENT_SECRET=... > > > > ACCESS_TOKEN=$(curl -s $KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \ > > ???--basic --user $KEYCLOAK_CLIENT:$KEYCLOAK_CLIENT_SECRET \ > > ???-d grant_type=client_credentials \ > > ???| jq -r '.access_token') > > > > echo $ACCESS_TOKEN | sed 's/\(.*\)\.\(.*\)\.\(.*\)/\2/' | base64 -d | jq > > > > I've been able to see the following inside the token: > > > > ?"realm_access": { > > ???"roles": [ > > ?????"offline_access", > > ?????"uma_authorization" > > ???] > > ?}, > > ?"resource_access": { > > ???"realm-management": { > > ?????"roles": [ > > ???????"manage-realm" // <- this > > ?????] > > ???}, > > ???"account": { > > ?????"roles": [ > > ???????"manage-account", > > ???????"manage-account-links", > > ???????"view-profile" > > ?????] > > ???} > > ?}, > > > > (How it works: by default, built-in client scopes are assigned to the clients (see Client Scopes tab -> Assigned Default Client Scopes). 
> > One of them, namely "roles", invokes the "client roles" mapper, which in its turn resolves the roles and puts them into a token.) > > > > Could you please try to reproduce the same on your instance? Hope that helps, > > > > Dmitry Telegin > > Opensource IAM consultant > > https://www.linkedin.com/in/d-telegin > > > > On Tue, 2019-05-07 at 03:40 +0000, Gary Kennedy wrote: > > > I think I've found an acceptable solution, can I get some feedback please? I don't want to risk any loopholes or lessened security here. > > > > > > Originally I was thinking that I needed to add the "resource_access" claim to the token (with "realm-management" roles), because the admin API was using the "KeycloakIdentity" class in "MgmtPermissions.hasOneAdminRole" calls. However, now I've gone with changing the "azp" (issued-for) claim instead, so that "MgmtPermissions.initIdentity" uses the "UserModelIdentity" class instead. FYI - I've arbitrarily chosen to use the "admin-cli" client id for the "azp" claim, but "security-admin-console" would work just as well. > > > > > > This is all accomplished with a single client specific script mapper with no "Token Claim Name", no "Claim JSON Type", and set to only "Add to access token" (ie, ID token and user info flags are OFF). > > > > > > The script: > > > > > > ``` > > > // todo: can we make the service account detection a bit more robust? ie, sub claim?? 
> > > // note: could also check client session notes for form data scope so we don't always set the issued-for > > > var tokenName = null; > > > if (token !== null && token.getOtherClaims() !== null) { > > > tokenName = token.getOtherClaims().get('preferred_username'); > > > } > > > if (tokenName == 'service-account-test-client') { > > > // admin-cli is to get the admin api to use the usermodel instead of the token for roles > > > // you could also use the security-admin-console client id > > > // see MgmtPermissions.initIdentity > > > token.issuedFor('admin-cli'); > > > } > > > ``` > > > > > > Digging through the code I cannot find any other means of setting the issued-for of the token during the client credentials grant, but am I missing something? Is there another way we can set the issued-for at token request time? > > > > > > Cheers, > > > Gary > > > > > > > > > > > > > > > On 7 May 2019, at 9:38 am, Gary Kennedy wrote: > > > > > > > > On 3 May 2019, at 8:38 am, Dmitry Telegin wrote: > > > > > > > > > > Hi Gary, > > > > > > > > > > To ensure proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you? > > > > > > > > Unfortunately no. > > > > > > > > The roles are set, however they are not presented in the token, eg no "resource_access" claim. > > > > > > > > And because of the missing "resource_access" claim, using the token with the admin API results in 403 forbidden. > > > > > > > > > If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for "preferred_username" claim, its value will look like "service-account-". > > > > > > > > Thanks.
I previously explicitly tried the built-in "client roles" mapper for the client as well as creating a "user client role" mapper manually (not at the same time) and they were not adding the claim to the token so I assumed wrongly that the client mappers were not being used for the service account token. > > > > > > > > Using a script mapper (and a hardcoded claim mapper) works in that the service account token has the configured claims from those mappers. It seems like the "user client roles" mapper type is being filtered from the applied protocol mappers here. > > > > > > > > The mapper is applied to user tokens as well (of course) but at least using a script mapper will allow me to hack in the "resource_access" claim as I want. I'd like to do the right thing and have the script mapper use actual roles but I may have to fall back to hardcoding the claim value, we'll see how much effort is needed and that I'm allowed to put in :p. > > > > > > > > > Cheers, > > > > > Dmitry > > > > > > > > > > On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote: > > > > > > I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles). > > > > > > > > > > > > I don't want user tokens generated through the client to have the claim (unless absolutely necessary). > > > > > > > > > > > > How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens? > > > > > > > > > > > > If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
> > > > > > > > > > > > (Keycloak 4.8.2) > > > > > > > > > > > > Cheers, > > > > > > Gary > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From kapilkumarjoshi001 at gmail.com Thu May 9 02:30:47 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Thu, 9 May 2019 12:00:47 +0530 Subject: [keycloak-user] Password expiry policy not working for federated user In-Reply-To: References: Message-ID: Hi All Gentle reminder, if any answers, clues or hints are available, will be very helpful. Please let us know. Thanks & Regards Kapil On Thu, Apr 18, 2019 at 2:45 PM kapil joshi wrote: > Hi All, > > Gentle reminder, on the last few questions asked, can someone from > keycloak team answer or guide us with few hints, so that we can proceed, we > are kind of blocked. > Also, can someone point me the table where i can find last password change > time in keycloak. We have integrated keycloak with postgres. > > Thanks & regards > Kapil > > On Wed, Apr 17, 2019 at 4:43 PM kapil joshi > wrote: > >> As i understand, there is no support for OpenLDAP, can we still create >> custom mappers and map attributes like pwdLastSet to pwdChangedTime >> >> such that few password policies like password expiry time works. ? >> >> Thanks & Regards >> Kapil >> >> On Wed, Apr 17, 2019 at 2:38 PM kapil joshi >> wrote: >> >>> Hi All, >>> >>> We are using OpenLDAP. >>> >>> I found out that there is ldap mapper precisely >>> user-account-control-mapper, by adding this LDAP password policy will be >>> respected. >>> on doing this we are getting update password UI, on login. 
But while >>> updating the password we are getting below error: >>> >>> On update the password: >>> >>> On UI: Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br] >>> >>> On ldap.log we can see below error coming up: >>> >>> conn=1159 op=1 do_modify: get_ctrls failed >>> >>> >>> Please suggest what we are missing or can correct in our configuration. >>> >>> >>> Thanks & Regards >>> >>> Kapil >>> >>> >>> >>> >>> On Thu, Apr 11, 2019 at 7:32 PM kapil joshi < >>> kapilkumarjoshi001 at gmail.com> wrote: >>> >>>> Hi All, >>>> >>>> Password expiry policy not working for federated user. We can see that >>>> the password has expired for LDAP user, which was set to 90 days, but user >>>> can still login to UI via keycloak authentication. >>>> >>>> Kindly point out what we are missing. >>>> >>>> Please note we have enabled the switch to sync password policy with >>>> federated user. >>>> >>>> Thanks & regards >>>> >>>> Kapil >>>> >>> From Gregor.Tudan at cofinpro.de Thu May 9 03:23:28 2019 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Thu, 9 May 2019 07:23:28 +0000 Subject: [keycloak-user] Migrations taking very long Message-ID: <7A3EE609-4221-4529-A6EC-BFBE95A8B16B@cofinpro.de> Hi, We run Keycloak with a lot of realms (~400). The last update from 4.4 to 4.8 took around 3h on our test environments, and most of this was due to the migrations for client scopes. https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo4_6_0.java Such long downtimes are a problem to us, and make it hard for us to convince everyone to do those upgrades regularly. Does someone know a way to shorten them, i.e. by running those migrations after the server started? The manual migration strategy for JPA looked promising (https://www.keycloak.org/docs/latest/server_installation/index.html#database-configuration), but doesn't apply to the Java migrations.
Thanks, Gregor From dmarsh26 at outlook.com Thu May 9 03:45:17 2019 From: dmarsh26 at outlook.com (David Marsh) Date: Thu, 9 May 2019 07:45:17 +0000 Subject: [keycloak-user] Keycloak fine grained permissions with Spring Boot / Spring Security In-Reply-To: References: , Message-ID: I would like to use permissions or scopes or similar to allow fine grained access to REST resource. Ideally I would like to do something like: @PreAuthorize("hasPermission('Brands', 'brands:write')") ResponseEntity getBrand(@PathVariable("brandCode") String brandCode); where 'Brands' is a keycloak client authorization resource with scopes 'brands:write, brands:read'. The only annotation that seems to work is @Secured with a role, I do not wish to do RBAC. @Secured({"ROLE_STAFF"}) I have looked at the PolicyEnforcer, it is unclear to me exactly how it is supposed to be used. I can write code of the form: KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext(); if (authzContext.hasScopePermission("brands:write")) { // This works.... } How can I tie the AuthorizationContext from PolicyEnforcing to the standard Spring security annotations ? thanks David From tdudgeon.ml at gmail.com Thu May 9 05:44:14 2019 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Thu, 9 May 2019 10:44:14 +0100 Subject: [keycloak-user] obtaining token when using identify broker In-Reply-To: <73b2905b36d547b190ff848ac93bbb5d@SL1ACSEXCMB01.acsresource.com> References: <01d293d2-d9a3-6c4c-6570-0dd7024e4cb0@gmail.com> <73b2905b36d547b190ff848ac93bbb5d@SL1ACSEXCMB01.acsresource.com> Message-ID: <2a15fc29-4995-8009-d3a0-42cec166281d@gmail.com> Yes, that would work, but I'm wanting users to do this as a 'public' client and not have to distribute a client secret to all users.
Tim On 08/05/2019 10:44, Tony Harris wrote: > One way would be change your client to confidential and login with the client id and secret. > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Tim Dudgeon > Sent: 08 May 2019 10:09 > To: keycloak-user > Subject: [keycloak-user] obtaining token when using identify broker > > Apologies again if this was already answered, but my subscription to the ML keeps getting cut and there is no archive to check! > > How can I obtain a token in the following scenario: > > 1. My keycloak realm is set up to manage users with identity brokering (e.g. in a browser they would login through GitHub, Google etc.) 2. I have a public client in that realm that has REST API that requires access to be authenticated 3. I want to access that API using curl or other CLI tool so need to provide an access token. > > How can I get a token? > > Thanks > Tim > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ________________________________ > > Please consider the environment: Think before you print! > > > This message has been scanned for malware by Websense. www.websense.com From Tony.Harris at oneadvanced.com Thu May 9 06:45:42 2019 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Thu, 9 May 2019 10:45:42 +0000 Subject: [keycloak-user] obtaining token when using identify broker In-Reply-To: <2a15fc29-4995-8009-d3a0-42cec166281d@gmail.com> References: <01d293d2-d9a3-6c4c-6570-0dd7024e4cb0@gmail.com> <73b2905b36d547b190ff848ac93bbb5d@SL1ACSEXCMB01.acsresource.com> <2a15fc29-4995-8009-d3a0-42cec166281d@gmail.com> Message-ID: <597e6c04d28845079f55583f0d1e3479@SL1ACSEXCMB01.acsresource.com> Take a look at the last answer on https://stackoverflow.com/questions/49322417/obtain-id-token-with-keycloak, it may help. Never tried it. 
-----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Tim Dudgeon Sent: 09 May 2019 10:44 To: keycloak-user Subject: Re: [keycloak-user] obtaining token when using identify broker Yes, that would work, but I'm wanting users to do this as a 'public' client and not have to distribute a client secret to all users. Tim On 08/05/2019 10:44, Tony Harris wrote: > One way would be change your client to confidential and login with the client id and secret. > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Tim Dudgeon > Sent: 08 May 2019 10:09 > To: keycloak-user > Subject: [keycloak-user] obtaining token when using identify broker > > Apologies again if this was already answered, but my subscription to the ML keeps getting cut and there is no archive to check! > > How can I obtain a token in the following scenario: > > 1. My keycloak realm is set up to manage users with identity brokering (e.g. in a browser they would login through GitHub, Google etc.) 2. I have a public client in that realm that has REST API that requires access to be authenticated 3. I want to access that API using curl or other CLI tool so need to provide an access token. > > How can I get a token? > > Thanks > Tim > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ________________________________ > > Please consider the environment: Think before you print! > > > This message has been scanned for malware by Websense. 
www.websense.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From dmarsh26 at outlook.com Thu May 9 07:03:26 2019 From: dmarsh26 at outlook.com (David Marsh) Date: Thu, 9 May 2019 11:03:26 +0000 Subject: [keycloak-user] Keycloak fine grained permissions with Spring Boot / Spring Security In-Reply-To: References: , , Message-ID: Seems this is what I needed:

```java
import java.io.Serializable;

import javax.servlet.http.HttpServletRequest;

import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Backs hasPermission(target, permission) in @PreAuthorize, e.g.
// @PreAuthorize("hasPermission('Brands', 'brands:write')") checks scope brands:write
// on resource Brands; a null target checks the scope on its own.
// Register it on the MethodSecurityExpressionHandler so @PreAuthorize picks it up.
@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {

    @Autowired
    private HttpServletRequest request;

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (auth == null || !(permission instanceof String)) {
            return false;
        }
        // The Keycloak adapter stores its security context as a request attribute;
        // it is absent when the adapter did not authenticate this request.
        KeycloakSecurityContext keycloakSecurityContext =
                (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        if (keycloakSecurityContext == null) {
            return false;
        }
        // Only populated when the policy enforcer ran for this request.
        AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
        if (authzContext == null) {
            return false;
        }
        if (targetDomainObject instanceof String) {
            // resource name + scope, e.g. ('Brands', 'brands:write')
            return authzContext.hasPermission((String) targetDomainObject, (String) permission);
        } else if (targetDomainObject == null) {
            // scope only, e.g. (null, 'brands:write')
            return authzContext.hasScopePermission((String) permission);
        }
        return false;
    }

    // Required by the PermissionEvaluator interface; the id/type form is not used here.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}
```

________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of David Marsh Sent: 09 May 2019 08:45 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Keycloak fine grained permissions with Spring Boot / Spring Security I would like to use permissions or scopes or similar to allow fine grained access to REST resource. Ideally I would like to do something like: @PreAuthorize("hasPermission('Brands', 'brands:write')") ResponseEntity getBrand(@PathVariable("brandCode") String brandCode); where 'Brands' is a keycloak client authorization resource with scopes 'brands:write, brands:read'.
The only annotation that seems to work is @Secured with a role, I do not wish to do RBAC. @Secured({"ROLE_STAFF"}) I have looked at the PolicyEnforcer, it is unclear to me exactly how it is supposed to be used. I can write code of the form: KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext(); if (authzContext.hasScopePermission("brands:write")) { // This works.... } How can I tie the AuthorizationContext from PolicyEnforcing to the standard Spring security annotations ? thanks David _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From pjulien at saba.com Thu May 9 08:18:44 2019 From: pjulien at saba.com (Philippe Julien) Date: Thu, 9 May 2019 12:18:44 +0000 Subject: [keycloak-user] Adding a custom user storage provider to a realm with the admin client Message-ID: Hi everyone, Is there a way to add a user storage provider to an existing realm with the admin client (rest api) ? I've looked at the code and user storage providers are ignored on realm update. On realm creation, only LDAP and Kerberos user storage providers are taken into account. What would be the best way to programmatically add a custom user storage provider to a new or existing realm? Thanks, Philippe From psilva at redhat.com Thu May 9 09:31:41 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 9 May 2019 10:31:41 -0300 Subject: [keycloak-user] Keycloak fine grained permissions with Spring Boot / Spring Security In-Reply-To: References: Message-ID: Hi, As you noticed we don't have this capability yet. If you create some interceptor which is bound to some annotation you should be able to perform the policy enforcement. I like the idea and if you want to open an RFE, please do it.
If you end up doing something feel free to contribute. Regards. Pedro Igor. On Thu, May 9, 2019 at 4:47 AM David Marsh wrote: > I would like to use permissions or scopes or similar to allow fine grained > access to REST resource. > > Ideally I would like to do something like: > > > @PreAuthorize("hasPermission('Brands', 'brands:write')") > > ResponseEntity getBrand(@PathVariable("brandCode") String > brandCode); > > where 'Brands' is a keycloak client authorization resource with scopes > 'brands:write, brands:read'. > > The only annotation that seems to work is @Secured with a role, I do not > wish to do RBAC. > > @Secured({"ROLE_STAFF"}) > > I have looked at the PolicyEnforcer, it is unclear to me exactly how it is > supposed to be used. > > I can write code of the form: > > > KeycloakSecurityContext keycloakSecurityContext = > (KeycloakSecurityContext) > request.getAttribute(KeycloakSecurityContext.class.getName()); > AuthorizationContext authzContext = > keycloakSecurityContext.getAuthorizationContext(); > if (authzContext.hasScopePermission("brands:write")) { > > // This works.... > } > > How can I tie the AuthorizationContext from PolicyEnforcing to the > standard Spring security annotations ? > > thanks > David > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From cecile.saintmartin at gmail.com Thu May 9 10:11:19 2019 From: cecile.saintmartin at gmail.com (Cécile Radix Saint-Martin) Date: Thu, 9 May 2019 16:11:19 +0200 Subject: [keycloak-user] Configure Keycloak to be able to delegate authentication to other application Message-ID: Hi, We wish to use Keycloak as our IDP for our application (frontend + REST micro services). We want to give users the possibility to authenticate using their credentials of another application (login + password).
At the same time, our application needs to call this other application's APIs and for this, needs the custom token returned by the application during authentication (this application is not OIDC compliant). First I wanted to implement a custom identity provider for Keycloak, as it enables storing the token of an external IDP. But there is very little documentation about that and the only examples I found are for OIDC providers. So finally I decided to implement a custom authenticator (org.keycloak.authentication.Authenticator). I want to be sure that with a custom authenticator, I will be able to: - Store custom tokens of the other application, provide them to a client API and refresh them if expired - Create the user in Keycloak if it does not exist (if authentication with the other application succeeds) Can anyone confirm? *Cécile RADIX SAINT-MARTIN* *mailto:cecile.saintmartin at gmail.com * From jeet at glabbr.com Thu May 9 10:41:18 2019 From: jeet at glabbr.com (jeet parmar) Date: Thu, 09 May 2019 20:11:18 +0530 Subject: [keycloak-user] Cannot verify ES256 JWT token Message-ID: <16a9d0a978b.121036c1b38099.3470847634710565580@glabbr.com> Hello All, I was using RS256 algo till now and had no problems in verifying them until I upgraded to 6.0.1 as I wanted to use ES256. After upgrading to 6.0.1 and changing default token algo to ES256 I am no longer able to validate the token signature. Steps to reproduce: Create a realm. Add ecdsa-generated key provider with P-256. Set default token algo ES256. Generate a JWT token using the login procedure. Go to https://jwt.io/ and select algo ES256. Paste the token. Paste the public key which you get from the Keys tab for the ECDSA key. It fails with invalid signature. The same workflow with RSA256 works perfectly fine. Please help on this.
Thanks, Jeet Glabbr https://glabbr.me/jeety From ryans at jlab.org Thu May 9 13:48:16 2019 From: ryans at jlab.org (Ryan Slominski) Date: Thu, 9 May 2019 17:48:16 +0000 Subject: [keycloak-user] LDAP User Storage Provider web interface Message-ID: On the admin web interface what do the buttons at the bottom of the LDAP User Storage Provider settings page do? Specifically the buttons: Synchronize changed users Synchronize all users Remove imported Unlink users I don't want Keycloak caching much / anything so I've configured Cache Policy NO_CACHE, Edit Mode READ_ONLY, and Import Users OFF. It seems like these buttons should not be shown with this configuration as it isn't clear they do anything. I'm especially mystified by Unlink users button since I can't find any reference on what the heck that does. From gary at apnic.net Thu May 9 23:21:41 2019 From: gary at apnic.net (Gary Kennedy) Date: Fri, 10 May 2019 03:21:41 +0000 Subject: [keycloak-user] Service account token mappers? In-Reply-To: <1557366460.3565.15.camel@carretti.pro> References: <9F1B6422-2089-4DFF-93ED-AC9583635B0B@apnic.net> <1556836691.3581.8.camel@carretti.pro> <0D50A546-20FC-4B03-9A59-E610A0627555@apnic.net> <91F81618-4CEF-472E-988D-43EAAB5F0777@apnic.net> <1557349263.3565.4.camel@carretti.pro> <1557366460.3565.15.camel@carretti.pro> Message-ID: Ha! I was only aware of 2 (or 3?) of them :) > On 9 May 2019, at 11:47 am, Dmitry Telegin wrote: > > Gary, you're welcome! > > At least you now know how to do scripting in Keycloak, which is beyond any doubt a valuable asset :) > > Fun fact: did you know that in the context of Keycloak the term "scope" is used in at least seven (!) different meanings? :) > > Dmitry > > On Thu, 2019-05-09 at 00:11 +0000, Gary Kennedy wrote: >> Ugh, someone had turned off the "Full Scope Allowed" setting in the client registration scope mappings. (Not me, I swear) >> This is the second time I've been bitten by this and I feel dumb about wasting everyone's time because of it. 
>> >> Because the TokenManager uses the intersection of actual user roles with the client "scope mappings", with the scope mappings "Full Scope Allowed" being off and no matching assigned roles the final role set for the "resource_access" claim was empty - hence no "resource_access" claim. >> >> At least I have a better understanding of the Keycloak internals and another pain point to prompt me to check client scope mappings more often. >> >> Thank you Dmitry :) >> >>>>> On 9 May 2019, at 7:01 am, Dmitry Telegin wrote: >>> >>> Hi Gary, >>> >>> I'm still convinced this could be done much simpler. Just performed a quick test: >>> - created a realm; >>> - created an OIDC client of type "confidential"; >>> - enabled service account; >>> - went to Service Account Roles and assigned realm-management.manage-realm role; >>> >>> Then ran a script: >>> >>> #!/bin/sh >>> >>> KEYCLOAK_URL=http://localhost:8080/auth >>> KEYCLOAK_REALM=test-realm >>> KEYCLOAK_CLIENT=test-client >>> KEYCLOAK_CLIENT_SECRET=... >>> >>> ACCESS_TOKEN=$(curl -s $KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \ >>> --basic --user $KEYCLOAK_CLIENT:$KEYCLOAK_CLIENT_SECRET \ >>> -d grant_type=client_credentials \ >>> | jq -r '.access_token') >>> >>> echo $ACCESS_TOKEN | sed 's/\(.*\)\.\(.*\)\.\(.*\)/\2/' | base64 -d | jq >>> >>> I've been able to see the following inside the token: >>> >>> "realm_access": { >>> "roles": [ >>> "offline_access", >>> "uma_authorization" >>> ] >>> }, >>> "resource_access": { >>> "realm-management": { >>> "roles": [ >>> "manage-realm" // <- this >>> ] >>> }, >>> "account": { >>> "roles": [ >>> "manage-account", >>> "manage-account-links", >>> "view-profile" >>> ] >>> } >>> }, >>> >>> (How it works: by default, built-in client scopes are assigned to the clients (see Client Scopes tab -> Assigned Default Client Scopes). >>> One of them, namely "roles", invokes the "client roles" mapper, which in its turn resolves the roles and puts them into a token.) 
>>> >>> Could you please try to reproduce the same on your instance? Hope that helps, >>> >>> Dmitry Telegin >>> Opensource IAM consultant >>> https://www.linkedin.com/in/d-telegin >>> >>> On Tue, 2019-05-07 at 03:40 +0000, Gary Kennedy wrote: >>>> I think I've found an acceptable solution, can I get some feedback please? I don't want to risk any loopholes or lessened security here. >>>> >>>> Originally I was thinking that I needed to add the "resource_access" claim to the token (with "realm-management" roles), because the admin API was using the "KeycloakIdentity" class in "MgmtPermissions.hasOneAdminRole" calls. However, now I've gone with changing the "azp" (issued-for) claim instead, so that "MgmtPermissions.initIdentity" uses the "UserModelIdentity" class instead. FYI - I've arbitrarily chosen to use the "admin-cli" client id for the "azp" claim, but "security-admin-console" would work just as well. >>>> >>>> This is all accomplished with a single client specific script mapper with no "Token Claim Name", no "Claim JSON Type", and set to only "Add to access token" (ie, ID token and user info flags are OFF). >>>> >>>> The script: >>>> >>>> ``` >>>> // todo: can we make the service account detection a bit more robust? ie, sub claim?? 
>>>> // note: could also check client session notes for form data scope so we don't always set the issued-for >>>> var tokenName = null; >>>> if (token !== null && token.getOtherClaims() !== null) { >>>> tokenName = token.getOtherClaims().get('preferred_username'); >>>> } >>>> if (tokenName == 'service-account-test-client') { >>>> // admin-cli is to get the admin api to use the usermodel instead of the token for roles >>>> // you could also use the security-admin-console client id >>>> // see MgmtPermissions.initIdentity >>>> token.issuedFor('admin-cli'); >>>> } >>>> ``` >>>> >>>> Digging through the code I cannot find any other means of setting the issued-for of the token during the client credentials grant, but am I missing something? Is there another way we can set the issued-for at token request time? >>>> >>>> Cheers, >>>> Gary >>>> >>>>>>>>>>>>> On 7 May 2019, at 9:38 am, Gary Kennedy wrote: >>>>>>>>> On 3 May 2019, at 8:38 am, Dmitry Telegin wrote: >>>>>> >>>>>> Hi Gary, >>>>>> >>>>>> To ensure proper "resource_access" claim, you can simply assign the necessary roles to your service account (client -> Service Account Roles -> Client Roles -> realm-management). Does that work for you? >>>>> >>>>> Unfortunately no. >>>>> >>>>> The roles are set, however they are not presented in the token, eg no "resource_access" claim. >>>>> >>>>> And because of the missing "resource_access" claim, using the token with the admin API results in 403 forbidden. >>>>> >>>>>> If you still need to use mappers, there are numerous ways to determine if the token was issued for a service account. For example, in your JS mapper you could look for "preferred_username" claim, its value will look like "service-account-". >>>>> >>>>> Thanks. 
I previously explicitly tried the built-in "client roles" mapper for the client as well as creating a "user client role" mapper manually (not at the same time) and they were not adding the claim to the token so I assumed wrongly that the client mappers were not being used for the service account token. >>>>> >>>>> Using a script mapper (and a hardcoded claim mapper) works in that the service account token has the configured claims from those mappers. It seems like the "user client roles" mapper type is being filtered from the applied protocol mappers here. >>>>> >>>>> The mapper is applied to user tokens as well (of course) but at least using a script mapper will allow me to hack in the "resource_access" claim as I want. I'd like to do the right thing and have the script mapper use actual roles but I may have to fall back to hardcoding the claim value, we'll see how much effort is needed and that I'm allowed to put in :p. >>>>> >>>>>> Cheers, >>>>>> Dmitry >>>>>> >>>>>> On Thu, 2019-05-02 at 06:18 +0000, Gary Kennedy wrote: >>>>>>> I want to use a service account token to call the admin API (for it's realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles). >>>>>>> >>>>>>> I don't want user tokens generated through the client to have the claim (unless absolutely necessary). >>>>>>> >>>>>>> How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens? >>>>>>> >>>>>>> If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token. 
>>>>>>> >>>>>>> (Keycloak 4.8.2) >>>>>>> >>>>>>> Cheers, >>>>>>> Gary >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> From uo67113 at gmail.com Fri May 10 03:31:55 2019 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Fri, 10 May 2019 09:31:55 +0200 Subject: [keycloak-user] keycloak 4.8.3 ReadOnlyException on new SAML client with ldap federation In-Reply-To: References: Message-ID: Hello Iain, mmm, it is weird, I have a very similar setup and it works: Operating System Linux 4.15.0-46-generic (Ubuntu 18.04.2 LTS bionic) Java Version 1.8.0_191 Java Vendor Oracle Corporation Server Version 4.8.3.Final In my case I am running the keycloak server directly from the cloned repo using maven: mvn -f keycloak/testsuite/utils/pom.xml exec:java -Pkeycloak-server -Dimport=test-suite/src/test/resources/keycloak-saml/testsaml-with-mappers.json See more info here [2] In this gist [1] you can find the relevant client and ldap saml configuration. Hope it helps, Luis [1] https://gist.github.com/lurodrig/9ed0a7023639a0ebb29f055236ba2d0a [2] https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2018-12-testing-web-applications-sso-keycloak On Tue, 7 May 2019 at 23:12, Iain Steers () wrote: > Hey folks, > > We upgraded to keycloak 4.8.3 fairly recently. We were on version 4.2.1.
> > All existing SAML and OAuth clients work as expected and there are no > issues signing into them. > > However, we just created a new SAML client and don't seem to be able to > successfully complete the auth process. With the vague error message: > "Unexpected error when handling authentication request to identity > provider" > Digging into the logs I found a stacktrace[1]. This occurs on login > attempts with this new client. > Our User Federation backend is a read-only ldap. Some searching of the > jboss jira and web didn't find much related to this. Any help would be > appreciated. > > This is reproducible for us across two separate instances of keycloak > backed by separate ldap backends. > > Thanks, > > Iain > > [1] > May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 DEBUG > [org.keycloak.services.managers.AuthenticationManager] (default task-733) > Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/washington/ > May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 WARN > [org.keycloak.services] (default task-733) KC-SERVICES0013: Failed > authentication: org.keycloak.storage.ReadOnlyException > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.models.utils.ReadOnlyUserModelDelegate.setSingleAttribute(ReadOnlyUserModelDelegate.java:48) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > >
org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.models.cache.infinispan.UserAdapter.setSingleAttribute(UserAdapter.java:137) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.protocol.saml.SamlProtocol.getPersistentNameId(SamlProtocol.java:366) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > org.keycloak.protocol.saml.SamlProtocol.getNameId(SamlProtocol.java:324) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.protocol.saml.SamlProtocol.authenticated(SamlProtocol.java:380) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:790) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:742) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:876) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1008) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:878) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > 
org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > sun.reflect.GeneratedMethodAccessor673.invoke(Unknown Source) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > java.lang.reflect.Method.invoke(Method.java:498) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > May 07 
20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > May 07 20:01:05 keycloak-01 standalone.sh[947]: at > 
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at java.lang.Thread.run(Thread.java:748)

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From m at maltris.org Fri May 10 03:54:27 2019
From: m at maltris.org (Malte Schmidt)
Date: Fri, 10 May 2019 09:54:27 +0200
Subject: [keycloak-user] keycloak-gatekeeper doing compression offloading without the instruction to do so
Message-ID: <2e4416d1-2f87-c908-bc8e-04443935a9c6@maltris.org>

Hello,

I recently discovered strange behaviour of an application which is being protected by gatekeeper when I noticed that the resources from the application are being transmitted uncompressed.
It looks like the "content-encoding: gzip" header goes missing and the response to the client/reverse proxy happens uncompressed after being passed through gatekeeper.

I tried to search the documentation for gatekeeper and this behaviour, but failed to find anything of use.
Ideas on how to pass already compressed data through gatekeeper, or any other opinions?
Normal communication from the client over the reverse proxy to the application server:

Client to reverse proxy

GET /test.js HTTP/1.1
[...]
Accept-Encoding: deflate, gzip

Reverse proxy to application server

GET /test.js HTTP/1.1
[...]
Accept-Encoding: deflate, gzip

Answer from the application server over the reverse proxy to the client

HTTP/1.1 200 OK
[...]
vary: accept-encoding
content-encoding: gzip

keycloak-gatekeeper added to the chain, between the reverse proxy and the upstream:

Gatekeeper to its upstream

GET /test.js HTTP/1.1
[...]
Accept-Encoding: gzip

Upstream to gatekeeper

HTTP/1.1 200 OK
[...]
vary: accept-encoding
content-encoding: gzip

Gatekeeper to client

HTTP/1.1 200 OK
[...]
Vary: accept-encoding

From kyriakos.stefanidis at fokus.fraunhofer.de Fri May 10 07:47:24 2019
From: kyriakos.stefanidis at fokus.fraunhofer.de (Stefanidis, Kyriakos)
Date: Fri, 10 May 2019 11:47:24 +0000
Subject: [keycloak-user] Proper naming for User Based Access Control
Message-ID:

Hello all,

On the topic of Keycloak authorization services, I was wondering if there is a proper, or at least a nicer than mine, naming scheme for the names of the resources, policies and permissions when trying to set up UBAC.
The scenario:

There are N resources of a specific type "box".
Specific users need to have access to specific resources.
The management is done centrally by the realm admin.

A solution:

Create N resources with the name "box##" and the uri scheme "/resources/box/##".
Create N (user based) policies with the name "Only users that access box##".
Create N (resource based) permissions with the name "Allow access to box##".

My comments:

The solution seems a bit verbose and bulky and I couldn't find a more structured naming scheme. If I add S scopes to the concept, then I have S*N policies and permissions with the scope as part of the policy and permission names.

Are there any more structured ways of setting up UBAC in keycloak that I am missing here? At least, are there any better naming schemes that I could use?

Best regards,
Kyriakos Stefanidis

From lrozenblyum at gmail.com Fri May 10 08:03:03 2019
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 10 May 2019 15:03:03 +0300
Subject: [keycloak-user] Keycloak Tomcat adapter and Tomcat SSO
Message-ID:

Hello!

I need to integrate 6 webapps which are running on Tomcat SSO with Keycloak (using the SAML 2.0 protocol, although OpenID Connect is also possible).

Does the keycloak Tomcat adapter support Tomcat SSO (which is implemented in the SingleSignOn Valve)?

The idea is: if I logged in to WebApp1 in Tomcat via Keycloak and then try using WebApp2, we shouldn't go authenticating to keycloak again and should instead reuse the Tomcat SSO session.
From bruno at abstractj.org Fri May 10 08:36:48 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 10 May 2019 09:36:48 -0300
Subject: [keycloak-user] keycloak-gatekeeper doing compression offloading without the instruction to do so
In-Reply-To: <2e4416d1-2f87-c908-bc8e-04443935a9c6@maltris.org>
References: <2e4416d1-2f87-c908-bc8e-04443935a9c6@maltris.org>
Message-ID: <20190510123648.GB10675@abstractj.org>

Hi Malte,

Could you please file a Jira adding all the details like steps to reproduce, affected version and your environment setup?

On 2019-05-10, Malte Schmidt wrote:
> Hello, I recently discovered strange behaviour of an application which
> is being protected by gatekeeper when I noticed that the resources from
> the application are being transmitted uncompressed.
> It looks like the "content-encoding: gzip" header goes missing and the
> response to the client/reverse proxy happens uncompressed, after being
> passed through gatekeeper.
>
> I tried to search the documentation for gatekeeper and this behaviour,
> but failed to find anything of use.
> Ideas on how to pass already compressed data through gatekeeper or any
> other opinions?
>
> Normal communication from the client over the reverse proxy to the
> application server:
>
> Client to reverse proxy
>
> GET /test.js HTTP/1.1
> [...]
> Accept-Encoding: deflate, gzip
>
> Reverse proxy to application server
>
> GET /test.js HTTP/1.1
> [...]
> Accept-Encoding: deflate, gzip
>
> Answer from the application server over the reverse proxy to the client
>
> HTTP/1.1 200 OK
> [...]
> vary: accept-encoding
> content-encoding: gzip
>
> keycloak-gatekeeper added to the chain, between the reverse proxy and
> the upstream
>
> Gatekeeper to its upstream
>
> GET /test.js HTTP/1.1
> [...]
> Accept-Encoding: gzip
>
> Upstream to gatekeeper
>
> HTTP/1.1 200 OK
> [...]
> vary: accept-encoding
> content-encoding: gzip
>
> Gatekeeper to client
>
> HTTP/1.1 200 OK
> [...]
> Vary: accept-encoding

--
abstractj

From bruno at abstractj.org Fri May 10 09:01:47 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 10 May 2019 10:01:47 -0300
Subject: [keycloak-user] LDAP User Storage Provider web interface
In-Reply-To:
References:
Message-ID: <20190510130147.GC10675@abstractj.org>

Please take a look at our documentation: https://www.keycloak.org/docs/latest/server_development/index.html#import-implementation-strategy. I believe the item clarifies the "Unlink users":

"If you are moving to Keycloak as your official user store and deprecating the old external store, you can slowly migrate applications to use Keycloak. When all applications have been migrated, unlink the imported user, and retire the old legacy external store."

Regarding your other comments: I can be wrong, but I don't believe these buttons will be hidden.

On 2019-05-09, Ryan Slominski wrote:
> On the admin web interface what do the buttons at the bottom of the LDAP User Storage Provider settings page do? Specifically the buttons:
>
> Synchronize changed users
> Synchronize all users
> Remove imported
> Unlink users
>
> I don't want Keycloak caching much / anything so I've configured Cache Policy NO_CACHE, Edit Mode READ_ONLY, and Import Users OFF. It seems like these buttons should not be shown with this configuration as it isn't clear they do anything. I'm especially mystified by the Unlink users button since I can't find any reference on what the heck that does.
>

--
abstractj

From Bob.Dannehl at deutschebahn.com Fri May 10 10:01:03 2019
From: Bob.Dannehl at deutschebahn.com (Bob Dannehl)
Date: Fri, 10 May 2019 14:01:03 +0000
Subject: [keycloak-user] Keycloak integration with AWS IAM
Message-ID: <1004AB11-7306-42B8-9F9E-8486EBA164F5@contoso.com>

Hello everybody,

I am currently evaluating if there is a way to connect our Keycloak to the new IAM Authentication of Amazon RDS (PostgreSQL) in order to isolate databases and get rid of the security impact of long term database credentials.

Instead of having a static datasource configuration, the Keycloak is registered at AWS IAM as relying party and then would have to get access tokens (later refresh tokens) from IAM in order to access its database.

See this link for further information on the AWS RDS IAM feature: https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-postgresql-now-supports-iam-authentication/?nc1=h_ls

Do you have an idea if such would work with keycloak out of the box, or how to solve it in another way (e.g. SPI)?

Thanks in advance,
Bob

________________________________
Show mandatory information
Further information on data processing in the DB Group can be found here: http://www.deutschebahn.com/de/konzern/datenschutz

From orivat at janua.fr Fri May 10 11:08:41 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Fri, 10 May 2019 17:08:41 +0200
Subject: [keycloak-user] Cannot get UMA photoz example working (keycloak quickstart 6.0.1)
Message-ID:

Hi,

I am not able to get the app-auth-photoz uma example working.

I have followed the example instructions at
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz

When I click on
http://localhost:8080/photoz-html5-client

I obtain the error message

We're sorry...
Page not found
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz

Landing URL in the browser is:
http://localhost:8180/auth/realms/photoz/protocol/openid-connect/auth?client_id=photoz-html5-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fphotoz-html5-client%2F&state=38044f03-0abc-4473-8a76-06531078d225&response_mode=fragment&response_type=code&scope=openid&nonce=6f1d9f20-64da-4ac1-9c71-8d399d8e0d5f

I have enabled debug logs, but haven't found any further clue.

I am wondering where this problem can originate?
Misconfiguration of mine (I've tried this example with different distribs and always falling at the same hurdle)?

Or is it a bug with this example?

Regards,

Olivier Rivat

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From ryans at jlab.org Fri May 10 13:33:28 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Fri, 10 May 2019 17:33:28 +0000
Subject: [keycloak-user] LDAP User Storage Provider web interface
In-Reply-To: <20190510130147.GC10675@abstractj.org>
References: , <20190510130147.GC10675@abstractj.org>
Message-ID:

Hi Bruno,

Sounds like all the buttons should be hidden in the scenario where users are not imported, defined, or even cached in Keycloak at all. They aren't currently, and clicking the buttons is undefined in this case (hopefully they just do nothing). Should I create a JIRA for this?
Ryan

________________________________
From: Bruno Oliveira
Sent: Friday, May 10, 2019 9:01:47 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] LDAP User Storage Provider web interface

Please take a look at our documentation: https://www.keycloak.org/docs/latest/server_development/index.html#import-implementation-strategy. I believe the item clarifies the "Unlink users":

"If you are moving to Keycloak as your official user store and deprecating the old external store, you can slowly migrate applications to use Keycloak. When all applications have been migrated, unlink the imported user, and retire the old legacy external store."

Regarding your other comments: I can be wrong, but I don't believe these buttons will be hidden.

On 2019-05-09, Ryan Slominski wrote:
> On the admin web interface what do the buttons at the bottom of the LDAP User Storage Provider settings page do? Specifically the buttons:
>
> Synchronize changed users
> Synchronize all users
> Remove imported
> Unlink users
>
> I don't want Keycloak caching much / anything so I've configured Cache Policy NO_CACHE, Edit Mode READ_ONLY, and Import Users OFF. It seems like these buttons should not be shown with this configuration as it isn't clear they do anything. I'm especially mystified by the Unlink users button since I can't find any reference on what the heck that does.
>

--
abstractj

From jeet at glabbr.com Sat May 11 03:42:41 2019
From: jeet at glabbr.com (jeet parmar)
Date: Sat, 11 May 2019 13:12:41 +0530
Subject: [keycloak-user] Integrate keycloak and kafka
Message-ID: <16aa5d810db.f4375b43306279.9152928291993945994@glabbr.com>

Hello All,

Need some pointers on how I can integrate Keycloak with Kafka so that whenever there are events sent on Kafka, e.g. CREATE_REALM, DELETE_USER etc., for keycloak, keycloak should react to them according to the events.

Any pointers would greatly help on this.

Thanks,
Jeet
Glabbr
https://glabbr.me/jeety

From orivat at janua.fr Sat May 11 13:06:27 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Sat, 11 May 2019 19:06:27 +0200
Subject: [keycloak-user] Cannot get UMA photoz example working (keycloak quickstart 6.0.1)
In-Reply-To:
References:
Message-ID: <0dfe4a55-5308-ae3d-d3cc-302a8646a289@janua.fr>

Hi,

I have found the discrepancy.

I have used the import command, whereas one should use "add realm"/select file, and the doc should mention to upload the file there.
I think the keycloak quickstart guide doc example clarity could be improved with the above comment to avoid any further confusion.

Regards,

Olivier Rivat

On 10/05/2019 at 17:08, Olivier Rivat wrote:
>
> Hi,
>
> I am not able to get the app-auth-photoz uma example working.
>
> I have followed the example instructions at
>
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz
>
> When I click on the
> http://localhost:8080/photoz-html5-client
>
> I obtain the error message
>
> We're sorry...
> Page not found
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz
>
> Landing URL in the browser is:
> http://localhost:8180/auth/realms/photoz/protocol/openid-connect/auth?client_id=photoz-html5-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fphotoz-html5-client%2F&state=38044f03-0abc-4473-8a76-06531078d225&response_mode=fragment&response_type=code&scope=openid&nonce=6f1d9f20-64da-4ac1-9c71-8d399d8e0d5f
>
> I have enabled debug logs, but haven't found any further clue.
>
> I am wondering where this problem can originate?
> Misconfiguration of mine (I've tried this example with different
> distribs and always falling at the same hurdle)?
>
> Or is it a bug with this example?
>
> Regards,
>
> Olivier Rivat
>
> --
> Olivier Rivat
> CTO
> orivat at janua.fr
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From firozpalapra at outlook.com Sat May 11 13:55:37 2019
From: firozpalapra at outlook.com (Firoz Ahamed)
Date: Sat, 11 May 2019 17:55:37 +0000
Subject: [keycloak-user] Get users api very slow when federation is enabled
Message-ID:

Hi,

We have a setup where federation is enabled in keycloak and have some 200 users imported from the federation. The get users REST api call now takes around 30 seconds to return the details of the 200 users! Without the federation enabled, it only takes a few seconds to get 1000s of users. I believe the slowness is because keycloak checks with the federation for each user. Is there some way to turn this check off? Any help would be greatly appreciated.
Thanks in advance,
Firoz

From patdung100 at gmail.com Sat May 11 16:54:23 2019
From: patdung100 at gmail.com (Patrick Dung)
Date: Sun, 12 May 2019 04:54:23 +0800
Subject: [keycloak-user] Keycloak 4.3 could not use sssd federation after upgrade to Fedora 30
Message-ID:

Hello,

I was using Fedora 29 with Keycloak, FreeIPA and sssd on the same machine. After upgrading to Fedora 30, all services can start normally, but the sssd federation is not loaded when Keycloak is started. It is missing from the list for user federation. It only has LDAP and Kerberos authentication to choose from.

On the problem local machine, I can run "sssctl user-checks admin -s keycloak" without problem.

Any help would be appreciated, thanks.

Patrick

From sblanc at redhat.com Sun May 12 01:56:36 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sun, 12 May 2019 07:56:36 +0200
Subject: [keycloak-user] [keycloak-dev] Cannot get UMA photoz example working (keycloak quickstart 6.0.1)
In-Reply-To: <0dfe4a55-5308-ae3d-d3cc-302a8646a289@janua.fr>
References: <0dfe4a55-5308-ae3d-d3cc-302a8646a289@janua.fr>
Message-ID:

Could you tell us what the issue was with the import when using the command line? Because it should also work.

On Sat, May 11, 2019 at 7:19 PM Olivier Rivat wrote:

> Hi,
>
> I have found the discrepancy.
>
> I have used the import command, whereas one should use the "add
> realm"/select file, and the doc should mention to upload the file there.
> I think the keycloak quickstart guide doc example clarity could be improved
> with the above comment to avoid any further confusion.
>
>
> Regards,
>
> Olivier Rivat
>
>
>
> On 10/05/2019 at 17:08, Olivier Rivat wrote:
> >
> > Hi,
> >
> > I am not able to get the app-auth-photoz uma example working.
> >
> > I have followed the example instructions at
> >
> > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz
> >
> > When I click on the
> > http://localhost:8080/photoz-html5-client
> >
> > I obtain the error message
> >
> > We're sorry...
> > Page not found
> > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz
> >
> > Landing URL in the browser is:
> > http://localhost:8180/auth/realms/photoz/protocol/openid-connect/auth?client_id=photoz-html5-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fphotoz-html5-client%2F&state=38044f03-0abc-4473-8a76-06531078d225&response_mode=fragment&response_type=code&scope=openid&nonce=6f1d9f20-64da-4ac1-9c71-8d399d8e0d5f
> >
> > I have enabled debug logs, but haven't found any further clue.
> >
> > I am wondering where this problem can originate?
> > Misconfiguration of mine (I've tried this example with different
> > distribs and always falling at the same hurdle)?
> >
> > Or is it a bug with this example?
> > > > > > Regards, > > > > > > Olivier Rivat > > > > > > > > -- > > > > > > < > http://www.janua.fr/images/LogoSignature.gif> > > > > > > > > Olivier Rivat > > CTO > > orivat at janua.fr > > Gsm: +33(0)682 801 609 > > T?l: +33(0)489 829 238 > > Fax: +33(0)955 260 370 > > http://www.janua.fr > > > > > > > -- > > > < > http://www.janua.fr/images/LogoSignature.gif> > > > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > T?l: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From cjbm2994 at gmail.com Mon May 13 03:43:09 2019 From: cjbm2994 at gmail.com (Charles Joseph Malata) Date: Mon, 13 May 2019 15:43:09 +0800 Subject: [keycloak-user] GROUP-LDAP-MAPPER for Dynamic Groups in LDAP Message-ID: Hi, Is the default "GROUP-LDAP-MAPPER" for ldap able to work with Dynamic Groups(Using the groupOfURLs objectclass)? I noticed that the behaviour of that mapper seem to expect that the objectclass used should be groupOfNames. Appreciate any help. Cheers, Charles From maksym.gendin at gmail.com Mon May 13 07:42:38 2019 From: maksym.gendin at gmail.com (Maksym Gendin) Date: Mon, 13 May 2019 13:42:38 +0200 Subject: [keycloak-user] Fwd: Not properly closed connections in org.keycloak.adapters.ServerRequest In-Reply-To: References: Message-ID: Dear Keycloak users/developers, I have noticed a potential problem with closing the connections in org.keycloak.adapters.ServerRequest#invokeClientManagementRequest method. I'm facing problems with number of opened files on a linux machine and trying to identify the source...querying the open connections with netstat I see a couple of connections in CLOSE_WAIT status from my microservice instances towards Keycloak... Can someone confirm me that the ServerRequest class closes the connections in a proper way? 
Best regards
Maksym

From colin.morey at stfc.ac.uk Mon May 13 08:11:48 2019
From: colin.morey at stfc.ac.uk (Colin Morey - UKRI STFC)
Date: Mon, 13 May 2019 12:11:48 +0000
Subject: [keycloak-user] Announcement: KeyConf19 - a community focused event

Hi All,

I'm pleased to invite you to KeyConf19, a new open source identity and account management event focused primarily on Keycloak and its use-cases: part conference, part un-conference, all community driven.

It's 2 days long on 12-13 June 2019, in (mostly) sunny Cheshire, in the north west of the UK, and _free to attend_ (we're even covering lunch and coffee during the day)!

For more information and to register: https://www.hartree.stfc.ac.uk/Pages/KeyConf.aspx

We will be fleshing out the agenda in the next few weeks, and if you'd like to present a short overview of how you're using Keycloak or other related topics for discussion, please use the sign-up form to let us know.

If you have any questions, please do let us know via hartree at stfc.ac.uk

Hope to see some of you there,

Colin Morey
Systems Architect
STFC Hartree Centre
Daresbury Laboratory

From orivat at janua.fr Mon May 13 08:16:06 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Mon, 13 May 2019 14:16:06 +0200
Subject: [keycloak-user] [keycloak-dev] Cannot get UMA photoz example working (keycloak quickstart 6.0.1)
References: <0dfe4a55-5308-ae3d-d3cc-302a8646a289@janua.fr>
Message-ID: <646ae16a-96a3-1f24-2b31-62642dd7134e@janua.fr>

The discrepancy is:

1) I was using the import command of the master realm to upload photoz-realm.json (it was my mistake)

2) You should do as follows:
   a) select "Add realm"
   b) select "Select File" and upload photoz-realm.json
   ---> the quickstart realm and everything is created successfully

It is the following text which confused me quite a lot, and which should be more clearly documented (indicating to use the Add realm button, for example):

https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz

  Create the Example Realm and a Resource Server

  Considering that your Keycloak Server is up and running, log in to the Keycloak Administration Console.

  Now, create a new realm based on the following configuration file:

    keycloak-quickstarts/app-authz-photoz/photoz-realm.json

  That will import a pre-configured realm with everything you need to run this quickstart. For more details about how to import a realm into Keycloak, check the Keycloak's reference documentation.

  After importing that file, you'll have a new realm called photoz.

Regards,

Olivier

On 12/05/2019 at 07:56, Sebastien Blanc wrote:
> I have used the import command, whereas one should use the "add realm"/select file, and the doc should mention to upload the file here. I think the keycloak quickstart guide doc example clarity could be improved with the above comment to avoid any further confusion

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From huwmcnamara at msn.com Mon May 13 14:07:45 2019
From: huwmcnamara at msn.com (Huw McNamara)
Date: Mon, 13 May 2019 18:07:45 +0000
Subject: [keycloak-user] Show Username in Admin Events / Login Events
In-Reply-To: <5de83ea9-9227-106f-50af-e0176b1aa492@gmx.de>
References: <339f02c8-c80f-4434-323f-f14be4f4c48d@gmx.de>, <5de83ea9-9227-106f-50af-e0176b1aa492@gmx.de>

Hi Guido,

One possible way you could achieve what you want is to implement a custom event listener. See https://github.com/zekidkiller/keycloak/tree/master/examples/providers/event-listener-sysout for an example.
Then, using a combination of the API https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_users_resource and/or Keycloak classes https://www.keycloak.org/docs-api/6.0/javadocs/org/keycloak/storage/user/UserLookupProvider.html#getUserById-java.lang.String-org.keycloak.models.RealmModel- you should be able to get real values for IDs. The easiest way might be the API, as it is very frequently a 1-1 mapping for any resource path (given in the event details).

Kind regards,
Huw

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Guido Wimmel
Sent: 08 May 2019 20:04
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Show Username in Admin Events / Login Events

Hi,

does anyone possibly have similar concerns / a workaround? The Admin Events view in the Administration Console is of limited use for our Keycloak admins if they have to look up the usernames of the concerned users.

In addition, it seems that the Admin Events do not contain information on which role(s) were assigned to / removed from a user; I can only see a general update of the client-role-mapping. Is this true? Is there a way to extend the Admin Events such that it is possible to see which role(s) were added/removed?

Thanks in advance, best regards,
Guido

On 06.04.19 10:39 Guido Wimmel wrote:
> Hi,
>
> in the Admin Events / Login Events view in the Administration Console in Keycloak, I can see e.g. if users logged in or were assigned to a role. However, the users are only referenced by their id.
>
> I can determine the username by constructing a URL (e.g. .../realms//users/ ) and navigating to it.
>
> Is there an easier way?
>
> Best regards,
> Guido

From keats.kirsch at axleinfo.com Mon May 13 15:08:01 2019
From: keats.kirsch at axleinfo.com (Keats Kirsch)
Date: Mon, 13 May 2019 19:08:01 +0000
Subject: [keycloak-user] Setting X-Frame-Options in jobs/undertow

Posting in case anyone else has this issue. We were getting errors loading iframes in the Keycloak console due to the X-Frame-Options being set to 'deny' by default in our environment (Cloud Foundry). The fix was to set the X-Frame-Options explicitly in the undertow/jboss subsystem configuration in the configuration file (e.g., standalone.xml). We just added a response-header filter and pointed to it with a filter-ref under the default-host setting. Our XML looks like this:

Hope this helps.

--
Keats Kirsch
Auth Lead
Axle Informatics
http://axleinfo.com/
Keats.Kirsch at axleinfo.com

From dennis.knorr at gmx.net Tue May 14 04:09:41 2019
From: dennis.knorr at gmx.net (Dennis Knorr)
Date: Tue, 14 May 2019 10:09:41 +0200
Subject: [keycloak-user] reset password procedure without email and non visible keycloak
Message-ID: <0fdcd345-2b4b-9fe9-da73-fdcccf4cf6d8@gmx.net>

Hi,

we want to use Keycloak as OIDC provider and are not sure how to handle password reset (with temporary password/TOTP). But we have a few architectural constraints. Our constraints are the following:

1. We have no email system where we send mails to the provider. We MIGHT have later in the process an SMS system, which could send TOTP tokens to the user.
2. Because of customer requirements we shall not expose Keycloak to users.

My question would therefore be: what is the best practice/standard way to do password reset?
Is there a proxy for that which handles that? Are there REST APIs? Are there authentication flows for it? I did not see anything.

Please enlighten me, I am not sure if we do that right. Documentation and examples are better than for other OIDC providers, but the concept is still complex and complicated and I fear we could do stuff wrong.

From msc at onesty-tech.de Tue May 14 04:57:55 2019
From: msc at onesty-tech.de (Markus Schulz)
Date: Tue, 14 May 2019 08:57:55 +0000
Subject: [keycloak-user] use custom FormAction implementation on "edit account" page
Message-ID: <11627977.rNddfDAECs@seat>

Hello,

I've implemented an "extended profile validation" FormAction provider which validates (required fields, field format) some additional user attributes (contained in our custom theme).

But now there is a major problem: I don't know how I can use this provider for the "edit account" page. Currently the user needs to enter some additional fields on the registration page, but after this, he can freely choose to edit/delete the content on the "edit account" page.

How can I prevent this?

regards,
msc

From mohamad.khayat at esis.ae Tue May 14 05:10:57 2019
From: mohamad.khayat at esis.ae (Mohamad KHAYAT)
Date: Tue, 14 May 2019 13:10:57 +0400
Subject: [keycloak-user] help
Message-ID: <75AF973B9D9D984899A02A2DCCD87A904E42B6778F@adexchange3.adess.intra>

Hi all,

I am trying to build an application which requires access to a PostgreSQL DB, and I don't want to use a hardcoded username and password in my code; instead I want to rely on Keycloak for authentication. Any idea if this is possible?

Thanks,
MK

From ahmadzadehasl at outlook.com Tue May 14 06:01:04 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Tue, 14 May 2019 10:01:04 +0000
Subject: [keycloak-user] Help for using Keycloak in Spring Boot
In-Reply-To: <1557351594.3565.8.camel@carretti.pro>
References: <1557351594.3565.8.camel@carretti.pro>

Hi Dmitry,

Based on the previous emails, I have only one problem now. When I set the config 'on-deny-redirect-to' in the application.properties file, I have to define at least one securityConstraints in this file too. How can I define this securityConstraints as a permit-all constraint? Something like this:

keycloak.securityConstraints[0].authRoles[0] = none
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /

________________________________
From: Dmitry Telegin
Sent: Thursday, May 9, 2019 2:09 AM
To: Ali Ahmadzadeh Asl; Michal Hajas; Sebastien Blanc
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot

Hello Ali,

It would be helpful if you could share your application.properties (scrubbing the secrets, if any) as well as the authorization settings in Keycloak. Please also mind that security constraints (role-based) and authorization are separate concepts, in the sense that they are configured and enforced differently.

Cheers,
Dmitry Telegin
Opensource IAM consultant
https://www.linkedin.com/in/d-telegin

On Tue, 2019-05-07 at 08:08 +0000, Ali Ahmadzadeh Asl wrote:
> Hi guys,
>
> Thank you Michal, thank you Sebastien. As you know, in the application.properties file of this project there is a keycloak.securityConstraints which forces visitors to have the role "user"; when I remove this securityConstraints and run the project, every request redirects to the "/accessDenied" page, though based on the permissions defined in the admin panel, the url / is public.
>
> If I have to define at least one securityConstraints in application.properties (which in my opinion is not a good constraint), how can I define it as a public pattern without any role constraint?
>
> ________________________________
> From: Michal Hajas
> Sent: Tuesday, May 7, 2019 11:27 AM
> To: Sebastien Blanc
> Cc: Ali Ahmadzadeh Asl; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot
>
> Hi Ali,
>
> as far as I understand, you have to specify securityConstraints (it is also in the authz quickstart: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-springboot/src/main/resources/application.properties#L10) so that Keycloak knows about your resources. You can specify your permissions and policies afterward.
>
> Michal
>
> On Tue, May 7, 2019 at 7:24 AM Sebastien Blanc wrote:
> Hi Ali,
>
> Have you tried this quickstart that shows how to use the authz service from KC: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot
> Also make sure you enable the policy enforcer on the app side in the configuration, i.e.:
> keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied
>
> sebi
>
> On Tue, May 7, 2019 at 7:07 AM Ali Ahmadzadeh Asl wrote:
> Hi Michal,
>
> I configured my server exactly like this tutorial, but I have not defined any keycloak.securityConstraints in the application.properties file; I want to define permissions and policies in the Keycloak admin panel. Does this require any special setting? Does anybody have any sample or tutorial for this?
> ________________________________
>
> From: Michal Hajas
> Sent: Monday, May 6, 2019 12:09 PM
> To: Ali Ahmadzadeh Asl
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot
>
> Hi Ali,
>
> it looks like you have wrongly configured the Spring Boot Keycloak adapter. Make sure you configured everything which is shown here (especially the part with security constraints): https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter
>
> Michal
>
> On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl wrote:
> Hi
> First of all, excuse me for poor English.
>
> I am trying to use Keycloak in Spring Boot 2. I read many articles about this matter, such as the following link:
> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html
>
> There was an issue that I can't resolve. Resources, policies and permissions defined in the admin panel for the client do not have any effect on my server. For example, I defined a resource for URL pattern /rest/* and a policy for having ROLE_REST, and I also defined a permission mapping this resource and policy.
>
> But after running the server, I can use the rest services without any limitation and authentication.
> Now the question is: How can I manage Spring Boot application security and permissions from the Keycloak admin panel?
>
> Thank you

From ahmadzadehasl at outlook.com Tue May 14 06:26:34 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Tue, 14 May 2019 10:26:34 +0000
Subject: [keycloak-user] HttpStatus 200 returned for unauthorized users

Hi Dears

I'm using Keycloak 6.0.0 with Spring Boot. My Java application serves both a web application and web services. The config is like this:

keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
keycloak.enable-basic-auth=true
keycloak.autodetect-bearer-only=true
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.credentials.secret=f3776b88-26c7-44fa-83ec-67cb72fa3111
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*

Assume that '/rest/get-time' is a REST service served by my server for getting the current date and time. When I GET this address with an 'Accept: application/json' header using tools like Postman, the server returns HttpStatus 200 with an empty body. When I send the same request without any header, the server returns HttpStatus 200 and the HTML body of the Keycloak login page.

How can I configure Keycloak to return HttpStatus 401 in the response to unauthorized REST or SOAP requests?

Best Regards
Ali Ahmadzadeh Asl

From Pavel.Micka at zoomint.com Tue May 14 09:00:21 2019
From: Pavel.Micka at zoomint.com (Pavel Micka)
Date: Tue, 14 May 2019 13:00:21 +0000
Subject: [keycloak-user] help
In-Reply-To: <75AF973B9D9D984899A02A2DCCD87A904E42B6778F@adexchange3.adess.intra>
References: <75AF973B9D9D984899A02A2DCCD87A904E42B6778F@adexchange3.adess.intra>

Hi,

You are probably not looking for a user management solution (such as Keycloak), but for password/secret management such as Vault: https://www.vaultproject.io/.
Regards,
Pavel

Elevate Every Encounter
Pavel Micka
Software Architect
ZOOM International
www.zoomint.com

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Mohamad KHAYAT
Sent: Tuesday, May 14, 2019 11:11 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] help

Hi all,

I am trying to build an application which requires access to a PostgreSQL DB, and I don't want to use a hardcoded username and password in my code; instead I want to rely on Keycloak for authentication. Any idea if this is possible?

Thanks,
MK

From pkboucher801 at gmail.com Tue May 14 10:03:05 2019
From: pkboucher801 at gmail.com (pkboucher801 at gmail.com)
Date: Tue, 14 May 2019 10:03:05 -0400
Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
Message-ID: <000001d50a5d$c1042bd0$430c8370$@gmail.com>

In the meantime (before we switch to 5.0+), is there any way to automate recognition when the cluster hangs (or is about to hang) as in https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list ?

And is it reliable to un-hang the cluster by scaling it down to zero instances, and then scaling back up?

Thanks!

Regards,
Peter

From: Sebastian Laskawiec
Date: Fri, Apr 26, 2019 at 6:11 PM
Subject: Re: [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
To: abhishek raghav
Cc: keycloak-user, keycloak-dev

There were a bunch of fixes to JGroups a while ago, including changes in JDBC_PING.

Could you please rerun your setup with Keycloak >= 5.0.0? I believe some of the issues (or maybe even all of them) should be fixed.

On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav wrote:

Hi

After the migration of Keycloak HA configurations from 3.4.3.Final to 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of Keycloak immediately after Keycloak is started with 2 nodes. This occurs every time the cluster is scaled up or whenever Infinispan is trying to update the cluster member list. I am using JDBC_PING to achieve clustering in Keycloak.

Below is the stacktrace:

    2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
        at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
        at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
        at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Suppressed: org.infinispan.util.logging.TraceException
        at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
        at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
        at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)

Now after I searched, I really did not see anyone report such an error on Keycloak, but there is a similar bug reported in WildFly 14, and it is categorized as a blocker in WildFly 14. This bug is already fixed in WildFly 15.

https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list

Now since Keycloak 4.8 is also based on WildFly 14, these WARNINGS could be because of this blocker in WildFly 14. What should I do to get rid of this error? Is this really a problem in Keycloak 4.8.3.Final? Did anyone notice any such issue while running Keycloak 4.8.3 in HA mode? Is there a workaround to fix this?

One more thing we noticed is regarding a property in the JDBC_PING protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change", but it is no longer supported in the 4.8 version, and thus the JGROUPSPING table is filled up with a lot of stale entries. Is there a workaround to clear the table after view change in 4.8 also?

Thanks
Abhishek

From Lasse.Jahn at student.hpi.uni-potsdam.de Tue May 14 11:49:10 2019
From: Lasse.Jahn at student.hpi.uni-potsdam.de (Jahn, Lasse)
Date: Tue, 14 May 2019 15:49:10 +0000
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api

Hello,

It's the first time writing to the keycloak mailing list (I hope this is the correct one?) so excuse me if I forget to provide some information or make any other mistakes.
Sorry for the text wall.

Shortly, what I try to do (maybe I got something completely wrong):
I create a backend (node.js, bearer only) which shall offer a REST API. Partially it is used via a frontend (keycloak clients) or directly by some devices.
In general I try to create an application with a lot of CRUD.
User management is done in Keycloak, and I only forward these requests to the admin REST API. Other stuff like the devices I store in a separate database.
So the backend is the abstraction layer for the frontend and other use-cases.

So far so good, but for the beginning it was enough to check whether the request comes from an authenticated person or not, so all was handled via keycloak.protect(). The token from the authenticated person was passed.
But now I want to offer different authorization levels (they can differ due to reasons of multitenancy, which is why I want to solve this via policies and co in the admin-console inside the client configuration), because the normal user shall have access to only some routes and the management shall have full access to the API, but of course doesn't need the Keycloak admin access.
So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client itself (using policies, permissions, .. inside the admin-console).
(Just in case no one gets what I'm talking about: fixing [1] should help me fix my issue, I guess)

Setup
- node.js application using express
- registered as a single client in the Keycloak admin-console (confidential, but the config inside the code is bearer-only)
- Keycloak is running in a docker container (version 4.5)
- all services are running in a docker-compose network and are behind a reverse proxy for a common URI
- enabled Authorization in the client and changed the default policy to Negative to always deny (=> to see if it is enforced)

My Problem
I don't understand how to use the policies, permissions and co I created in the admin-console inside the backend itself. How do I enforce that these are used?
I tried to check different examples and documentation, but couldn't get it working.
The last thing I found was that the entitlement API was removed, but a policy-enforcer was added to the nodejs adapter.
In the documentation for the policy-enforcer [2] I couldn't find documentation of the middleware (keycloak.enforcer({}) [3][4]).

My Code

*****
app.js

const express = require('express');
const app = express();
const Keycloak = require('keycloak-connect');
const session = require('express-session');
const routes = require('./routes/index');

const kcConfig = {
    'realm': 'master',
    'bearer-only': true,
    'auth-server-url': `https://DOMAIN/auth`,
    'ssl-required': 'all',
    'resource': 'fm-backend',
    'credentials': {
        secret: 'SOME_SECRET',
    },
    'confidential-port': 0,
    'policy-enforcer': {          // tried with and without this, changed nothing
        'enforcement-mode': 'ENFORCING',
    },
};

const memoryStore = new session.MemoryStore();
const keycloak = new Keycloak({ memoryStore }, kcConfig);

app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));

// used before, worked well for authentication
app.use('/api', keycloak.protect(), routes);

// now unfortunately I don't understand how to use the keycloak.enforcer() middleware
app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);

module.exports = app;
*****

[1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application
[2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview
[3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc
[4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js

Any help is appreciated :)

With kind regards
Lasse

From psilva at redhat.com Tue May 14 14:33:08 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 May 2019 15:33:08 -0300
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api

Hi,

We've added more docs to the NodeJS PEP recently [1]. They should be available in the next release.
Please, let me know if that is enough or if we need to add more information. In your case, this code: app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); Would be: app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes); If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be: app.use('/api', keycloak.enforcer('foo:bar'), routes); Hope it helps. [1] https://github.com/keycloak/keycloak-documentation/pull/654 On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse < Lasse.Jahn at student.hpi.uni-potsdam.de> wrote: > Hello, > > It's the first time writing to keycloak mailing list (I hope this is the > correct one?) so excuse if I forget to provide some information or any > other mistakes .. > Sorry for the text wall. > > Shortly what I try to do (maybe I got something completely wrong): > I create a backend (node.js Bearer Only) which shall offer an REST api. > Partially it is used via a frontend (keycloak-clients) or directly by some > devices. > In general I try to create an application with a lot of CRUD. User > Management is done in keycloak and only I forward these requests to the > admin REST Api. Other stuff like the devices ... I store in a separate > database. > So the backend is the abstraction layer for frontend and other use-cases. > > So far so good, but for the beginning it was enough to check weather the > request comes from an authenticated person or not, so all handled via > keycloak.protect() The Token from the authenticated person was passed > But now I'd want to offer different authorization level (can differ due to > reasons of multitenancy, why I want to solve this via policies and co in > admin-console inside the client configuariton) because the normal user > shall have access to only some routes and the management shall have full > access to the api, but of course don't need the keycloak admin access. 
> So I enabled the service account for my backend client and gave this one > the realm-admin role so the client has access to everything and I can > handle the authorization inside the backend client it self (using policies, > permissions, .. inside the admin-console). > (Just in case no one gets what I'm talking about. Fixing [1] should help > me fixing my issue I guess) > > Setup > - node.js application using express > - registered as single client in keycloak admin-console (confidential, but > config inside the code is bearer-only) > - Keycloak is running in a docker-container (version 4.5) > - all services are running in a docker-compose network and are behind a > reverse proxy for common uri > - enabled Authorization in client and changed the default policy to > Negative to always deny => to see if it is enforced) > > My Problem > I don't understand how to use the policies, permissions and Co I created > in the admin-console inside the backend it self. How do I enforce that > these are used? > I tried to check different examples and documentation, but could get it > working. > The last thing I found was that the entitlement api was removed, but a > policy-enforcer was added to the nodejs adapter. In the documentation for > the policy-enforcer [2] I couldn't find a documentation of the middleware > (keycloak.enforcer({}) [3][4]). 
> > My Code > > ***** > app.js > > const express = require('express'); > const app = express(); > const Keycloak = require('keycloak-connect'); > const session = require('express-session'); > const routes = require('./routes/index'); > > > const kcConfig = { > 'realm': 'master', > 'bearer-only': true, > 'auth-server-url': `https://DOMAIN/auth`, > 'ssl-required': 'all', > 'resource': 'fm-backend', > 'credentials': { > secret: 'SOME_SECRET', > }, > 'confidential-port': 0, > 'policy-enforcer': { //tried with an > without this, changed nothing > 'enforcement-mode': 'ENFORCING', > }, > }; > > const memoryStore = new session.MemoryStore(); > const keycloak = new Keycloak({ memoryStore }, kcConfig); > > app.use(keycloak.middleware({ logout: '/api/logout', protected: > '/api/gates' })); > > // used before, worked for well for authentication > app.use('/api', keycloak.protect(), routes); > > // now unfortunately I don't understand how to use keycloak.enforcer() > middleware > app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); > > module.exports = app; > > ***** > > [1] > https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application > [2] > https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview > [3] > https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc > [4] > https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js > > > Any Help is appreciated :) > > > With kind regards > Lasse > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From slaskawi at redhat.com Wed May 15 04:35:48 2019 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Wed, 15 May 2019 10:35:48 +0200 Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after 
migration to 4.8.3 from 3.4.3
In-Reply-To: <000001d50a5d$c1042bd0$430c8370$@gmail.com>
References: <000001d50a5d$c1042bd0$430c8370$@gmail.com>
Message-ID:

If you want to build an automated script to detect such situations and try to fix them, you would need to:

- Identify that the cluster experiences some problems by scanning the logs.
- Identify which node is the JGroups coordinator. You may do this by examining JMX and looking for jgroups/protocol/ee/GMS; the attribute name is coord.
- Kill the node that is the coordinator. Then the cluster should elect a new coordinator and should reconcile.

However, the proper recommendation is to do the upgrade and get the proper fix from JGroups.

On Tue, May 14, 2019 at 4:03 PM wrote:
> In the meantime (before we switch to 5.0+), is there any way to automate recognition when the cluster hangs (or is about to hang) as in https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list ?
>
> And is it reliable to un-hang the cluster by scaling it down to zero instances, and then scaling back up?
>
> Thanks!
>
> Regards,
> Peter
>
> From: *Sebastian Laskawiec*
> Date: Fri, Apr 26, 2019 at 6:11 PM
> Subject: Re: [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
> To: abhishek raghav
> Cc: keycloak-user , keycloak-dev <keycloak-dev at lists.jboss.org>
>
> There was a bunch of fixes to JGroups a while ago, including changes in JDBC_PING.
>
> Could you please rerun your setup with Keycloak >= 5.0.0? I believe some of the issues (or maybe even all of them) should be fixed.
>
> On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav wrote:
> Hi
>
> After the migration of keycloak HA configurations from 3.4.3.Final to 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak immediately after the keycloak is started with 2 nodes.
> This occurs every time the cluster is scaled up or whenever infinispan is trying to update the cluster member list.
> I am using JDBC_PING to achieve clustering in keycloak.
>
> Below is the stacktrace -
>
> 2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
>     Suppressed: org.infinispan.util.logging.TraceException
>         at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>         at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>         at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>
> Now after I searched, I really did not see anyone reported such error on keycloak but there is similar
> bug reported in WILDFLY 14 and is categorized as a blocker in WILDFLY 14. This bug is already fixed in WILDFLY 15.
> https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
>
> Now since keycloak 4.8 is also based on WILDFLY 14, these WARNINGS could be because of this blocker in WILDFLY 14.
>
> What should I do to get rid of this error? Is this really a problem in keycloak 4.8.3.Final? Did anyone notice any such issue while running keycloak 4.8.3 in HA mode?
> Is there a workaround to fix this?
>
> One more thing we noticed is - It is regarding a property in JDBC_PING protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change", but it is no more supported in 4.8 version, and thus the JGROUPSPING table is filled up with lot of stale entries. Is there a workaround to clear the table after view change in 4.8 also?
>
> Thanks
> Abhishek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

From lasse.jahn at student.hpi.de Wed May 15 07:52:24 2019
From: lasse.jahn at student.hpi.de (Lasse Jahn)
Date: Wed, 15 May 2019 13:52:24 +0200
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api
In-Reply-To:
References:
Message-ID: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de>

Hi Pedro,

thanks for the quick reply. So I got it working now, that the resource I created is enforcing the one policy. For a single resource this is great.

Later on I would like to have a multi-tenant solution, short explanation what I mean:

Different companies have the same functionality but maybe want to change the restriction for themselves. But still with only one backend application running. So each company should get one realm with the backend application registered as a client. When they call the api the backend should enforce the policies of the company specific client.

Therefore I have 2 questions:

1.
Is it possible to configure the enforcer to enforce all policies for all resources only depending on the requested path? So I only have to add the middleware once before the express router. So for example we have a route /api/devices and /api/users (GET, POST, DELETE each). Both are represented by a resource in the keycloak admin console.

I would like to have something like this:

router.js

****

const express = require('express');
const router = express.Router();
const users = require('../controllers/users.controller');
const devices = require('../controllers/devices.controller');

router.post('/users/', users.create);
router.delete('/users/', users.deleteAll);
router.get('/users/', users.findAll);

router.post('/devices/', devices.create);
router.delete('/devices/', devices.deleteAll);
router.get('/devices/', devices.findAll);

module.exports = router;

****

app.js

****

.... //all from before

app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes);

****

I don't want to write keycloak.enforcer(...) to each line of users or devices...

Maybe this can be done by the claims and the context information? But if yes I don't get how.

2. For now the solution is only single tenant, but if I want to have it multi tenant and have a realm per company with similar clients (only different in policies and permissions). Do you have an idea how I can solve the problem that the keycloak object is configured realm specific?
I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company. Depending on the company I would set the keycloak object.
Do you think this can work? Or do you have a better idea?

Some suggestions for your documentation:

- Could you somewhere describe what the middleware option protected is doing? The Logout, ... options are explained, but the protected I couldn't find.
- Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource'; the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful.

Regards,
Lasse

On 14.05.19 20:33, Pedro Igor Silva wrote:
> Hi,
>
> We've added more docs to NodeJS PEP recently [1]. They should be available in the next release. Please, let me know if that is enough or if we need to add more information.
>
> In your case, this code:
>
> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>
> Would be:
>
> app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes);
>
> If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be:
>
> app.use('/api', keycloak.enforcer('foo:bar'), routes);
>
> Hope it helps.
>
> [1] https://github.com/keycloak/keycloak-documentation/pull/654
>
> On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote:
>
> Hello,
>
> It's the first time writing to the keycloak mailing list (I hope this is the correct one?) so excuse me if I forget to provide some information or any other mistakes ..
> Sorry for the text wall.
>
> Shortly what I try to do (maybe I got something completely wrong):
> I create a backend (node.js Bearer Only) which shall offer a REST api. Partially it is used via a frontend (keycloak-clients) or directly by some devices.
> In general I try to create an application with a lot of CRUD. User Management is done in keycloak and I only forward these requests to the admin REST Api. Other stuff like the devices ... I store in a separate database.
> So the backend is the abstraction layer for frontend and other use-cases.
>
> So far so good, but for the beginning it was enough to check whether the request comes from an authenticated person or not, so all handled via keycloak.protect(). The Token from the authenticated person was passed.
> But now I'd want to offer different authorization levels (can differ due to reasons of multitenancy, which is why I want to solve this via policies and co in the admin-console inside the client configuration) because the normal user shall have access to only some routes and the management shall have full access to the api, but of course don't need the keycloak admin access.
> So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client itself (using policies, permissions, .. inside the admin-console).
> (Just in case no one gets what I'm talking about. Fixing [1] should help me fixing my issue I guess)
>
> Setup
> - node.js application using express
> - registered as single client in keycloak admin-console (confidential, but config inside the code is bearer-only)
> - Keycloak is running in a docker-container (version 4.5)
> - all services are running in a docker-compose network and are behind a reverse proxy for common uri
> - enabled Authorization in client and changed the default policy to Negative to always deny (=> to see if it is enforced)
>
> My Problem
> I don't understand how to use the policies, permissions and Co I created in the admin-console inside the backend itself. How do I enforce that these are used?
> I tried to check different examples and documentation, but couldn't get it working.
> The last thing I found was that the entitlement api was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find a documentation of the middleware (keycloak.enforcer({}) [3][4]).
>
> My Code
>
> *****
> app.js
>
> const express = require('express');
> const app = express();
> const Keycloak = require('keycloak-connect');
> const session = require('express-session');
> const routes = require('./routes/index');
>
> const kcConfig = {
>     'realm': 'master',
>     'bearer-only': true,
>     'auth-server-url': `https://DOMAIN/auth`,
>     'ssl-required': 'all',
>     'resource': 'fm-backend',
>     'credentials': {
>         secret: 'SOME_SECRET',
>     },
>     'confidential-port': 0,
>     'policy-enforcer': { // tried with and without this, changed nothing
>         'enforcement-mode': 'ENFORCING',
>     },
> };
>
> const memoryStore = new session.MemoryStore();
> const keycloak = new Keycloak({ store: memoryStore }, kcConfig);
>
> app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));
>
> // used before, worked well for authentication
> app.use('/api', keycloak.protect(), routes);
>
> // now unfortunately I don't understand how to use keycloak.enforcer() middleware
> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>
> module.exports = app;
>
> *****
>
> [1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application
> [2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview
> [3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc
> [4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>
> Any Help is appreciated :)
>
> With kind regards
> Lasse
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Wed May 15 09:59:37 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 May 2019 15:59:37 +0200
Subject: [keycloak-user] Request for
review: Chinese translation of email verification page
Message-ID:

I need help from the community to review:
https://github.com/keycloak/keycloak/pull/5778

From sthorger at redhat.com Wed May 15 10:00:08 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 May 2019 16:00:08 +0200
Subject: [keycloak-user] Review request: Arabic translation
Message-ID:

I need help from the community to review $sub:
https://github.com/keycloak/keycloak/pull/5962

From luke at code-house.org Wed May 15 11:33:51 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Wed, 15 May 2019 17:33:51 +0200
Subject: [keycloak-user] use custom FormAction implementation on "edit account" page
In-Reply-To: <11627977.rNddfDAECs@seat>
References: <11627977.rNddfDAECs@seat>
Message-ID:

Dear Markus,

FormActions are valid for registration and login purposes but as far as I know they do not cover account editing. The main difficulty is extension of validation because AccountProvider is called by AccountFormService (you hit it with the browser). There is also AccountRestService used when you work with the account using HTTP directly. Both are embedded in Keycloak and have no "extension" points.

In order to have more customized processing of templates for account edit you need to implement the AccountProvider SPI. There are several pages which are covered by it. The base implementation is FreeMarkerAccountProvider. Sadly at this stage the only way to get custom REST resource.
For reference I just leave the account handling logic which is available out of the box:

org.keycloak.services.resources.RealmsResource#getAccountService
org.keycloak.services.resources.account.AccountLoader#getAccountService
org.keycloak.services.resources.account.AccountRestService
org.keycloak.services.resources.account.AccountFormService

Kind regards,
Łukasz
--
http://code-house.org

On 14.05.2019 10:57, Markus Schulz wrote:
> hello,
>
> I've implemented an "extended profile validation" FormAction provider which validates (required fields, field-format) some additional user attributes (contained in our custom theme).
>
> But now there is a major problem, I don't know how I can use this provider for the "edit account" page.
> Currently the user needs to enter some additional fields on the registration page, but after this, he can freely choose to edit/delete the content on the "edit account" page.
>
> How can I prevent this?
>
> regards,
> msc
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Wed May 15 13:55:58 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 15 May 2019 14:55:58 -0300
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api
In-Reply-To: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de>
References: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de>
Message-ID:

On Wed, May 15, 2019 at 8:52 AM Lasse Jahn wrote:
> Hi Pedro,
>
> thanks for the quick reply. So I got it working now, that the resource I created is enforcing the one policy. For a single resource this is great.
>
> Later on I would like to have a multi-tenant solution, short explanation what I mean:
>
> Different companies have the same functionality but maybe want to change the restriction for themselves. But still with only one backend application running.
> So each company should get one realm with the backend application registered as a client. When they call the api the backend should enforce the policies of the company specific client.
>
> Therefore I have 2 questions:
>
> 1. Is it possible to configure the enforcer to enforce all policies for all resources only depending on the requested path? So I only have to add the middleware once before the express router. So for example we have a route /api/devices and /api/users (GET, POST, DELETE each). Both are represented by a resource in the keycloak admin console.
>
> I would like to have something like this:
>
> router.js
>
> ****
>
> const express = require('express');
> const router = express.Router();
> const users = require('../controllers/users.controller');
> const devices = require('../controllers/devices.controller');
>
> router.post('/users/', users.create);
> router.delete('/users/', users.deleteAll);
> router.get('/users/', users.findAll);
>
> router.post('/devices/', devices.create);
> router.delete('/devices/', devices.deleteAll);
> router.get('/devices/', devices.findAll);
>
> module.exports = router;
>
> ****
>
> app.js
>
> ****
>
> .... //all from before
>
> app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes);
>
> ****
>
> I don't want to write keycloak.enforcer(...) to each line of users or devices...
>
> Maybe this can be done by the claims and the context information? But if yes I don't get how.
>

Yes, by using claims you are allowed to use them in your policies. Here is an example: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/config/quickstart-realm.json#L90. More details here https://www.keycloak.org/docs/latest/authorization_services/index.html#examples .

Your keycloak.enforce would be similar to https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177 .

>
> 2.
> For now the solution is only single tenant, but if I want to have it multi tenant and have a realm per company with similar clients (only different in policies and permissions). Do you have an idea how I can solve the problem that the keycloak object is configured realm specific?
> I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company. Depending on the company I would set the keycloak object.
> Do you think this can work? Or do you have a better idea?
>

AFAIK, this is how you do it. So, according to the request, you build a new Keycloak object using a specific realm.

>
> Some suggestions for your documentation:
>
> - Could you somewhere describe what the middleware option protected is doing? The Logout, ... options are explained, but the protected I couldn't find.
> - Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource'; the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful.
>

Thanks for the feedback. Feel free to create a JIRA so that we can track and plan the improvements you are proposing.

>
> Regards,
> Lasse
>
> On 14.05.19 20:33, Pedro Igor Silva wrote:
>
> Hi,
>
> We've added more docs to NodeJS PEP recently [1]. They should be available in the next release. Please, let me know if that is enough or if we need to add more information.
>
> In your case, this code:
>
> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>
> Would be:
>
> app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes);
>
> If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be:
>
> app.use('/api', keycloak.enforcer('foo:bar'), routes);
>
> Hope it helps.
>
> [1] https://github.com/keycloak/keycloak-documentation/pull/654
>
> On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote:
>
>> Hello,
>>
>> It's the first time writing to the keycloak mailing list (I hope this is the correct one?) so excuse me if I forget to provide some information or any other mistakes ..
>> Sorry for the text wall.
>>
>> Shortly what I try to do (maybe I got something completely wrong):
>> I create a backend (node.js Bearer Only) which shall offer a REST api. Partially it is used via a frontend (keycloak-clients) or directly by some devices.
>> In general I try to create an application with a lot of CRUD. User Management is done in keycloak and I only forward these requests to the admin REST Api. Other stuff like the devices ... I store in a separate database.
>> So the backend is the abstraction layer for frontend and other use-cases.
>>
>> So far so good, but for the beginning it was enough to check whether the request comes from an authenticated person or not, so all handled via keycloak.protect(). The Token from the authenticated person was passed.
>> But now I'd want to offer different authorization levels (can differ due to reasons of multitenancy, which is why I want to solve this via policies and co in the admin-console inside the client configuration) because the normal user shall have access to only some routes and the management shall have full access to the api, but of course don't need the keycloak admin access.
>> So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client itself (using policies, permissions, .. inside the admin-console).
>> (Just in case no one gets what I'm talking about.
>> Fixing [1] should help me fixing my issue I guess)
>>
>> Setup
>> - node.js application using express
>> - registered as single client in keycloak admin-console (confidential, but config inside the code is bearer-only)
>> - Keycloak is running in a docker-container (version 4.5)
>> - all services are running in a docker-compose network and are behind a reverse proxy for common uri
>> - enabled Authorization in client and changed the default policy to Negative to always deny (=> to see if it is enforced)
>>
>> My Problem
>> I don't understand how to use the policies, permissions and Co I created in the admin-console inside the backend itself. How do I enforce that these are used?
>> I tried to check different examples and documentation, but couldn't get it working.
>> The last thing I found was that the entitlement api was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find a documentation of the middleware (keycloak.enforcer({}) [3][4]).
>>
>> My Code
>>
>> *****
>> app.js
>>
>> const express = require('express');
>> const app = express();
>> const Keycloak = require('keycloak-connect');
>> const session = require('express-session');
>> const routes = require('./routes/index');
>>
>> const kcConfig = {
>>     'realm': 'master',
>>     'bearer-only': true,
>>     'auth-server-url': `https://DOMAIN/auth`,
>>     'ssl-required': 'all',
>>     'resource': 'fm-backend',
>>     'credentials': {
>>         secret: 'SOME_SECRET',
>>     },
>>     'confidential-port': 0,
>>     'policy-enforcer': { // tried with and without this, changed nothing
>>         'enforcement-mode': 'ENFORCING',
>>     },
>> };
>>
>> const memoryStore = new session.MemoryStore();
>> const keycloak = new Keycloak({ store: memoryStore }, kcConfig);
>>
>> app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));
>>
>> // used before, worked well for authentication
>> app.use('/api', keycloak.protect(), routes);
>>
>> // now unfortunately I don't understand how to use keycloak.enforcer() middleware
>> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>>
>> module.exports = app;
>>
>> *****
>>
>> [1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application
>> [2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview
>> [3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc
>> [4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>>
>> Any Help is appreciated :)
>>
>> With kind regards
>> Lasse
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From hroussel at alphinat.com Wed May 15 14:50:23 2019
From: hroussel at alphinat.com (Harold Roussel)
Date: Wed, 15 May 2019 14:50:23 -0400
Subject: [keycloak-user]
Getting compile errors related to BouncyCastle.
Message-ID: <0eafa470-719c-b77f-6059-0efca09206e5@alphinat.com>

Hello,

I'm trying to compile the project with Maven on the command line. I'm getting errors like the following,

[ERROR] /c:/data/projects/keycloak-master/common/src/main/java/org/keycloak/common/util/OCSPUtils.java:[230,41] no suitable constructor found for Extension(org.bouncycastle.asn1.DERObjectIdentifier,boolean,org.bouncycastle.asn1.DEROctetString)
    constructor org.bouncycastle.asn1.x509.Extension.Extension(org.bouncycastle.asn1.ASN1ObjectIdentifier,org.bouncycastle.asn1.ASN1Boolean,org.bouncycastle.asn1.ASN1OctetString) is not applicable
      (argument mismatch; org.bouncycastle.asn1.DERObjectIdentifier cannot be converted to org.bouncycastle.asn1.ASN1ObjectIdentifier)
    constructor org.bouncycastle.asn1.x509.Extension.Extension(org.bouncycastle.asn1.ASN1ObjectIdentifier,boolean,byte[]) is not applicable
      (argument mismatch; org.bouncycastle.asn1.DERObjectIdentifier cannot be converted to org.bouncycastle.asn1.ASN1ObjectIdentifier)
    constructor org.bouncycastle.asn1.x509.Extension.Extension(org.bouncycastle.asn1.ASN1ObjectIdentifier,boolean,org.bouncycastle.asn1.ASN1OctetString) is not applicable
      (argument mismatch; org.bouncycastle.asn1.DERObjectIdentifier cannot be converted to org.bouncycastle.asn1.ASN1ObjectIdentifier)
[ERROR] /c:/data/projects/keycloak-master/common/src/main/java/org/keycloak/common/util/OCSPUtils.java:[320,72] cannot find symbol
  symbol:   method toASN1Primitive()
  location: class org.bouncycastle.cert.ocsp.RespID

My Maven version is 3.3.9. Using JDK 1.8.0_172. I have the latest source for Keycloak (downloaded this morning).

Any help would be appreciated.

Thanks.

Harold

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

From vegard.vaage at evry.com Thu May 16 02:28:14 2019
From: vegard.vaage at evry.com (Vegard Vaage)
Date: Thu, 16 May 2019 06:28:14 +0000
Subject: [keycloak-user] Status of PolicyProvider SPI for authorization
Message-ID:

Hi!

I have two similar use cases that both would benefit from the policy provider SPI.

In one use case there's an external authorization service with its own database that I'd like to keep, but I'd also like to use Keycloak as a frontend to get a standardized way of performing authorization. One way to achieve this would be to write a custom policy provider SPI that fetches what it needs from the external database.

Similarly there's another datastore that has authorization information in a non-relational database, that I'd also like to be able to use to make authorization decisions.

1. Before I go any further down this path - according to KEYCLOAK-4901 the policy provider SPI is supported now, but I can't find anything in the official docs. Is it (still) supported?

Best regards,
Vegard

From clehingue at gmail.com Thu May 16 05:34:23 2019
From: clehingue at gmail.com (Christophe Lehingue)
Date: Thu, 16 May 2019 11:34:23 +0200
Subject: [keycloak-user] add user.username on email-verification.ftl file ?????
Message-ID:

Hello,

I would like to add the nominative information in the template "themes / base / email / html / email-verification.ftl".

I would like to make the user's name appear, but it does not work.

I do this: I add this tag "$ {(user.username!") " in this file, but nothing appears.

Do you know how I could do it?

Thank you.

==== In FR (translated) ======
Hello,

I would like to add the name information in the template "themes / base / email / html / email-verification.ftl".

I would like to make the user's name appear, but it does not work.

I do it like this: I add this tag "${(user.username!'')" in this file, but nothing appears.

Do you know how I could do it?

Thank you.
From clehingue at gmail.com Thu May 16 07:48:24 2019
From: clehingue at gmail.com (Christophe Lehingue)
Date: Thu, 16 May 2019 13:48:24 +0200
Subject: [keycloak-user] How to change subject of mail
Message-ID:

Hello,

For customization "themes / base / email / html / email-verification.ftl".

When sending the email to the user concerned: I would like to change the title / subject of the email.

Do you know how I could do it?

Thank you.

From psilva at redhat.com Thu May 16 08:39:44 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 16 May 2019 09:39:44 -0300
Subject: [keycloak-user] Status of PolicyProvider SPI for authorization
In-Reply-To:
References:
Message-ID:

Hi Vegard,

Community wise, you are free to use it. As you noticed we are missing docs and examples about how to use it. We have quite a few examples in Keycloak codebase that you can use as a guideline to implement your own policy provider. I can also help you with this implementation and update docs accordingly. We can discuss more here https://issues.jboss.org/browse/KEYCLOAK-9254.

Regards.
Pedro Igor

On Thu, May 16, 2019 at 3:30 AM Vegard Vaage wrote:
> Hi!
>
> I have two similar use cases that both would benefit from the policy provider SPI.
>
> In one use case there's an external authorization service with its own database that I'd like to keep, but I'd also like to use Keycloak as a frontend to get a standardized way of performing authorization. One way to achieve this would be to write a custom policy provider SPI that fetches what it needs from the external database.
>
> Similarly there's another datastore that has authorization information in a non-relational database, that I'd also like to be able to use to make authorization decisions.
>
> 1. Before I go any further down this path - according to KEYCLOAK-4901 <https://issues.jboss.org/browse/KEYCLOAK-4901> the policy provider SPI is supported now, but I can't find anything in the official docs.
> Is it (still) supported?
>
> Best regards,
> Vegard
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From luke at code-house.org Thu May 16 08:49:34 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Thu, 16 May 2019 14:49:34 +0200
Subject: [keycloak-user] add user.username on email-verification.ftl file ?????
In-Reply-To:
References:
Message-ID:

Not sure if you did it by mistake, but the proper variable reference in a freemarker template is ${varX}, in your case ${user.username}.

Two places which are involved in processing the email you are looking for:
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailTemplateProvider.java#L167
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/email/freemarker/beans/ProfileBean.java#L54

Kind regards,
Łukasz
--
Code-House
http://code-house.org

On 16.05.2019 11:34, Christophe Lehingue wrote:
> Hello,
>
> I would like to add the nominative information in the template "themes / base / email / html / email-verification.ftl".
>
> I would like to make the user's name appear, but it does not work.
>
> I do this: I add this tag "$ {(user.username!") " in this file, but nothing appears.
>
> Do you know how I could do it?
>
> Thank you.
>
> ==== In FR (translated) ======
> Hello,
>
> I would like to add the name information in the template "themes / base / email / html / email-verification.ftl".
>
> I would like to make the user's name appear, but it does not work.
>
> I do it like this: I add this tag "${(user.username!'')" in this file, but nothing appears.
>
> Do you know how I could do it?
>
> Thank you.
From luke at code-house.org Thu May 16 08:50:22 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Thu, 16 May 2019 14:50:22 +0200
Subject: [keycloak-user] How to change subject of mail
In-Reply-To:
References:
Message-ID:

You need to create your own mail theme and attach it to the realm. The theme must have its own messages_en.properties with the following keys:
- emailVerificationSubject
- identityProviderLinkSubject
- passwordResetSubject
- executeActionsSubject
- eventLoginErrorSubject
- eventRemoveTotpSubject
- eventUpdateTotpSubject

Each of these also has a "Body" and "BodyHtml" variant (i.e. passwordResetBody, passwordResetBodyHtml) which determine the mail contents.

See more here: https://github.com/keycloak/keycloak/blob/4.8.3.Final/themes/src/main/resources/theme/base/email/messages/messages_en.properties

Cheers,
Łukasz

--
Code-House
http://code-house.org

On 16.05.2019 13:48, Christophe Lehingue wrote:
From stuarta at squashedfrog.net Thu May 16 09:22:07 2019
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Thu, 16 May 2019 14:22:07 +0100
Subject: [keycloak-user] Keycloak 6.0.1 released
In-Reply-To:
References:
Message-ID: <16362775-fdfb-f10f-83e9-3e706523409a@squashedfrog.net>

On 25/04/2019 08:27, Stian Thorgersen wrote:
> https://www.keycloak.org/2019/04/keycloak-601-released.html

Is there any particular reason that the latest tag at quay.io/keycloak/keycloak points to a container with 5.0.0 in it, and not 6.0.x???

Regards
Stuart

From bob.skd at googlemail.com Thu May 16 09:56:58 2019
From: bob.skd at googlemail.com (bob sheknowdas)
Date: Thu, 16 May 2019 15:56:58 +0200
Subject: [keycloak-user] OIDC-IDP: dont want username to equal email
Message-ID:

Hi,

I've written a custom OIDC-Provider and connected it to Keycloak.
After the first login via my provider, the user gets asked to enter a username, email, first name and last name.
When sending no 'email' claim, the username is prefilled with what is in the 'sub' claim.
But when sending an 'email' claim, the username is prefilled with the email.

How can I prefill the username with something else than my email, while also sending an 'email' claim?

So far I've tried sending a 'name', a 'username' and a 'preferred_username' claim - no success.
I figured out that the IdpReviewProfileAuthenticator checks for isRegistrationEmailAsUsername(). So I've deactivated "Login with email" in my realm settings - no success.

Is there any way for Keycloak to not use the 'email' claim for the username?
Best
Bob

From sthorger at redhat.com Thu May 16 10:11:36 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 16 May 2019 16:11:36 +0200
Subject: [keycloak-user] Keycloak 6.0.1 released
In-Reply-To: <16362775-fdfb-f10f-83e9-3e706523409a@squashedfrog.net>
References: <16362775-fdfb-f10f-83e9-3e706523409a@squashedfrog.net>
Message-ID:

Not sure. It was pointing to 6.0.1, but has changed somehow. Will look into it.

On Thu, 16 May 2019 at 15:46, Stuart Auchterlonie wrote:

From sthorger at redhat.com Thu May 16 10:48:44 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 16 May 2019 16:48:44 +0200
Subject: [keycloak-user] Keycloak 6.0.1 released
In-Reply-To:
References: <16362775-fdfb-f10f-83e9-3e706523409a@squashedfrog.net>
Message-ID:

Fixed now

On Thu, 16 May 2019 at 16:11, Stian Thorgersen wrote:
From kkcmadhu at yahoo.com Thu May 16 11:13:31 2019
From: kkcmadhu at yahoo.com (Madhu)
Date: Thu, 16 May 2019 15:13:31 +0000 (UTC)
Subject: [keycloak-user] enabling token exchange between multiple realms
References: <948994960.1552829.1558019611296.ref@mail.yahoo.com>
Message-ID: <948994960.1552829.1558019611296@mail.yahoo.com>

Hi,

I have a weird use case where I am running 3 different Keycloak instances. I have a common set of users in all the 3 instances, and I want a token minted from one Keycloak instance to be honored in another, i.e. if I log in to Keycloak 1 and get a bearer token, I want this token to be valid in Keycloak 2 and Keycloak 3. Is there a way to achieve this? I referred to the token exchange links (internal to external), but what I am not sure about is how I should invoke the 2nd Keycloak instance (should a bearer token alone be sufficient, or do I need to pass additional parameters in the POST?). I generally use the KeycloakRestTemplate for any invocation; will KeycloakRestTemplate be able to handle token exchange cases as well?

Regards
Madhu

From bruno at abstractj.org Thu May 16 14:05:14 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 16 May 2019 15:05:14 -0300
Subject: [keycloak-user] Getting compile errors related to BouncyCastle.
In-Reply-To: <0eafa470-719c-b77f-6059-0efca09206e5@alphinat.com>
References: <0eafa470-719c-b77f-6059-0efca09206e5@alphinat.com>
Message-ID: <20190516180513.GA16068@abstractj.org>

Hi Harold, could you please describe your environment setup like: Maven version, JDK version... and also what exactly you did to compile the project?

On 2019-05-15, Harold Roussel wrote:
> Hello,
>
> I'm trying to compile the project with Maven on the command line.
>
> I'm getting errors like the following,
>
> [ERROR] /c:/data/projects/keycloak-master/common/src/main/java/org/keycloak/common/util/OCSPUtils.java:[230,41] no suitable constructor found for Extension(org.bouncycastle.asn1.DERObjectIdentifier,boolean,org.bouncycastle.asn1.DEROctetString)
>     constructor org.bouncycastle.asn1.x509.Extension.Extension(org.bouncycastle.asn1.ASN1ObjectIdentifier,org.bouncycastle.asn1.ASN1Boolean,org.bouncycastle.asn1.ASN1OctetString) is not applicable
>       (argument mismatch; org.bouncycastle.asn1.DERObjectIdentifier cannot be converted to org.bouncycastle.asn1.ASN1ObjectIdentifier)
>     constructor org.bouncycastle.asn1.x509.Extension.Extension(org.bouncycastle.asn1.ASN1ObjectIdentifier,boolean,byte[]) is not applicable
>       (argument mismatch; org.bouncycastle.asn1.DERObjectIdentifier cannot be converted to org.bouncycastle.asn1.ASN1ObjectIdentifier)
>     constructor org.bouncycastle.asn1.x509.Extension.Extension(org.bouncycastle.asn1.ASN1ObjectIdentifier,boolean,org.bouncycastle.asn1.ASN1OctetString) is not applicable
>       (argument mismatch; org.bouncycastle.asn1.DERObjectIdentifier cannot be converted to org.bouncycastle.asn1.ASN1ObjectIdentifier)
> [ERROR] /c:/data/projects/keycloak-master/common/src/main/java/org/keycloak/common/util/OCSPUtils.java:[320,72] cannot find symbol
>   symbol:   method toASN1Primitive()
>   location: class org.bouncycastle.cert.ocsp.RespID
>
> My Maven version is 3.3.9. Using JDK 1.8.0_172. I have the latest source for Keycloak (downloaded this morning).
>
> Any help would be appreciated.
>
> Thanks.
>
> Harold
>
>
> ---
> This e-mail has been checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus

--
abstractj

From guido_99 at gmx.de Thu May 16 15:06:30 2019
From: guido_99 at gmx.de (Guido Wimmel)
Date: Thu, 16 May 2019 21:06:30 +0200
Subject: [keycloak-user] Show Username in Admin Events / Login Events
In-Reply-To:
References: <339f02c8-c80f-4434-323f-f14be4f4c48d@gmx.de> <5de83ea9-9227-106f-50af-e0176b1aa492@gmx.de>
Message-ID: <7f7b09d5-eb10-3203-b6f0-e48b5cade574@gmx.de>

Hi Huw,

thank you very much for the helpful advice. The event listener would be able to get the real user names - but probably the Admin Console would have to be extended somehow to make the user names appear in the Admin Events view?

BTW, the solution for the second question (seeing which roles were added/removed) is simple - just turning on "Include Representation". Sorry for overlooking this.

Best regards,
Guido

On 13.05.19 at 20:07, Huw McNamara wrote:
> Hi Guido,
>
> One possible way you could achieve what you want is to implement a custom event listener. See https://github.com/zekidkiller/keycloak/tree/master/examples/providers/event-listener-sysout for an example.
>
> Then using a combination of the API https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_users_resource and/or Keycloak classes https://www.keycloak.org/docs-api/6.0/javadocs/org/keycloak/storage/user/UserLookupProvider.html#getUserById-java.lang.String-org.keycloak.models.RealmModel- you should be able to get real values for IDs.
>
> The easiest way might be the API as it is very frequently a 1-1 mapping for any resource path (given in the event details).
>
> Kind regards,
> Huw
>
> ------------------------------------------------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org on behalf of Guido Wimmel
> *Sent:* 08 May 2019 20:04
> *To:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Show Username in Admin Events / Login Events
>
> Hi,
>
> does anyone possibly have similar concerns / a workaround? The Admin Events View in the Administration Console is of limited use for our Keycloak admins if they have to look up the usernames of the concerned users.
>
> In addition, it seems that the Admin Events do not contain information on which role(s) were assigned to / removed from a user - I can only see a general update of the client-role-mapping.
> Is this true? Is there a way to extend the Admin Events such that it is possible to see which role(s) were added/removed?
>
> Thanks in advance, best regards,
> Guido
>
> On 06.04.19 10:39 Guido Wimmel wrote:
> > Hi,
> >
> > in the Admin Events / Login Events - View in the Administration Console in Keycloak, I can see e.g. if users logged in or were assigned to a role.
> > However, the users are only referenced by their id.
> >
> > I can determine the username by constructing an URL (e.g. .../realms//users/ ) and navigating to it.
> >
> > Is there an easier way?
> >
> > Best regards,
> > Guido
> >

From farzad.panahi at gmail.com Thu May 16 19:39:46 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Thu, 16 May 2019 16:39:46 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices
Message-ID:

Hi,

I am very new to Keycloak.
I have a RESTful API implemented with the json:api spec which I want to secure using Keycloak.

I just want to ask the Keycloak community for best practices when it comes to securing RESTful APIs.

My endpoints will be something like:
GET /api/books --> return all books the user has access for
GET /api/books/123 --> return book with id = 123

My challenge now is to figure out how to define resources in Keycloak. Should I add all my books as resources to Keycloak? And then define the permission between each user and resource?

What would be the best practice to implement "GET /api/books" to return only the books the logged in user has access to? Should I query the Keycloak API to get all the resources the logged in user has access to, in the backend?

Thanks

Farzad

From bruno at abstractj.org Thu May 16 20:06:19 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 16 May 2019 21:06:19 -0300
Subject: [keycloak-user] Securing RESTful API Best Practices
In-Reply-To:
References:
Message-ID:

Hi Farzad, have you tried one of our quickstarts[1]? I believe they may be helpful.

[1] - https://github.com/keycloak/keycloak-quickstarts

On Thu, May 16, 2019, 8:40 PM Farzad Panahi wrote:
From farzad.panahi at gmail.com Thu May 16 20:32:34 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Thu, 16 May 2019 17:32:34 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices
In-Reply-To:
References:
Message-ID:

Tnx Bruno. I looked into the REST examples. They are good examples but they are simple. I am looking for best practices for a bit more sophisticated scenario where each user has a dynamic set of resources associated with it. What would be the best practices to do this sort of mapping in Keycloak? To add every individual resource into Keycloak and define individual permissions?

On Thu, May 16, 2019 at 5:06 PM Bruno Oliveira wrote:
From lrozenblyum at gmail.com Fri May 17 03:46:50 2019
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 17 May 2019 10:46:50 +0300
Subject: [keycloak-user] Single Logout in Identity brokering mode
Message-ID:

Hello!

I'm working on Single Logout in Identity broker mode.
App -> Keycloak (OpenIdConnect)
Keycloak -> 3rd party (SAML)

The documentation for Keycloak states that there are 2 ways to execute logout.
1) HttpServletRequest.logout().
2) redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri

If I execute 2) it indeed causes Keycloak to send a SAML Logout request to the 3rd party IdP.
However if I execute 1) the SAML logout request is not sent, thus the 3rd party session is still valid. (I see that by enabling trace logging in Keycloak and by the fact that the user is still logged in.)

Is it something by design/misconfiguration on my side or a bug?

From tdudgeon.ml at gmail.com Fri May 17 06:54:49 2019
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Fri, 17 May 2019 11:54:49 +0100
Subject: [keycloak-user] LinkedIn identity provider no longer working
Message-ID: <42d68278-aed6-d3c0-a9e6-b6b8e6f961db@gmail.com>

Since May 1 the v1.0 OIDC API at LinkedIn is no longer available. This was handled in this issue [1] and associated PR [2] where the v2.0 API at LinkedIn was used instead. From the timing of the merge it looks like this would first have appeared in Keycloak version 4.0.0.

For people still running older versions of Keycloak are there any ways of using the v2.0 API at LinkedIn or is that IdP essentially broken forever?
[1] https://issues.jboss.org/browse/KEYCLOAK-6849
[2] https://github.com/keycloak/keycloak/pull/5125

From ece8537 at upnet.gr Fri May 17 09:09:12 2019
From: ece8537 at upnet.gr (Konstantinos Schoinas)
Date: Fri, 17 May 2019 16:09:12 +0300
Subject: [keycloak-user] join
Message-ID:

From ece8537 at upnet.gr Fri May 17 09:10:49 2019
From: ece8537 at upnet.gr (Konstantinos Schoinas)
Date: Fri, 17 May 2019 16:10:49 +0300
Subject: [keycloak-user] Fwd: Keycloak_Refresh_Token
In-Reply-To:
References: <307a1a3adddb6632ef505324f16f8efd@upnet.gr>
Message-ID: <81fbe22a73484a951fdf42475b3af566@upnet.gr>

Hi there,

I have a setup where I use a Node.js application and the keycloak-connect NPM module in order to align it with the Keycloak single sign-on flow.

Everything is working fine except for one thing. When my refresh token is expired and I am trying to access a resource in the application that is protected by keycloak.protect(), I am getting a redirect to the Keycloak page (a flow that I find correct) and my user is automatically getting re-logged in without posting any credentials. I don't know if that behavior is right.

My Keycloak Realm-Settings on the Token tab are:
Revoke Refresh Token --> Off
SSO Session Idle --> 2 minutes
SSO Session Max --> 4 minutes
Access Token Lifespan --> 1 minute

I also noticed this type of behavior on the nodejs-example that keycloak-connect provides, so I believe that there isn't something wrong with my application. Also I put some logs inside the keycloak middleware to make sure that the refresh token is expired, by going to the relevant function, and made sure that the refresh is expired.

In addition, this is happening of course when the 2 minutes have passed and I am trying to do a request. The refresh token is definitely getting expired there, but still Keycloak seems to get me logged in again and NOT redirect me to the login page.
Thanks in advance for the help,
Konstantinos

From psilva at redhat.com Fri May 17 09:50:54 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 May 2019 10:50:54 -0300
Subject: [keycloak-user] Securing RESTful API Best Practices
In-Reply-To:
References:
Message-ID:

Hi Farzad,

How do you check if a user has access to a book? Is the user the book owner or do you have more conditions that should be taken into account to grant access to books?

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#examples

On Thu, May 16, 2019 at 8:42 PM Farzad Panahi wrote:

From farzad.panahi at gmail.com Fri May 17 12:41:40 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Fri, 17 May 2019 09:41:40 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices
In-Reply-To:
References:
Message-ID:

Hi Pedro,

The user is not the book owner.
You can think about it this way: if B is the set of all books then each user has access to a subset of B such that these subsets are not mutually exclusive and do overlap.

On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, wrote:
From orivat at janua.fr Fri May 17 12:55:23 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Fri, 17 May 2019 18:55:23 +0200
Subject: [keycloak-user] app-authz-rest-employee example generates error during mvn spring-boot:run
Message-ID:

Hi,

I am trying to bring up the app-authz-rest-employee example, but it is failing when trying to launch mvn spring-boot:run
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee

1) Keycloak is started with
cd {KEYCLOAK_HOME}/bin
./standalone.sh -Djboss.socket.binding.port-offset=100

2) WildFly is started with
sh standalone.sh (port 8080)

3) launching maven
mvn spring-boot:run

I obtain the following errors

    at java.lang.Thread.run (Thread.java:745)
Caused by: org.springframework.boot.web.embedded.tomcat.ConnectorStartFailedException: Connector configured to listen on port 8080 failed to start
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.checkThatConnectorsHaveStarted (TomcatWebServer.java:228)
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) on project app-authz-rest-employee: An exception occurred while running. null: InvocationTargetException: Connector configured to listen on port 8080 failed to start -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) on project app-authz-rest-employee: An exception occurred while running. null
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (Lifecyc

What do you think about it? Did I make a mistake following the README file of the example?

Regards,

Olivier

=============================================================================================================================
Full stack trace

mvn spring-boot:run
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.keycloak.quickstarts:app-authz-rest-employee:jar:6.0.1
[WARNING] 'build.plugins.plugin.version' for org.springframework.boot:spring-boot-maven-plugin is missing. @ org.keycloak.quickstarts:app-authz-rest-employee:[unknown-version], /home/orivat/dev/keycloak_6.01/keycloak-quickstarts-latest/app-authz-rest-employee/pom.xml, line 106, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] ----------< org.keycloak.quickstarts:app-authz-rest-employee >----------
[INFO] Building Spring Boot Web Keycloak Authorization Services Sample 6.0.1
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] >>> spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) > test-compile @ app-authz-rest-employee >>>
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ app-authz-rest-employee ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1 resource
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ app-authz-rest-employee ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ app-authz-rest-employee ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 2 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ app-authz-rest-employee ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] <<< spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) < test-compile @ app-authz-rest-employee <<<
[INFO]
[INFO]
[INFO] --- spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) @ app-authz-rest-employee ---
[WARNING] java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.springframework.boot.maven.AbstractRunMojo$LaunchRunner.run (AbstractRunMojo.java:558)
    at java.lang.Thread.run (Thread.java:745)
Caused by: org.springframework.boot.web.embedded.tomcat.ConnectorStartFailedException: Connector configured to listen on port 8080 failed to start
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.checkThatConnectorsHaveStarted (TomcatWebServer.java:228)
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start (TomcatWebServer.java:203)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer (ServletWebServerApplicationContext.java:300)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh (ServletWebServerApplicationContext.java:162)
    at org.springframework.context.support.AbstractApplicationContext.refresh (AbstractApplicationContext.java:553)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh (ServletWebServerApplicationContext.java:140)
    at org.springframework.boot.SpringApplication.refresh (SpringApplication.java:759)
    at org.springframework.boot.SpringApplication.refreshContext (SpringApplication.java:395)
    at org.springframework.boot.SpringApplication.run (SpringApplication.java:327)
    at org.springframework.boot.SpringApplication.run (SpringApplication.java:1255)
    at org.springframework.boot.SpringApplication.run (SpringApplication.java:1243)
    at org.keycloak.quickstart.springboot.MyApplication.main (MyApplication.java:31)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.springframework.boot.maven.AbstractRunMojo$LaunchRunner.run (AbstractRunMojo.java:558)
    at java.lang.Thread.run (Thread.java:745)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.711 s
[INFO] Finished at: 2019-05-17T18:53:20+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) on project app-authz-rest-employee: An exception occurred while running. null: InvocationTargetException: Connector configured to listen on port 8080 failed to start -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From joel at spotx.tv Fri May 17 13:24:56 2019
From: joel at spotx.tv (Joel DuBien)
Date: Fri, 17 May 2019 11:24:56 -0600
Subject: [keycloak-user] Keycloak 5.0.0 SAML ID Brokering Provider User ID Problems
Message-ID:

Hello,

I'm investigating using Keycloak as an Identity Broker to connect to some SAML IdPs. I'm running into a problem where the SAML IdP is returning a response to Keycloak that somehow contains a unique Provider User ID and Provider Username with each login, even when the same identity logs in multiple times. This results in a duplicate key error for Keycloak, since Keycloak expects a single identity to have a single Provider User ID, not a new one with each login.

I'm using Keycloak 5.0.0.

This is an example of the Provider User ID and the Provider Username that Keycloak is seeing from the SAML response:
_0663be72e9e02b5d40f320b3a42ec757d6b842539f

I have verified that my SAML response is using a NameID Policy Format of "Persistent", and that the NameID returned by the SAML response is based on a consistent ID that wouldn't change for the same account.

Does anyone have experience with this? I'm at a loss as to how to proceed to get this integration working correctly.

TYIA for your help!

-Joel

From ahmadzadehasl at outlook.com Fri May 17 13:34:11 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Fri, 17 May 2019 17:34:11 +0000
Subject: [keycloak-user] HttpStatus 200 returned for unauthorized users
In-Reply-To:
References:
Message-ID:

Hi Dears

So, there was no way to do this?
From: Ali Ahmadzadeh Asl
Sent: Tuesday, May 14, 3:07 PM
Subject: [keycloak-user] HttpStatus 200 returned for unauthorized users
To: keycloak-user at lists.jboss.org

Hi Dears

I'm using Keycloak 6.0.0 with SpringBoot. My java application serves both a web application and web services. The config is like this:

keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
keycloak.enable-basic-auth=true
keycloak.autodetect-bearer-only=true
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.credentials.secret=f3776b88-26c7-44fa-83ec-67cb72fa3111
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*

Assume that '/rest/get-time' is a REST service served by my server for getting current date and time. When I get this address with 'Accept: application/json' header using tools like Postman, the server returns HttpStatus 200 with empty body. When I send the same request without any header, the server returns HttpStatus 200 and HTML body of Keycloak login page.

How can I config Keycloak for returning HttpStatus 401 in the response of unauthorized REST or SOAP requests?

Best Regards
Ali Ahmadzadeh Asl

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri May 17 14:45:34 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 May 2019 15:45:34 -0300
Subject: [keycloak-user] Securing RESTful API Best Practices
In-Reply-To:
References:
Message-ID:

Sorry, but it is still not clear to me how a "user has access to a subset of B". Is this access based on roles, groups or any other information that you gather from the context?
I'm wondering if this is not a business rule instead ....

On Fri, May 17, 2019 at 1:42 PM Farzad Panahi wrote:

> Hi Pedro,
>
> The user is not the book owner. You can think about it this way that if B is the set of all books then each user has access to a subset of B such that these subsets are not mutually exclusive and do overlap.
>
> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, wrote:
>
>> Hi Farzad,
>>
>> How do you check if a user has access to a book ? Is the user the book owner or you have more conditions that should be taken into account to grant access to books ?
>>
>> [1]
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>
>>
>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi wrote:
>>
>>> Hi,
>>>
>>> I am very new to Keycloak. I have a RESTful API implemented with json:api spec which I want to secure using Keycloak.
>>>
>>> I just want to ask the Keycloak community for best practices when it comes to securing RESTful APIs.
>>>
>>> My endpoints will be something like:
>>> GET /api/books --> return all books the user has access for
>>> GET /api/books/123 --> return book with id = 123
>>>
>>> My challenge now is to figure out how to define resources in Keycloak. Should I add all my books as resources to Keycloak? And then define the permission between each user and resource?
>>>
>>> What would be the best practice to implement "GET /api/books" to return only the books the logged in user has access to? Should I query the Keycloak API to get all the resources the logged in user has access to, in the backend?
>>>
>>> Thanks
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From huwmcnamara at msn.com Fri May 17 15:17:55 2019
From: huwmcnamara at msn.com (Huw McNamara)
Date: Fri, 17 May 2019 19:17:55 +0000
Subject: [keycloak-user] Show Username in Admin Events / Login Events
In-Reply-To: <7f7b09d5-eb10-3203-b6f0-e48b5cade574@gmx.de>
References: <339f02c8-c80f-4434-323f-f14be4f4c48d@gmx.de> <5de83ea9-9227-106f-50af-e0176b1aa492@gmx.de>, <7f7b09d5-eb10-3203-b6f0-e48b5cade574@gmx.de>
Message-ID:

Hi Guido,

Apologies, I misread your question. I answered from the perspective of outputting the information to an external logging system. As far as extending the admin console goes, I do not know if that is possible. Hopefully, someone else on the mailing list can help.

Glad you got an answer to your second question.

Kind regards,
Huw

________________________________
From: Guido Wimmel
Sent: 16 May 2019 20:06
To: Huw McNamara; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Show Username in Admin Events / Login Events

Hi Huw,

thank you very much for the helpful advice. The event listener would be able to get the real user names - but probably the Admin Console would have to be extended somehow to make the user names appear in the Admin Events view?

BTW, the solution for the second question (seeing which roles were added/removed) is simple - just turning on "Include Representation". Sorry for overlooking this.

Best regards,
Guido

On 13.05.19 at 20:07 Huw McNamara wrote:

Hi Guido,

One possible way you could achieve what you want is to implement a custom event listener. See https://github.com/zekidkiller/keycloak/tree/master/examples/providers/event-listener-sysout for an example.
Then using a combination of the API https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_users_resource and/or Keycloak classes https://www.keycloak.org/docs-api/6.0/javadocs/org/keycloak/storage/user/UserLookupProvider.html#getUserById-java.lang.String-org.keycloak.models.RealmModel- you should be able to get real values for IDs. The easiest way might be the API as it is very frequently a 1-1 mapping for any resource path (given in the event details).

Kind regards,
Huw

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Guido Wimmel
Sent: 08 May 2019 20:04
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Show Username in Admin Events / Login Events

Hi,

does anyone possibly have similar concerns / a workaround? The Admin Events View in the Administration Console is of limited use for our Keycloak admins if they have to look up the usernames of the concerned users.

In addition, it seems that the Admin Events do not contain information on which role(s) were assigned to / removed from a user - I can only see a general update of the client-role-mapping. Is this true? Is there a way to extend the Admin Events such that it is possible to see which role(s) were added/removed?

Thanks in advance, best regards,
Guido

On 06.04.19 10:39 Guido Wimmel wrote:
> Hi,
>
> in the Admin Events / Login Events - View in the Administration Console in Keycloak, I can see e.g. if users logged in or were assigned to a role. However, the users are only referenced by their id.
>
> I can determine the username by constructing an URL (e.g. .../realms//users/ ) and navigating to it.
>
> Is there an easier way?
>
> Best regards,
> Guido
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Fri May 17 16:10:15 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 17 May 2019 17:10:15 -0300
Subject: [keycloak-user] app-authz-rest-employee example generates error during mvn spring-boot:run
In-Reply-To:
References:
Message-ID: <20190517201015.GA14937@abstractj.org>

Looking at the steps you provided, to me it looks like you're starting WildFly and Spring Boot on the same port (8080). Try to change the WildFly port or Spring Boot and see if it works.

On 2019-05-17, Olivier Rivat wrote:
>
>
> Hi,
>
> I am trying to bring the app-authz-rest-employee example, but is failing when trying to launch mvn spring-boot:run
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee
>
>
> 1) keycloak is started with
>
> cd {KEYCLOAK_HOME}/bin
> ./standalone.sh -Djboss.socket.binding.port-offset=100
>
> 2) wildfly is started with
> sh standalone.sh (port 8080)
>
>
> 3) launching maven
> mvn spring-boot:run
>
> I obtain following errors
>
>     at java.lang.Thread.run (Thread.java:745)
> Caused by: org.springframework.boot.web.embedded.tomcat.ConnectorStartFailedException: Connector configured to listen on port 8080 failed to start
>     at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.checkThatConnectorsHaveStarted (TomcatWebServer.java:228)
>
>
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) on project app-authz-rest-employee: An exception occurred while running.
> null: InvocationTargetException: Connector configured to listen on port 8080 failed to start -> [Help 1]
> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) on project app-authz-rest-employee: An exception occurred while running. null
>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (Lifecyc
>
>
> What do you think about it ? Did I mistake following README file of example ?
>
>
>
> Regards,
>
> Olivier
>
> =============================================================================================================================
>
> Full stack trace
>
> mvn spring-boot:run
> [INFO] Scanning for projects...
> [WARNING]
> [WARNING] Some problems were encountered while building the effective model for org.keycloak.quickstarts:app-authz-rest-employee:jar:6.0.1
> [WARNING] 'build.plugins.plugin.version' for org.springframework.boot:spring-boot-maven-plugin is missing. @ org.keycloak.quickstarts:app-authz-rest-employee:[unknown-version], /home/orivat/dev/keycloak_6.01/keycloak-quickstarts-latest/app-authz-rest-employee/pom.xml, line 106, column 21
> [WARNING]
> [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
> [WARNING]
> [WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
> [WARNING]
> [INFO]
> [INFO] ----------< org.keycloak.quickstarts:app-authz-rest-employee >----------
> [INFO] Building Spring Boot Web Keycloak Authorization Services Sample 6.0.1
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] >>> spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) > test-compile @ app-authz-rest-employee >>>
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ app-authz-rest-employee ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] Copying 1 resource
> [INFO]
> [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ app-authz-rest-employee ---
> [INFO] Nothing to compile - all classes are up to date
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ app-authz-rest-employee ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] Copying 2 resources
> [INFO]
> [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ app-authz-rest-employee ---
> [INFO] Nothing to compile - all classes are up to date
> [INFO]
> [INFO] <<< spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) < test-compile @ app-authz-rest-employee <<<
> [INFO]
> [INFO]
> [INFO] --- spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) @ app-authz-rest-employee ---
> [WARNING]
> java.lang.reflect.InvocationTargetException
>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke (Method.java:498)
>     at org.springframework.boot.maven.AbstractRunMojo$LaunchRunner.run (AbstractRunMojo.java:558)
>     at java.lang.Thread.run (Thread.java:745)
> Caused by: org.springframework.boot.web.embedded.tomcat.ConnectorStartFailedException: Connector configured to listen on port 8080 failed to start
>     at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.checkThatConnectorsHaveStarted (TomcatWebServer.java:228)
>     at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start (TomcatWebServer.java:203)
>     at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer (ServletWebServerApplicationContext.java:300)
>     at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh (ServletWebServerApplicationContext.java:162)
>     at org.springframework.context.support.AbstractApplicationContext.refresh (AbstractApplicationContext.java:553)
>     at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh (ServletWebServerApplicationContext.java:140)
>     at org.springframework.boot.SpringApplication.refresh (SpringApplication.java:759)
>     at org.springframework.boot.SpringApplication.refreshContext (SpringApplication.java:395)
>     at org.springframework.boot.SpringApplication.run (SpringApplication.java:327)
>     at org.springframework.boot.SpringApplication.run (SpringApplication.java:1255)
>     at org.springframework.boot.SpringApplication.run (SpringApplication.java:1243)
>     at org.keycloak.quickstart.springboot.MyApplication.main (MyApplication.java:31)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke (Method.java:498)
>     at org.springframework.boot.maven.AbstractRunMojo$LaunchRunner.run (AbstractRunMojo.java:558)
>     at java.lang.Thread.run (Thread.java:745)
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time:  4.711 s
> [INFO] Finished at: 2019-05-17T18:53:20+02:00
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.1.3.RELEASE:run (default-cli) on project app-authz-rest-employee: An exception occurred while running. null: InvocationTargetException: Connector configured to listen on port 8080 failed to start -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please read the following articles:
> [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
>
>
> --
>
> Olivier Rivat
> CTO
> orivat at janua.fr
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From farzad.panahi at gmail.com Fri May 17 16:21:39 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Fri, 17 May 2019 13:21:39 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices
In-Reply-To:
References:
Message-ID:

This is exactly where I want to use Keycloak to set this business rule/mapping. Basically I need to associate each user with a subset of B (books) to which the user has access. This association is not based on roles or groups. It is based on individual users.
That's why I was thinking that the only way I can think of doing this is to add every individual book as a resource in Keycloak and then I have to create a permission for each of them to grant access to any individual user. It would help if Keycloak had a concept like a resource group I guess. Then I could put all those resources in a resource group and grant access to that resource group for an individual user.

Then in order to see which resources each user has access to, I need to query Keycloak somehow (I need to figure out how exactly) and get the resources that user has access to, and return only those resources for that user.

That's what I can think of right now. I am just wondering if there is a better way to do this sort of resource oriented access control where each user has access to a specific set of resources only.

On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva wrote:

> Sorry, but it is still not clear to me how a "user has access to a subset of B". Is this access based on roles, groups or any other information that you gather from the context? I'm wondering if this is not a business rule instead ....
>
> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi wrote:
>
>> Hi Pedro,
>>
>> The user is not the book owner. You can think about it this way that if B is the set of all books then each user has access to a subset of B such that these subsets are not mutually exclusive and do overlap.
>>
>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, wrote:
>>
>>> Hi Farzad,
>>>
>>> How do you check if a user has access to a book ? Is the user the book owner or you have more conditions that should be taken into account to grant access to books ?
>>>
>>> [1]
>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>
>>>
>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi wrote:
>>>
>>>> Hi,
>>>>
>>>> I am very new to Keycloak.
>>>> I have a RESTful API implemented with json:api spec which I want to secure using Keycloak.
>>>>
>>>> I just want to ask the Keycloak community for best practices when it comes to securing RESTful APIs.
>>>>
>>>> My endpoints will be something like:
>>>> GET /api/books --> return all books the user has access for
>>>> GET /api/books/123 --> return book with id = 123
>>>>
>>>> My challenge now is to figure out how to define resources in Keycloak. Should I add all my books as resources to Keycloak? And then define the permission between each user and resource?
>>>>
>>>> What would be the best practice to implement "GET /api/books" to return only the books the logged in user has access to? Should I query the Keycloak API to get all the resources the logged in user has access to, in the backend?
>>>>
>>>> Thanks
>>>>
>>>> Farzad
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>

From bruno at abstractj.org Fri May 17 16:30:05 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 17 May 2019 17:30:05 -0300
Subject: [keycloak-user] Keycloak 4.3 could not use sssd federation after upgrade to Fedora 30
In-Reply-To:
References:
Message-ID: <20190517203005.GB14937@abstractj.org>

Hi Patrick, sssctl user-checks will help you to make sure that everything is working as expected for SSSD. Although, the communication between Keycloak and SSSD happens over DBus and we rely on other packages like described here[1]. Some troubleshooting might be necessary. I'd try dbus-send and pamtester to validate the setup.

Another thing that might be helpful is to isolate the problem. I'd recommend to try Fedora 29 + Keycloak 4.3 and later Fedora 30 + Keycloak 4.3.
[1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd

On 2019-05-12, Patrick Dung wrote:
> Hello,
>
> I was using Fedora 29 with Keycloak, FreeIPA and sssd on the same machine. After upgrading to Fedora 30, all services can start normally but sssd federation is not loaded when Keycloak is started. It is missing from the list for user federation. It only has LDAP and Kerberos authentication to choose from.
>
> On the problem local machine, I can run "sssctl user-checks admin -s keycloak" without problem.
>
> Any help would be appreciated, thanks.
>
> Patrick
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From bruno at abstractj.org Fri May 17 16:34:28 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 17 May 2019 17:34:28 -0300
Subject: [keycloak-user] LDAP User Storage Provider web interface
In-Reply-To:
References: <20190510130147.GC10675@abstractj.org>
Message-ID: <20190517203428.GC14937@abstractj.org>

Hi Ryan, I'm not sure if we have enough bandwidth to implement this, but we would gladly review any contribution. If you would like to jump in, please discuss the implementation details on keycloak-dev and if the others agree, file a Jira.

Thank you.

On 2019-05-10, Ryan Slominski wrote:
> Hi Bruno,
> Sounds like all the buttons should be hidden in the scenario where users are not imported, defined, or even cached in Keycloak at all. They aren't currently and clicking the buttons is undefined in this case (hopefully they just do nothing). Should I create a JIRA for this?
> Ryan
>
> ________________________________
> From: Bruno Oliveira
> Sent: Friday, May 10, 2019 9:01:47 AM
> To: Ryan Slominski
> Cc: keycloak-user
> Subject: Re: [keycloak-user] LDAP User Storage Provider web interface
>
> Please take a look at our documentation:
> https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fserver_development%2Findex.html%23import-implementation-strategy&data=02%7C01%7Cryans%40jlab.org%7Cdf7d703b46c54d2c493c08d6d547ab46%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C1%7C636930901124223180&sdata=2g0UDriht%2BYgeEdXFiT%2B9h0YKt9UfWwobcw%2BxRePxlM%3D&reserved=0.
>
> I believe the item clarifies the "Unlink users":
>
> "If you are moving to Keycloak as your official user store and deprecating the old external store, you can slowly migrate applications to use Keycloak. When all applications have been migrated, unlink the imported user, and retire the old legacy external store."
>
> Regards your other comments. I can be wrong, but I don't believe these buttons will be hidden.
>
> On 2019-05-09, Ryan Slominski wrote:
> > On the admin web interface what do the buttons at the bottom of the LDAP User Storage Provider settings page do? Specifically the buttons:
> >
> > Synchronize changed users
> > Synchronize all users
> > Remove imported
> > Unlink users
> >
> > I don't want Keycloak caching much / anything so I've configured Cache Policy NO_CACHE, Edit Mode READ_ONLY, and Import Users OFF. It seems like these buttons should not be shown with this configuration as it isn't clear they do anything. I'm especially mystified by Unlink users button since I can't find any reference on what the heck that does.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=02%7C01%7Cryans%40jlab.org%7Cdf7d703b46c54d2c493c08d6d547ab46%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C1%7C636930901124223180&sdata=zaMgw4b74aDwQSLoJOr9vlFiai2uxulZRrLaVBldOOI%3D&reserved=0
>
> --
>
> abstractj

--
abstractj

From patdung100 at gmail.com Sat May 18 14:59:31 2019
From: patdung100 at gmail.com (Patrick Dung)
Date: Sun, 19 May 2019 02:59:31 +0800
Subject: [keycloak-user] Keycloak 4.3 could not use sssd federation after upgrade to Fedora 30
In-Reply-To: <20190517203005.GB14937@abstractj.org>
References: <20190517203005.GB14937@abstractj.org>
Message-ID:

Hi Bruno,

When I run dbus-send, it returned the correct group of an IPA user:

$ sudo dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:user1
method return time=1558205517.749921 sender=:1.18 -> destination=:1.50475 serial=8 reply_serial=2
   array [
      string "ipausers"
   ]

It also passed pamtester:

# pamtester keycloak user1 authenticate
Password:
pamtester: successfully authenticated

I had no problem using the sssd federation in keycloak 4.3 with Fedora 29. It only has a problem after I upgraded to Fedora 30. There are no changes for the keycloak 4.3 application server.

Please note the sssd option is missing from the list for user federation. Other options are ldap and kerberos.

Thanks and regards,
Patrick

On Sat, 18 May 2019 at 04:30, Bruno Oliveira wrote:

> Hi Patrick, sssctl user-checks will help you to make sure that everything is working as expected for SSSD. Although, the communication between Keycloak and SSSD happens over DBus and we rely on other packages like described here[1]. Some troubleshooting might be necessary.
> I'd try dbus-send and pamtester to validate the setup.
>
> Another thing that might be helpful is to isolate the problem. I'd recommend to try Fedora 29 + Keycloak 4.3 and later Fedora 30 + Keycloak 4.3.
>
> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>
> On 2019-05-12, Patrick Dung wrote:
> > Hello,
> >
> > I was using Fedora 29 with Keycloak, FreeIPA and sssd on the same machine. After upgrading to Fedora 30, all services can start normally but sssd federation is not loaded when Keycloak is started. It is missing from the list for user federation. It only has LDAP and Kerberos authentication to choose from.
> >
> > On the problem local machine, I can run "sssctl user-checks admin -s keycloak" without problem.
> >
> > Any help would be appreciated, thanks.
> >
> > Patrick
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
>

From mposolda at redhat.com Mon May 20 03:40:52 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 20 May 2019 09:40:52 +0200
Subject: [keycloak-user] LDAP User Storage Provider web interface
In-Reply-To: <20190517203428.GC14937@abstractj.org>
References: <20190510130147.GC10675@abstractj.org> <20190517203428.GC14937@abstractj.org>
Message-ID: <79b6e4f8-84d0-7248-a31e-93291d571a3b@redhat.com>

I agree that probably none of the buttons makes much sense in case that "Import users" is switched to OFF. It will be good to add tooltips to them in the admin console and change UI to hide the 4 buttons with "Import Users" switched to OFF.

Agree with Bruno that it will be nice if you contribute this as we probably won't have time to look at it in near future.

Marek

On 17/05/2019 22:34, Bruno Oliveira wrote:
> Hi Ryan, I'm not sure if we have enough bandwidth to implement this, but we would gladly review any contribution.
> If you would like to jump in, please discuss the implementation details on keycloak-dev and if the others agree, file a Jira.
>
> Thank you.
>
> On 2019-05-10, Ryan Slominski wrote:
>> Hi Bruno,
>> Sounds like all the buttons should be hidden in the scenario where users are not imported, defined, or even cached in Keycloak at all. They aren't currently and clicking the buttons is undefined in this case (hopefully they just do nothing). Should I create a JIRA for this?
>> Ryan
>>
>> ________________________________
>> From: Bruno Oliveira
>> Sent: Friday, May 10, 2019 9:01:47 AM
>> To: Ryan Slominski
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] LDAP User Storage Provider web interface
>>
>> Please take a look at our documentation:
>> https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fserver_development%2Findex.html%23import-implementation-strategy&data=02%7C01%7Cryans%40jlab.org%7Cdf7d703b46c54d2c493c08d6d547ab46%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C1%7C636930901124223180&sdata=2g0UDriht%2BYgeEdXFiT%2B9h0YKt9UfWwobcw%2BxRePxlM%3D&reserved=0.
>>
>> I believe the item clarifies the "Unlink users":
>>
>> "If you are moving to Keycloak as your official user store and deprecating the old external store, you can slowly migrate applications to use Keycloak. When all applications have been migrated, unlink the imported user, and retire the old legacy external store."
>>
>> Regards your other comments. I can be wrong, but I don't believe these buttons will be hidden.
>>
>> On 2019-05-09, Ryan Slominski wrote:
>>> On the admin web interface what do the buttons at the bottom of the LDAP User Storage Provider settings page do? Specifically the buttons:
>>>
>>> Synchronize changed users
>>> Synchronize all users
>>> Remove imported
>>> Unlink users
>>>
>>> I don't want Keycloak caching much / anything so I've configured Cache Policy NO_CACHE, Edit Mode READ_ONLY, and Import Users OFF.
>>> It seems like these buttons should not be shown with this configuration as it isn't clear they do anything. I'm especially mystified by Unlink users button since I can't find any reference on what the heck that does.
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=02%7C01%7Cryans%40jlab.org%7Cdf7d703b46c54d2c493c08d6d547ab46%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C1%7C636930901124223180&sdata=zaMgw4b74aDwQSLoJOr9vlFiai2uxulZRrLaVBldOOI%3D&reserved=0
>> --
>>
>> abstractj

From shiva.prasad.thagadur.prakash at ericsson.com Mon May 20 04:23:35 2019
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Mon, 20 May 2019 08:23:35 +0000
Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades
Message-ID: <1558340615.12963.4.camel@ericsson.com>

Hi Guys,

Does keycloak/Liquibase support multi-hop schema migration?

Thanks & regards,
Shiva

From mohamad.khayat at esis.ae Mon May 20 05:46:46 2019
From: mohamad.khayat at esis.ae (Mohamad KHAYAT)
Date: Mon, 20 May 2019 13:46:46 +0400
Subject: [keycloak-user] help
Message-ID: <75AF973B9D9D984899A02A2DCCD87A904E449841F3@adexchange3.adess.intra>

Hi All,

I am trying to run keycloak quickstart 6.0.1 but it keeps failing. The attached file shows the error I receive when I run "mvn clean wildfly:deploy"

The wildfly version is 16 and I tried different maven versions (3.3.1, 3.3.9, 3.5.4, 3.6.0, 3.6.1) and I am using Centos 7.

Any idea why this is happening?

Please help!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: output.log
Type: application/octet-stream
Size: 26806 bytes
Desc: output.log
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190520/8097b46a/attachment-0001.obj

From mohamad.khayat at esis.ae Mon May 20 06:32:37 2019
From: mohamad.khayat at esis.ae (Mohamad KHAYAT)
Date: Mon, 20 May 2019 14:32:37 +0400
Subject: [keycloak-user] help
Message-ID: <75AF973B9D9D984899A02A2DCCD87A904E449841FB@adexchange3.adess.intra>

Issue resolved. Keycloak.json was missing

Kr.
MK

From: Mohamad KHAYAT
Sent: Monday, May 20, 2019 1:47 PM
To: 'keycloak-user at lists.jboss.org'
Subject: help

Hi All,

I am trying to run keycloak quickstart 6.0.1 but it keeps failing. The attached file shows the error I receive when I run "mvn clean wildfly:deploy"

The wildfly version is 16 and I tried different maven versions (3.3.1, 3.3.9, 3.5.4, 3.6.0, 3.6.1) and I am using Centos 7.

Any idea why this is happening?

Please help!

From srinivas.nangunoori at microfocus.com Mon May 20 07:41:52 2019
From: srinivas.nangunoori at microfocus.com (Srinivas Nangunoori)
Date: Mon, 20 May 2019 11:41:52 +0000
Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final
Message-ID:

Hi experts,

We are planning to upgrade wildfly from 10 to 16. Currently we are using keycloak 2.5.5-final. My question here is,

* Can I still use keycloak 2.5.5 with wildfly 16.0
* If no for first question, what version should I use?

Thanks,
Srini

From ryans at jlab.org Mon May 20 07:45:02 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Mon, 20 May 2019 11:45:02 +0000
Subject: [keycloak-user] LDAP User Storage Provider web interface
In-Reply-To: <79b6e4f8-84d0-7248-a31e-93291d571a3b@redhat.com>
References: <20190510130147.GC10675@abstractj.org> <20190517203428.GC14937@abstractj.org>, <79b6e4f8-84d0-7248-a31e-93291d571a3b@redhat.com>
Message-ID:

Created Jira: https://issues.jboss.org/browse/KEYCLOAK-10325

Can't promise I'll get to it either, but I'll try.
________________________________
From: Marek Posolda
Sent: Monday, May 20, 2019 3:40 AM
To: Bruno Oliveira; Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] LDAP User Storage Provider web interface

I agree that probably none of the buttons makes much sense in case that "Import users" is switched to OFF. It will be good to add tooltips to them in the admin console and change the UI to hide the 4 buttons with "Import Users" switched to OFF.

Agree with Bruno that it will be nice if you contribute this as we probably won't have time to look at it in the near future.

Marek

From vramik at redhat.com Mon May 20 08:02:41 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Mon, 20 May 2019 14:02:41 +0200
Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final
Message-ID: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com>

Hey Srini,

keycloak 2.5.5.Final was tested with Wildfly 10; for WF16 it might work but it's not certain, and it's definitely not supported.

The Wildfly 16 adapter was tested with Keycloak 6.0.0. You may consider upgrading both WF and keycloak.

Regards,
Vlasta

From saloniudani.tech at gmail.com Mon May 20 09:03:31 2019
From: saloniudani.tech at gmail.com (Saloni Udani)
Date: Mon, 20 May 2019 18:33:31 +0530
Subject: [keycloak-user] SAML attribute to Keycloak group mapping

Hi

Is there a way out of the box to map a SAML attribute to a keycloak group in IDP integration with keycloak?
If not then what is the thought process behind that?
Thanks

From bruno at abstractj.org Mon May 20 09:28:12 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 20 May 2019 10:28:12 -0300
Subject: [keycloak-user] help
In-Reply-To: <75AF973B9D9D984899A02A2DCCD87A904E449841F3@adexchange3.adess.intra>
References: <75AF973B9D9D984899A02A2DCCD87A904E449841F3@adexchange3.adess.intra>

I believe your issue is related to the error message below:

[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.2.Final:deploy (default-cli) on project keycloak-quickstart-parent: The plugin org.wildfly.plugins:wildfly-maven-plugin:1.2.2.Final requires Maven version 3.3.1 -> [Help 1]

Try to upgrade your Maven version and see if it works.

--
abstractj

From Soroush.Shirali at flexigroup.com.au Mon May 20 20:57:35 2019
From: Soroush.Shirali at flexigroup.com.au (Soroush Shirali)
Date: Tue, 21 May 2019 00:57:35 +0000
Subject: [keycloak-user] SPI - Verifying user's password in UserStorageProvider

Hi,

I have created a userStorageProvider in keycloak's SPI by implementing several interfaces as follows:

public class MigrationStorageProvider implements UserStorageProvider, CredentialProvider, UserLookupProvider, CredentialInputValidator, CredentialInputUpdater {

But to my surprise the only method which keycloak calls during the login flow is "getUserByUsername()". It does not call the "isValid()" method.
The problem is that I don't have access to the CredentialInput to verify the user's password in "getUserByUsername()".

Does anyone know what I am doing wrong?

Thanks,

Soroush Shirali
Software Developer
[ph] 08 8232 2828
[at] Soroush.Shirali at flexigroup.com.au

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 299 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190521/84bb3d96/attachment-0003.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 758 bytes
Desc: image002.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190521/84bb3d96/attachment-0004.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 12486 bytes
Desc: image003.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190521/84bb3d96/attachment-0005.png

From mohamad.khayat at esis.ae Tue May 21 01:47:32 2019
From: mohamad.khayat at esis.ae (Mohamad KHAYAT)
Date: Tue, 21 May 2019 09:47:32 +0400
Subject: [keycloak-user] help
References: <75AF973B9D9D984899A02A2DCCD87A904E449841F3@adexchange3.adess.intra>
Message-ID: <75AF973B9D9D984899A02A2DCCD87A904E44984203@adexchange3.adess.intra>

Hi Bruno,

Thanks for your reply. The issue was due to a missing keycloak.json file in the config directory. It's working fine now.

Kr.
MK
From shivaprasadtp8 at gmail.com Tue May 21 02:20:20 2019
From: shivaprasadtp8 at gmail.com (Shiva Prasad Thagadur Prakash)
Date: Tue, 21 May 2019 09:20:20 +0300
Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades

Hi Guys,

Does keycloak/Liquibase support multi-hop schema migration?

Thanks & regards,
Shiva

From orivat at janua.fr Tue May 21 02:59:05 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 21 May 2019 08:59:05 +0200
Subject: [keycloak-user] SAML attribute to Keycloak group mapping

Hi,

Yes. It is possible. Just create a SAML mapper, create mappers. You can choose between various types such as attribute importer.

Regards,
Olivier Rivat

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From CEMirabel at psbank.com.ph Tue May 21 04:11:16 2019
From: CEMirabel at psbank.com.ph (Mirabel Christopher E - PSB)
Date: Tue, 21 May 2019 08:11:16 +0000
Subject: [keycloak-user] SAML attribute to Keycloak group mapping
Message-ID: <569e78f1525a4c03aba922a9b1f50543@PSBANKMX2.psbank.local>

Hi Sirs,

Can you please provide me a sample for creating a user via jQuery, React or .NET Core?

Thanks!
Warmest regards,

Christopher E. Mirabel
Systems Analyst | ITD - Systems Development Division II
Philippine Savings Bank
7/F PSBank Center 777 Paseo de Roxas cor. Sedeño St., Makati City, 1226 PH
(632) 885-8208 Local: 1642
cemirabel at psbank.com.ph | www.psbank.com.ph
From sthorger at redhat.com Tue May 21 04:44:03 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 21 May 2019 10:44:03 +0200
Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final
In-Reply-To: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com>
References: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com>

Do NOT use Keycloak 2.5.5, upgrade as soon as possible! There are known CVEs in older versions of Keycloak and unless you upgrade you are vulnerable to these.
From srinivas.nangunoori at microfocus.com Tue May 21 05:27:35 2019
From: srinivas.nangunoori at microfocus.com (Srinivas Nangunoori)
Date: Tue, 21 May 2019 09:27:35 +0000
Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final
References: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com>

Hi Stian and Vlasta,

Thanks for the reply. Do you recommend a specific version of keycloak with wildfly 16.0?

-Srini
From vramik at redhat.com Tue May 21 06:11:12 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Tue, 21 May 2019 12:11:12 +0200
Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final
References: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com>
Message-ID: <371335ab-6c9b-c4b4-ed1d-62bd359d4dfb@redhat.com>

I can recommend the last 6.0.1 release.
From manuel.waltschek at prisma-solutions.at Tue May 21 08:19:27 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Tue, 21 May 2019 12:19:27 +0000
Subject: [keycloak-user] Map single role
Message-ID: <65d0895ea5cb4ee0b5b989ee78cd8f4a@EXMBX24.SFP-Net.skyfillers.local>

Hello KC community,

I am trying to map a specific user role to an attribute mapper in a client scope. Is there a way to filter the role list to only show specific roles to the client?

Regards,

Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 6418 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190521/16be95c4/attachment.png

From ahmadzadehasl at outlook.com Tue May 21 08:53:06 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Tue, 21 May 2019 12:53:06 +0000
Subject: [keycloak-user] Keycloak, SpringBoot, and Swagger-UI

Hi Dears

I have a Spring Boot project which uses the Swagger-UI library for describing and testing REST services. Everything was ok until I added the Keycloak library and settings to my project.
The Keycloak settings are:

keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
keycloak.enable-basic-auth=true
keycloak.autodetect-bearer-only=true
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.credentials.secret=f3776b88-2600-44fa-83ec-67cb72fa0000
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied
keycloak.securityConstraints[0].authRoles[0] = USER
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*

Now, when a logged in user wants to see the Swagger-UI page using a URL like http://127.0.0.1:6060/swagger-ui.html, a message containing the text below and a text box are shown:

"Unable to infer base url. This is common when using dynamic servlet registration or when the API is behind an API Gateway. The base url is the root of where all the swagger resources are served. For e.g. if the api is available at http://example.org/api/v2/api-docs then the base url is http://example.org/api/. Please enter the location manually: "

But the JSON of the services' definitions is accessible from the http://127.0.0.1:6060/v2/api-docs address.

Can anybody help me to solve this problem? What is the reason for this matter? How can I resolve it?

Thanks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SwaggerUIPNG.PNG
Type: image/png
Size: 10729 bytes
Desc: SwaggerUIPNG.PNG
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190521/45acca45/attachment-0001.png

From tsjnsn at gmail.com Tue May 21 08:59:10 2019
From: tsjnsn at gmail.com (Tyler Johnson)
Date: Tue, 21 May 2019 07:59:10 -0500
Subject: [keycloak-user] keycloak-gatekeeper + fine-grained authorization

I'm trying to figure out how to use keycloak-gatekeeper with the fine-grained authorization option in Keycloak.
I set up the authorization and ran an evaluation within the Keycloak UI that correctly gave DENY for user 'test', but when I use that same user to log in through gatekeeper, it says it's permitted and directs me to upstream.

Is there anything I need to enable on the gatekeeper side to have it enforce, or any pointers here?

Thanks,
Tyler

From bruno at abstractj.org Tue May 21 09:15:14 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 21 May 2019 10:15:14 -0300
Subject: [keycloak-user] keycloak-gatekeeper + fine-grained authorization
Message-ID: <20190521131514.GA31816@abstractj.org>

It seems to me that you're trying to use authorization services with Gatekeeper (I can be wrong). If that's the case, unfortunately that's not supported yet. But certainly something that we might consider in the future.

If I guessed it all wrong, please share how you're configuring Gatekeeper.
--
abstractj

From shiva.prasad.thagadur.prakash at ericsson.com Tue May 21 09:38:11 2019
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Tue, 21 May 2019 13:38:11 +0000
Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades
Message-ID: <1558445890.12963.11.camel@ericsson.com>

Hi Guys,

Eagerly waiting for your responses!

Thanks,
Shiva

From tsjnsn at gmail.com Tue May 21 10:08:50 2019
From: tsjnsn at gmail.com (Tyler Johnson)
Date: Tue, 21 May 2019 09:08:50 -0500
Subject: [keycloak-user] keycloak-gatekeeper + fine-grained authorization
In-Reply-To: <20190521131514.GA31816@abstractj.org>
References: <20190521131514.GA31816@abstractj.org>

Yeah, that's exactly what I was trying to do. My goal is to stand up something that sits in front of services and enforces the authorization I defined in Keycloak so I don't have to include any authorization logic or use any keycloak adapters in the services themselves.

It sounds like gatekeeper doesn't have that functionality though. Are there any other options around that?
From sthorger at redhat.com Tue May 21 11:52:39 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 21 May 2019 17:52:39 +0200
Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final
References: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com>

Latest. That'll be the only version actually tested with WF 16.
From aechols at bfcsaz.com Tue May 21 13:14:23 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Tue, 21 May 2019 10:14:23 -0700
Subject: [keycloak-user] LDAP Mapped groups from AD

Hello All,

I've got a group I'd like to sync from AD that is mapped. The group has about 3500 users in it. The group won't sync properly and while it is synced, it is empty in Keycloak. I'm not seeing anything in the Keycloak logs when attempting to sync. Any ideas on what I'm missing? Thanks in advance.
:)

--
Aaron Echols

From Kevin.Fox at pnnl.gov Tue May 21 13:48:17 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Tue, 21 May 2019 17:48:17 +0000
Subject: [keycloak-user] direct access grant + kerberos
Message-ID: <1A3C52DFCD06494D8528644858247BF01C331E1C@EX10MBOX03.pnnl.gov>

Is there a way to get back an id token by doing a direct access grant with kerberos negotiate instead of a password?

Thanks,
Kevin

From farzad.panahi at gmail.com Tue May 21 13:59:47 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Tue, 21 May 2019 10:59:47 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices

Any hint or example project to look at would really help to put me in the right direction.

Should I post this question with a better and more specific title and a more elaborate body to present the question better?

On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi wrote:

> This is exactly where I want to use Keycloak to set this business rule/mapping. Basically I need to associate each user with a subset of B (books) to which the user has access. This association is not based on roles or groups. It is based on individual users.
> That's why I was thinking that the only way I can think of doing this is to add every individual book as a resource in Keycloak and then I have to create a permission for each of them to grant access to any individual user.
> It would help if Keycloak had a concept like a resource group I guess. Then I could put all those resources in a resource group and grant access to that resource group for an individual user.
> Then in order to see which resources each user has access to, I need to query Keycloak somehow (I need to figure out how exactly) and get the resources that user has access to, and return only those resources for that user.
>
> That's what I can think of right now.
> I am just wondering if there is a better way to do this sort of resource oriented access control where each user has access to a specific set of resources only.
>
> On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva wrote:
>
>> Sorry, but it is still not clear to me how a "user has access to a subset of B". Is this access based on roles, groups or any other information that you gather from the context? I'm wondering if this is not a business rule instead ....
>>
>> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi wrote:
>>
>>> Hi Pedro,
>>>
>>> The user is not the book owner. You can think about it this way: if B is the set of all books then each user has access to a subset of B such that these subsets are not mutually exclusive and do overlap.
>>>
>>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva wrote:
>>>
>>>> Hi Farzad,
>>>>
>>>> How do you check if a user has access to a book? Is the user the book owner or do you have more conditions that should be taken into account to grant access to books?
>>>>
>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>>
>>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am very new to Keycloak. I have a RESTful API implemented with the json:api spec which I want to secure using Keycloak.
>>>>>
>>>>> I just want to ask the Keycloak community for best practices when it comes to securing RESTful APIs.
>>>>>
>>>>> My endpoints will be something like:
>>>>> GET /api/books --> return all books the user has access to
>>>>> GET /api/books/123 --> return book with id = 123
>>>>>
>>>>> My challenge now is to figure out how to define resources in Keycloak. Should I add all my books as resources to Keycloak? And then define the permission between each user and resource?
>>>>>
>>>>> What would be the best practice to implement "GET /api/books" to return only the books the logged in user has access to? Should I query the Keycloak API to get all the resources the logged in user has access to, in the backend?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Farzad

From psilva at redhat.com Tue May 21 14:34:49 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 21 May 2019 15:34:49 -0300
Subject: [keycloak-user] Securing RESTful API Best Practices

Hi Farzad,

Sorry for the late reply.

Our authorization model is targeted at enforcing security-related constraints, not business rules. Maybe you could consider Drools/BRMS.

Some time ago we had a discussion about data filtering and how to fetch resources based on policy decisions. If you look at our documentation [1] you'll see that policies can push arbitrary claims back to your application when granting access to a permission. This capability allows you to send a specific claim along with the permission that represents some filter that you can use to query your database. As a result, you'll have within your token something like:

"permissions": [
  {
    "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
    "resource_name": "Book Resource",
    "claims": {"data.filter": ["book.type = 'foo' or book.type = 'bar'"]}
  }
]

We do have a "resource group" concept. Resources can have a type and you can also have a single resource representing a set of one or more "real" resources.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server
> > Should I post this question with a better and more specific title with more > elaborate body to present the question better? > > On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, > wrote: > > > This is exactly where I want to use Keycloak to set this business > > rule/mapping. Basically I need to associate each user with a subset of B > > (books) to which the user has access to. This association is not based on > > roles or groups. It is based on individual users. > > That's why I was thinking that the only way I can think of doing this to > > add every individual book as a resource in Keycloak and then I have to > > create a permission for each of them to grant access to any individual > user. > > It would help if Keycloak had a concept like a resource group I guess. > > Then I could put all those resources in a resource group and grant access > > to that resource group for an individual user. > > Then in order to see which resources each user has access to, I need to > > query Keycloak somehow (I need to figure out how exactly) and get the > > resources that user has access to, and return only those resources for > that > > user. > > > > That's what I can think of right now. I am just wondering if there is a > > better way to do this sort of resource oriented access control where each > > user has access to specific set of resources only. > > > > > > > > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva > > wrote: > > > >> Sorry, but is still not clear to me how a "user has access to a subset > of > >> B" is this access based on roles, groups or any other information that > you > >> gather from the context ? I'm wondering if this is not a business rule > >> instead .... > >> > >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi > >> wrote: > >> > >>> Hi Pedro, > >>> > >>> The user is not the book owner. 
You can think about it this way that if > >>> B is the set of all books then each user has access to a subset of B > such > >>> that these subsets are not mutually exclusive and do overlap. > >>> > >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, > >>> wrote: > >>> > >>>> Hi Farzad, > >>>> > >>>> How do you check if a user has access to a book ? Is the user the book > >>>> owner or you have more conditions that should be taken into account to > >>>> grant access to books ? > >>>> > >>>> [1] > >>>> > https://www.keycloak.org/docs/latest/authorization_services/index.html#examples > >>>> > >>>> > >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi < > farzad.panahi at gmail.com> > >>>> wrote: > >>>> > >>>>> Hi, > >>>>> > >>>>> I am very new to Keycloak. I have a RESTful API implemented with > >>>>> json:api > >>>>> spec which I want to secure using Keycloak. > >>>>> > >>>>> I just want to ask the Keycloak community for best practices when it > >>>>> comes > >>>>> to securing RESTful APIs. > >>>>> > >>>>> My endpoints will be something like: > >>>>> GET /api/books --> return all books the user has access for > >>>>> GET /api/books/123 --> return book with id = 123 > >>>>> > >>>>> My challenge now is to figure out how to define resources in > Keycloak. > >>>>> Should I add all my books as resources to Keycloak? And then define > the > >>>>> permission between each user and resource? > >>>>> > >>>>> What would be the best practice to implement "GET /api/books" to > return > >>>>> only the books the logged in user has access to? Should I query the > >>>>> Keycloak API to get all the resources the logged in user has access > >>>>> to, in > >>>>> the backend? 
> >>>>> > >>>>> Thanks > >>>>> > >>>>> Farzad > >>>>> _______________________________________________ > >>>>> keycloak-user mailing list > >>>>> keycloak-user at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>> > >>>> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From Shweta.Shetty at Teradata.com Tue May 21 14:59:50 2019 From: Shweta.Shetty at Teradata.com (Shetty, Shweta) Date: Tue, 21 May 2019 18:59:50 +0000 Subject: [keycloak-user] LDAP configuration ID info with User information Message-ID:

Is there an easy way to get the information of the LDAP ID on the user with which he/she got authenticated? If we have multiple LDAP scenarios I would like to know the information on the user as in which LDAP they got authenticated. Shweta

From mechanix at live.de Tue May 21 15:30:50 2019 From: mechanix at live.de (Christian Hügel) Date: Tue, 21 May 2019 19:30:50 +0000 Subject: [keycloak-user] keycloak-gatekeeper + fine-grained authorization In-Reply-To: <20190521131514.GA31816@abstractj.org> References: <20190521131514.GA31816@abstractj.org> Message-ID:

> On 21. May 2019, at 15:15, Bruno Oliveira wrote: > > It seems to me that you're trying to use authorization services with > Gatekeeper (I can be wrong). If that's the case, unfortunately that's > not supported yet. But certainly something that we might consider in the > future. That would be great. We've somehow managed to do that with roles and scopes. > > If I guessed it all wrong, please share how you're configuring > Gatekeeper. > > On 2019-05-21, Tyler Johnson wrote: >> I'm trying to figure out how to use keycloak-gatekeeper with the >> fine-grained authorization option in Keycloak.
>> >> I set up the authorization and ran an evaluation within the Keycloak UI >> that correctly gave DENY for user 'test', but when I use that same user to >> log in through gatekeeper, it says it's permitted and directs me to >> upstream. >> >> Is there anything I need to enable on gatekeeper side to have it enforce, >> or any pointers here? >> >> Thanks, >> Tyler >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > > abstractj > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From aechols at bfcsaz.com Tue May 21 16:55:23 2019 From: aechols at bfcsaz.com (Aaron Echols) Date: Tue, 21 May 2019 13:55:23 -0700 Subject: [keycloak-user] Meraki SP In-Reply-To: References: Message-ID: I was able to resolve this by mapping global Roles with the appropriate names to the client scope, disabling full scope and assigning the roles. They match exactly the name as I use them in Meraki. I then created a Role Mapper with Role list type. The Role attribute name is: role, friendly name: Role and used SAML Attribute NameFormat: Basic and enable Single Role Attribute. I'm able to login properly now and the snippet below is what the proper role attribute looks like in SAML: IT I was missing the Name="role" part of the attribute with the User Properties and User Attributes, which broke login. All user roles can now login properly to Meraki with the proper rights. :) -- Aaron Echols On Thu, Apr 25, 2019 at 5:45 PM Aaron Echols wrote: > Hi, > > I just wanted to see if anyone had any other ideas about this. Thanks! :) > -- > Aaron Echols > > On Sun, Apr 21, 2019 at 8:26 PM Aaron Echols wrote: > >> Hello All, >> >> I'm working on adding Meraki as an SP to Keycloak 5.0.0. 
It requires that >> Keycloak be setup for idP initiated SSO, which I've configured. I have >> everything working great, but I'm running into an issue where Keycloak will >> not passthrough a SAML attribute using mappers. >> >> Per the docs here: >> https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard >> >> I need to pass a role attribute through that matches what I've setup as >> the SAML Administrator Roles in Meraki. I've done that and have a role >> setup as IT, Management, etc. >> >> In Active Directory the 'department' attribute is set to the role that is >> needed. I've created the federated mapper 'dept' that is mapped to >> 'department' in AD. Users in Keycloak have that attribute populated >> successfully with the correct data. >> >> In the client for Meraki, I've created a mapper name ' >> https://dashboard.meraki.com/saml/attributes/role' and set the it as a >> 'user property' with a property of 'dept' and a general friendly name and >> then set the 'SAML Attribute Name' to role. >> >> Looking at the SAML login, this never is passed through at all. The only >> way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded >> Attribute' with a 'Attribute Value' of 'IT' with a mapper name of ' >> https://dashboard.meraki.com/saml/attributes/role', it will then login >> successfully to Meraki. There are other groups that will be logging into >> Meraki, otherwise I'd just leave it hardcoded. 
I get below in the SAML >> transaction when hardcoding the attribute: >> >> > FriendlyName="Department" >> Name="role" >> >> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> >> > xmlns:xs="http://www.w3.org/2001/XMLSchema" >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance >> " >> xsi:type="xs:string">IT >> >> >> I've never had this issue of passing other attributes through before, can >> anyone let me know if I'm going about this wrong and if so, what am I >> missing? Thanks :) >> -- >> Aaron Echols >> > From farzad.panahi at gmail.com Tue May 21 17:41:03 2019 From: farzad.panahi at gmail.com (Farzad Panahi) Date: Tue, 21 May 2019 14:41:03 -0700 Subject: [keycloak-user] Securing RESTful API Best Practices In-Reply-To: References: Message-ID: Thanks Pedro. I really appreciate your reply. I think arbitrary claims are what I need to pass the filtering required to the backend (if I can generate those claims). Also resource types look interesting. I think as you said I can use that to group my resources. These two should solve my problems at hand. That would be also great if you could elaborate on what you meant by "security constraints" vs "business rules". I just want to have a better understanding of Keycloak. My understanding is that Keycloak is an identity and "access management" system. And when it comes to "access management" my understanding is that it means "who" has "what" access to "which" resource under "what conditions". If this definition is true, wouldn't "who has access to which resources" be a security constraint under Keycloak's authorization model? 
As you said I might need to look into other solutions but before I do that I want to make sure I really cannot do what I want to do with Keycloak and I really cannot implement my requirements under Keycloak's authorization model, since I have already happily invested lots of time on Keycloak :) On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva wrote: > Hi Farzad, > > Sorry for the late reply. > > Our authorization model is targeted for enforcing security-related > constraints, not business rules. Maybe you could consider Drools/BRMS. > > Some time ago we had a discussion about data filtering and how to fetch > resources based on policy decisions. If you look at our documentation [1] > you'll see that policies can push arbitrary claims back to your application > when granting access to a permission. This capability allows you to send a > specific claim along with the permission that represents some filter that > you can use to query your database. > > As a result, you'll have within your token something like: > > "permissions": [ > { > "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957", > "resource_name": "Book Resource", > "claims": ["data.filter": ["book.type = 'foo' or book.type = 'bar'"]] > } > ] > > We do have a "resource group" concept. Resources can have a type and you > can also have a single resource representing a set of one or more "real" > resources. > > [1] > https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server > > On Tue, May 21, 2019 at 3:14 PM Farzad Panahi > wrote: > >> Any hint or example project to look at would really help to put me in the >> right direction. >> >> Should I post this question with a better and more specific title with >> more >> elaborate body to present the question better? >> >> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, >> wrote: >> >> > This is exactly where I want to use Keycloak to set this business >> > rule/mapping.
Basically I need to associate each user with a subset of B >> > (books) to which the user has access to. This association is not based >> on >> > roles or groups. It is based on individual users. >> > That's why I was thinking that the only way I can think of doing this to >> > add every individual book as a resource in Keycloak and then I have to >> > create a permission for each of them to grant access to any individual >> user. >> > It would help if Keycloak had a concept like a resource group I guess. >> > Then I could put all those resources in a resource group and grant >> access >> > to that resource group for an individual user. >> > Then in order to see which resources each user has access to, I need to >> > query Keycloak somehow (I need to figure out how exactly) and get the >> > resources that user has access to, and return only those resources for >> that >> > user. >> > >> > That's what I can think of right now. I am just wondering if there is a >> > better way to do this sort of resource oriented access control where >> each >> > user has access to specific set of resources only. >> > >> > >> > >> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva >> > wrote: >> > >> >> Sorry, but is still not clear to me how a "user has access to a subset >> of >> >> B" is this access based on roles, groups or any other information that >> you >> >> gather from the context ? I'm wondering if this is not a business rule >> >> instead .... >> >> >> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi > > >> >> wrote: >> >> >> >>> Hi Pedro, >> >>> >> >>> The user is not the book owner. You can think about it this way that >> if >> >>> B is the set of all books then each user has access to a subset of B >> such >> >>> that these subsets are not mutually exclusive and do overlap. >> >>> >> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, > > >> >>> wrote: >> >>> >> >>>> Hi Farzad, >> >>>> >> >>>> How do you check if a user has access to a book ? 
Is the user the >> book >> >>>> owner or you have more conditions that should be taken into account >> to >> >>>> grant access to books ? >> >>>> >> >>>> [1] >> >>>> >> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples >> >>>> >> >>>> >> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi < >> farzad.panahi at gmail.com> >> >>>> wrote: >> >>>> >> >>>>> Hi, >> >>>>> >> >>>>> I am very new to Keycloak. I have a RESTful API implemented with >> >>>>> json:api >> >>>>> spec which I want to secure using Keycloak. >> >>>>> >> >>>>> I just want to ask the Keycloak community for best practices when it >> >>>>> comes >> >>>>> to securing RESTful APIs. >> >>>>> >> >>>>> My endpoints will be something like: >> >>>>> GET /api/books --> return all books the user has access for >> >>>>> GET /api/books/123 --> return book with id = 123 >> >>>>> >> >>>>> My challenge now is to figure out how to define resources in >> Keycloak. >> >>>>> Should I add all my books as resources to Keycloak? And then define >> the >> >>>>> permission between each user and resource? >> >>>>> >> >>>>> What would be the best practice to implement "GET /api/books" to >> return >> >>>>> only the books the logged in user has access to? Should I query the >> >>>>> Keycloak API to get all the resources the logged in user has access >> >>>>> to, in >> >>>>> the backend? 
>> >>>>> >> >>>>> Thanks >> >>>>> >> >>>>> Farzad >> >>>>> _______________________________________________ >> >>>>> keycloak-user mailing list >> >>>>> keycloak-user at lists.jboss.org >> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>>>> >> >>>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From srinivas.nangunoori at microfocus.com Tue May 21 23:49:54 2019 From: srinivas.nangunoori at microfocus.com (Srinivas Nangunoori) Date: Wed, 22 May 2019 03:49:54 +0000 Subject: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final In-Reply-To: References: <9d389a0e-d608-afa8-5d1a-fd839b4e365e@redhat.com> Message-ID: Thanks Stian and Vlasta for the information. -Srini From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Tuesday, May 21, 2019 9:23 PM To: Srinivas Nangunoori Cc: Vlasta Ramik ; keycloak-user Subject: Re: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final Latest. That'll be the only version actually tested with WF 16 On Tue, 21 May 2019, 11:44 Srinivas Nangunoori, > wrote: Hi Stian and Vlasta, Thanks for the reply. Do you recommend specific version of keycloak with wildfly 16.0? -Srini From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Tuesday, May 21, 2019 2:14 PM To: Vlasta Ramik > Cc: Srinivas Nangunoori >; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Wildfly 16.0 and keycloak 2.5.5-final Do NOT use Keycloak 2.5.5, upgrade as soon as possible! There are known CVEs in older versions of Keycloak and unless you upgrade you are vulnerable to these. On Mon, 20 May 2019 at 14:04, Vlasta Ramik >> wrote: Hey Srini, keycloak 2.5.5.Final was tested with Wildfly10, for WF16 it might work but it's not certain, it's definitely not supported. Wildfly 16 adapter was tested with Keycloak 6.0.0. You may consider upgrade both WF and keycloak. 
Regards, Vlasta On 5/20/19 1:41 PM, Srinivas Nangunoori wrote: > Hi experts, > > We are planning to upgrade wildfly from 10 to 16. Currently we are using keycloak 2.5.5-final. My question here is, > > * Can I still use keycloak 2.5.5 with wildfly 16.0 > > * If no for first question, what version should I use? > > > Thanks, > Srini > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From Per.Erik.Gransoe at Systematic.com Wed May 22 03:41:33 2019 From: Per.Erik.Gransoe at Systematic.com (Per Erik Gransøe) Date: Wed, 22 May 2019 07:41:33 +0000 Subject: [keycloak-user] Transfer role claim from OIDC identity broker to keycloak JWT In-Reply-To: References: Message-ID:

Hi, I've set up my KeyCloak with an Azure AD as OIDC identity provider. The Azure AD IdP replies with user application roles in its token reply to KeyCloak, and I would like to add these roles to the resulting JWT token to the relying parties. Can this be achieved with one of the built-in identity provider mappers (if so, which one and how do I map/transfer the "roles" claim?), or will I need to implement a custom mapper? Kind regards, Per Erik Gransøe Senior Systems Engineer Søren Frichs Vej 39, 8000 Aarhus C Denmark Mobile: +45 3038 6841 Per.Erik.Gransoe at Systematic.com www.systematic.com
From ece8537 at upnet.gr Wed May 22 03:57:12 2019 From: ece8537 at upnet.gr (Konstantinos Schoinas) Date: Wed, 22 May 2019 10:57:12 +0300 Subject: [keycloak-user] Refresh Token Question Message-ID:

Hi there, I have a setup where I use a Node.js application and the keycloak-connect NPM module in order to align it with the Keycloak single sign-on flow. Everything is working fine except for one thing. When my refresh token is expired and I am trying to access a resource in the application that is protected by keycloak.protect(), I am getting a redirect to the Keycloak page (a flow that I find correct) and my user is automatically getting re-logged in without posting any credentials. I don't know if that behavior is right. My Keycloak Realm Settings on the Token tab are:
Revoke Refresh Token --> Off
SSO Session Idle --> 2 minutes
SSO Session Max --> 4 minutes
Access Token Lifespan --> 1 minute
I also noticed this type of behavior on the nodejs-example that keycloak-connect provides, so I believe that there isn't something wrong with my application. Also I put some logs inside keycloak-middleware to make sure that the refresh token is expired by going to the relevant function and made sure that the refresh is expired. In addition, this is happening of course when the 2 minutes have passed and I am trying to do a request; the refresh token is definitely getting expired there, but still Keycloak seems to get me logged in again and NOT redirect me to the login page. Thanks in advance for the help, Konstantinos

From michael.isvy at gmail.com Wed May 22 04:00:43 2019 From: michael.isvy at gmail.com (Michael Isvy) Date: Wed, 22 May 2019 16:00:43 +0800 Subject: [keycloak-user] Adding information from a 3rd party service into JWT token Message-ID:

hi, thanks a lot for the hard work on Keycloak!
I've been using it for a few days and have been quite impressed by the UI, features and level of documentation. I have a custom requirement. When users authenticate, in case of successful authentication, I need to call a 3rd party API, collect additional information and place it into my JWT token. I am in the process of doing it by coding my own Mapper (extending AbstractOIDCProtocolMapper). I was wondering if this is the correct way to do it or if there is a simpler way to achieve my goal. Regards, Michael.

From abegou.ext at orange.com Wed May 22 04:08:46 2019 From: abegou.ext at orange.com (abegou.ext at orange.com) Date: Wed, 22 May 2019 08:08:46 +0000 Subject: [keycloak-user] Docker and Outgoing HTTPS Request Truststore Message-ID: <32211_1558512526_5CE5038E_32211_436_2_C23F23BE8107ED4F8E4CDE5F99D86E2F14CFDCF4@OPEXCAUBM24.corporate.adroot.infra.ftgroup>

Hello, I'm having some issues with the docker image and the "Outgoing HTTPS Request Truststore". My goal is to make Keycloak work on Kubernetes and have Keycloak use an internal certificate to call internal IDP (OIDC) providers. I tried to use the following documentation without success. https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore I tried to use a config map to override the standalone.xml file without success. How could I achieve this configuration? How can I add a truststore using the docker image? I used the latest image of keycloak, jboss/keycloak@sha256:bab7816c55a912dcaaa4250b5b661823f5c43259433b350ad6167eee68cb1d9a Thanks in advance for your help. Best regards, Aurelien Begou

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.

From orivat at janua.fr Wed May 22 04:15:18 2019 From: orivat at janua.fr (Olivier Rivat) Date: Wed, 22 May 2019 10:15:18 +0200 Subject: [keycloak-user] keycloak quick start example Uma Photoz: authorization request to resource owner not working Message-ID:

Hi, I am using Keycloak 6.0.1, wildfly 16, chrome 74 https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz Done the test several times:
1) just unzip keycloak
2) and upload photoz-realm.json
3) create alice vacation album with greece view permission for joe
4) log in as Joe, but cannot send delete request
I always obtain: You can not access or perform the requested operation on this resource. instead of Sent authorization request to resource owner, please, wait for approval. Is it a misconfiguration of mine (I have been through the example several times) or might it be a bug?
Regards, Olivier Rivat -- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr

From erangac at gmail.com Wed May 22 07:48:39 2019 From: erangac at gmail.com (Eranga Samararathna) Date: Wed, 22 May 2019 17:18:39 +0530 Subject: [keycloak-user] Remove session code from URL to prevent security vulnerability Message-ID:

When authenticating from the KeyCloak login page it passes the session code as a query param. Is there a way to avoid this and pass the session code in a different manner (ex: as a header param)? POST https://xxx/auth/realms/xxx/login-actions/authenticate?session_code=xxxxxxxxx&execution=xxxxxx&client_id=xxx&tab_id=xxxx HTTP/1.1

From psilva at redhat.com Wed May 22 08:12:38 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 May 2019 09:12:38 -0300 Subject: [keycloak-user] Securing RESTful API Best Practices In-Reply-To: References: Message-ID:

Sure. I'm not telling you that you should not use us to address your requirements, but that you should take into account whether or not you are using our authorization capabilities to process business rules, which is not our focus. I wanted to let you know about other projects that are targeted for this type of work. Sometimes, the borderline between security constraints and business rules is very clear when you are externalizing authorization from your application. But yeah, I think both approaches can work for you. The data filter approach could be very handy in order to filter resources that users can access. So if you are able to group your users into groups and then write policies that push back a claim based on the user membership, then you should be able to keep your policies simple. This is probably the optimal solution because it avoids additional requests from the server for checking whether or not the user has access to a resource. On the other hand, you can use resource types.
Or even have resources in Keycloak that represent your different resource sets. Based on the permissions within the token you should also be able to build the query accordingly in your application. On Tue, May 21, 2019 at 6:41 PM Farzad Panahi wrote: > Thanks Pedro. I really appreciate your reply. > > I think arbitrary claims are what I need to pass the filtering required to > the backend (if I can generate those claims). Also resource types look > interesting. I think as you said I can use that to group my resources. > These two should solve my problems at hand. > > That would be also great if you could elaborate on what you meant by > "security constraints" vs "business rules". I just want to have a better > understanding of Keycloak. > My understanding is that Keycloak is an identity and "access management" > system. And when it comes to "access management" my understanding is that > it means "who" has "what" access to "which" resource under "what > conditions". > If this definition is true, wouldn't "who has access to which resources" > be a security constraint under Keycloak's authorization model? > > As you said I might need to look into other solutions but I before I do > that I want to make sure I really cannot do what I want to do with Keycloak > and I really cannot implement my requirements under Keycloal's > authorization model, since I have already happily invested lots of time on > Keycloak :) > > > > On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva > wrote: > >> Hi Farzad, >> >> Sorry for the late reply. >> >> Our authorization model is targeted for enforcing security-related >> constraints, not business rules. Maybe you could consider Drools/BRMS. >> >> Some time ago we had a discussion about data filtering and how to fetch >> resources based on policy decisions. If you look at our documentation [1] >> you'll see that policies can push arbitrary claims back to your application >> when granting access to a permission. 
This capability allows you to send a >> specific claim along with the permission that represents some filter that >> you can use to query your database. >> >> As a result, you'll have within your token something like: >> >> "permissions": [ >> { >> "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957", >> "resource_name": "Book Resource", >> "claims": ["data.filter": ["book.type = 'foo' or book.type = >> 'bar'"]] >> } >> ] >> >> We do have a "resource group" concept. Resources can have a type and you >> can also have a single resource representing a set of one or more "real" >> resources. >> >> [1] >> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server >> >> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi >> wrote: >> >>> Any hint or example project to look at would really help to put me in the >>> right direction. >>> >>> Should I post this question with a better and more specific title with >>> more >>> elaborate body to present the question better? >>> >>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, >> > >>> wrote: >>> >>> > This is exactly where I want to use Keycloak to set this business >>> > rule/mapping. Basically I need to associate each user with a subset of >>> B >>> > (books) to which the user has access to. This association is not based >>> on >>> > roles or groups. It is based on individual users. >>> > That's why I was thinking that the only way I can think of doing this >>> to >>> > add every individual book as a resource in Keycloak and then I have to >>> > create a permission for each of them to grant access to any individual >>> user. >>> > It would help if Keycloak had a concept like a resource group I guess. >>> > Then I could put all those resources in a resource group and grant >>> access >>> > to that resource group for an individual user. 
>>> > Then in order to see which resources each user has access to, I need to >>> > query Keycloak somehow (I need to figure out how exactly) and get the >>> > resources that user has access to, and return only those resources for >>> that >>> > user. >>> > >>> > That's what I can think of right now. I am just wondering if there is a >>> > better way to do this sort of resource oriented access control where >>> each >>> > user has access to specific set of resources only. >>> > >>> > >>> > >>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva >>> > wrote: >>> > >>> >> Sorry, but is still not clear to me how a "user has access to a >>> subset of >>> >> B" is this access based on roles, groups or any other information >>> that you >>> >> gather from the context ? I'm wondering if this is not a business rule >>> >> instead .... >>> >> >>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi < >>> farzad.panahi at gmail.com> >>> >> wrote: >>> >> >>> >>> Hi Pedro, >>> >>> >>> >>> The user is not the book owner. You can think about it this way that >>> if >>> >>> B is the set of all books then each user has access to a subset of B >>> such >>> >>> that these subsets are not mutually exclusive and do overlap. >>> >>> >>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, < >>> psilva at redhat.com> >>> >>> wrote: >>> >>> >>> >>>> Hi Farzad, >>> >>>> >>> >>>> How do you check if a user has access to a book ? Is the user the >>> book >>> >>>> owner or you have more conditions that should be taken into account >>> to >>> >>>> grant access to books ? >>> >>>> >>> >>>> [1] >>> >>>> >>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples >>> >>>> >>> >>>> >>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi < >>> farzad.panahi at gmail.com> >>> >>>> wrote: >>> >>>> >>> >>>>> Hi, >>> >>>>> >>> >>>>> I am very new to Keycloak. I have a RESTful API implemented with >>> >>>>> json:api >>> >>>>> spec which I want to secure using Keycloak. 
>>> >>>>> >>> >>>>> I just want to ask the Keycloak community for best practices when >>> it >>> >>>>> comes >>> >>>>> to securing RESTful APIs. >>> >>>>> >>> >>>>> My endpoints will be something like: >>> >>>>> GET /api/books --> return all books the user has access to >>> >>>>> GET /api/books/123 --> return book with id = 123 >>> >>>>> >>> >>>>> My challenge now is to figure out how to define resources in >>> Keycloak. >>> >>>>> Should I add all my books as resources to Keycloak? And then >>> define the >>> >>>>> permission between each user and resource? >>> >>>>> >>> >>>>> What would be the best practice to implement "GET /api/books" to >>> return >>> >>>>> only the books the logged in user has access to? Should I query the >>> >>>>> Keycloak API to get all the resources the logged in user has access >>> >>>>> to, in >>> >>>>> the backend? >>> >>>>> >>> >>>>> Thanks >>> >>>>> >>> >>>>> Farzad >>> >>>>> _______________________________________________ >>> >>>>> keycloak-user mailing list >>> >>>>> keycloak-user at lists.jboss.org >>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>>>> >>> >>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From psilva at redhat.com Wed May 22 08:17:26 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 May 2019 09:17:26 -0300 Subject: [keycloak-user] keycloak quick start example Uma Photoz: authorization request to resource owner not working In-Reply-To: References: Message-ID: Hi Olivier, If you go to the account console in "My Resources" as user joe, do you see a permission request for alice? Or when accessing the "My Resources" page as alice, do you see a request from joe pending for approval?
On Wed, May 22, 2019 at 5:17 AM Olivier Rivat wrote: > > Hi, > > I am using > > Keycloak 6.0.1 > wildfly 16 > chrome 74 > > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > > Done the test several times > 1) just unzip keycloak > 2) and uploaded photoz-realm.json > 3) create alice vacation album with greece view permission for joe > 4) log in as Joe, but cannot send delete request > > I always obtain: > You can not access or perform the requested operation on this resource. > > instead of > Sent authorization request to resource owner, please, wait for approval. > > Is it a misconfiguration of mine (I have been through the example > several times) or might it be a bug? > > Regards, > Olivier Rivat > > -- > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > Tél: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From orivat at janua.fr Wed May 22 08:35:05 2019 From: orivat at janua.fr (Olivier Rivat) Date: Wed, 22 May 2019 14:35:05 +0200 Subject: [keycloak-user] keycloak quick start example Uma Photoz: authorization request to resource owner not working In-Reply-To: References: Message-ID: <06127a35-304c-b702-1f19-4d85f126bddd@janua.fr> Hi, When accessing the "My Resources" page as alice I see a request from joe pending for approval (from Jdoe). The flow is working fine afterwards. But the message is quite confusing at the beginning (as it corresponds to what is mentioned in the readme). I always obtain: You can not access or perform the requested operation on this resource. instead of Sent authorization request to resource owner, please, wait for approval. Regards, Olivier Le 22/05/2019 à
14:17, Pedro Igor Silva a écrit : > Hi Olivier, > > If you go to the account console in "My Resources" as user joe, do you > see a permission request for alice? Or when accessing the "My > Resources" page as alice, do you see a request from joe pending for approval? > > On Wed, May 22, 2019 at 5:17 AM Olivier Rivat > wrote: > > > Hi, > > I am using > > Keycloak 6.0.1 > wildfly 16 > chrome 74 > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > > Done the test several times > 1) just unzip keycloak > 2) and uploaded photoz-realm.json > 3) create alice vacation album with greece view permission for joe > 4) log in as Joe, but cannot send delete request > > I always obtain: > You can not access or perform the requested operation on this > resource. > > instead of > Sent authorization request to resource owner, please, wait for > approval. > > Is it a misconfiguration of mine (I have been through the example > several times) or might it be a bug? > > Regards, > Olivier Rivat > > -- > > Olivier Rivat > CTO > orivat at janua.fr > > Gsm: +33(0)682 801 609 > Tél: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr From psilva at redhat.com Wed May 22 08:46:31 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 May 2019 09:46:31 -0300 Subject: [keycloak-user] keycloak quick start example Uma Photoz: authorization request to resource owner not working In-Reply-To: <06127a35-304c-b702-1f19-4d85f126bddd@janua.fr> References: <06127a35-304c-b702-1f19-4d85f126bddd@janua.fr> Message-ID: I see. That seems to be an issue with the JS running in the client.
I get that behavior sometimes when I run it, but I'll take a look at how to avoid it completely. For now, please consider that the main behavior (sending/approving requests) is working. Thanks for the feedback. On Wed, May 22, 2019 at 9:35 AM Olivier Rivat wrote: > Hi, > > When accessing the "My Resources" page as alice I see a request from joe > pending for approval (from Jdoe). > The flow is working fine afterwards. > > But the message is quite confusing at the beginning (as it corresponds to > what is mentioned in the readme). > > I always obtain: > You can not access or perform the requested operation on this resource. > > instead of > Sent authorization request to resource owner, please, wait for approval. > > Regards, > > Olivier > > > > Le 22/05/2019 à 14:17, Pedro Igor Silva a écrit : > > Hi Olivier, > > If you go to the account console in "My Resources" as user joe, do you see > a permission request for alice? Or when accessing the "My Resources" > page as alice, do you see a request from joe pending for approval? > > On Wed, May 22, 2019 at 5:17 AM Olivier Rivat wrote: > >> >> Hi, >> >> I am using >> >> Keycloak 6.0.1 >> wildfly 16 >> chrome 74 >> >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz >> >> Done the test several times >> 1) just unzip keycloak >> 2) and uploaded photoz-realm.json >> 3) create alice vacation album with greece view permission for joe >> 4) log in as Joe, but cannot send delete request >> >> I always obtain: >> You can not access or perform the requested operation on this resource. >> >> instead of >> Sent authorization request to resource owner, please, wait for approval. >> >> Is it a misconfiguration of mine (I have been through the example >> several times) or might it be a bug?
>> >> Regards, >> Olivier Rivat >> >> -- >> >> Olivier Rivat >> CTO >> orivat at janua.fr >> Gsm: +33(0)682 801 609 >> Tél: +33(0)489 829 238 >> Fax: +33(0)955 260 370 >> http://www.janua.fr >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > Tél: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > From shiva.prasad.thagadur.prakash at ericsson.com Wed May 22 10:11:26 2019 From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash) Date: Wed, 22 May 2019 14:11:26 +0000 Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades In-Reply-To: <1558445890.12963.11.camel@ericsson.com> References: <1558445890.12963.11.camel@ericsson.com> Message-ID: <1558534286.12963.21.camel@ericsson.com> Hi Guys, Does keycloak support migrating database schema from any keycloak version to any keycloak version with no requirement to incrementally go through each intermediate version? Eagerly waiting to hear from you. Thanks, Shiva On ti, 2019-05-21 at 13:38 +0000, Shiva Prasad Thagadur Prakash wrote: > Hi Guys, > Eagerly waiting for your responses! > > Thanks, > Shiva > On ti, 2019-05-21 at 09:20 +0300, Shiva Prasad Thagadur Prakash > wrote: > > > > Hi Guys, > > > > Does keycloak/Liquibase support multi-hop schema migration?
> > > > Thanks & regards, > > Shiva > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From matthew.broadhead at nbmlaw.co.uk Wed May 22 10:11:47 2019 From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead) Date: Wed, 22 May 2019 16:11:47 +0200 Subject: [keycloak-user] users created through rest api not enabled Message-ID: using Keycloak 4.5.0 standalone. CentOS 7 we have been using the REST api to create users by POSTing a UserRepresentation to /{realm}/users it still works fine but the two properties setEnabled and setEmailVerified are being ignored userRepresentation.setEnabled(true); userRepresentation.setEmailVerified(true); even running a subsequent PUT and setting the values has no effect. we have not changed our configuration at all for a long time. perhaps a system update has caused this? From matthew.broadhead at nbmlaw.co.uk Wed May 22 11:05:02 2019 From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead) Date: Wed, 22 May 2019 17:05:02 +0200 Subject: [keycloak-user] users created through rest api not enabled In-Reply-To: References: Message-ID: ok it seems it was upgrading from TomEE 7.0.5 to 7.1.0 must be a change in the version of Apache CXF and the way it generates Json sorry for wasting your time On 22/05/2019 16:11, Matthew Broadhead wrote: > using Keycloak 4.5.0 standalone. CentOS 7 > > we have been using the REST api to create users by POSTing a > UserRepresentation to /{realm}/users > > it still works fine but the two properties setEnabled and > setEmailVerified are being ignored > userRepresentation.setEnabled(true); > userRepresentation.setEmailVerified(true); > > even running a subsequent PUT and setting the values has no effect.
> > we have not changed our configuration at all for a long time. perhaps a > system update has caused this? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ryans at jlab.org Wed May 22 13:11:12 2019 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 22 May 2019 17:11:12 +0000 Subject: [keycloak-user] Wildfly Client Adapter Session Expiration Message-ID: Is there any documentation on how session expiration works with respect to the Wildfly client adapter. If the Keycloak idle session timeout expires, it seems to automatically expire a Wildfly client session too. In my client application web.xml I have an expiration of 8 hours. However, it appears the 30 minute default Keycloak idle session expiration is overriding this. After 30 minutes of idle time if I return to my client application I am logged out and the Keycloak log file contains: WARN [org.keycloak.events] (default task-41) type=REFRESH_TOKEN_ERROR, realmId=xxxx, clientId=xxxxx, userId=null, ipAddress=xxx.xx.xx.xxx, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret I assume I can bump up Keycloak session idle as a workaround, but this means ALL applications must have a long expiration. I was wondering if once authenticated to an application on Wildfly that application could control its own JSESSIONID session expiration? The fact that we set session expiration in two places is confusing as it seems the one in web.xml is not honored. Ryan From dpaul at cognera.com Wed May 22 13:34:09 2019 From: dpaul at cognera.com (David Paul) Date: Wed, 22 May 2019 17:34:09 +0000 Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load Message-ID: Hi, I have a working standalone 3.2.1 on linux using Oracle DB 12.1 as its data store that I'm upgrading to 6.0.1. 
I'm running into a problem getting it to load the oracle driver and I assume I'm missing a step but I have followed the guide here: https://www.keycloak.org/docs/latest/upgrading/index.html I have: unpacked 6.0.1 mv standalone directory to standalone.old cp -R 3.2.1/standalone to 6.0.1/ cp -R 3.2.1/modules/system/layers/keycloak/org/oracle 6.0.1/modules/system/layers/keycloak/org/ cp -R 3.2.1/themes/ 6.0.1/themes/ 6.0.1/bin/jboss-cli.sh -file=bin/migrate-standalone.cli (feedback indicates success on all actions) Made sure migrationStrategy value="update" When I run 6.0.1/bin/standalone.sh I get: ... 09:26:10,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 31) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("jdbc-driver" => "oracle") ]) - failure description: "WFLYJCA0114: Failed to load datasource class: oracle.jdbc.driver.OracleDriver" Again, this works in my 3.2.1 on the same server, so I assume my datasource and driver declaration are correct in standalone.xml file as well as the module.xml and ojdbc8.jar. I also can confirm the datastore is in use for the 3.2.1 install through connecting to the DB store using TOAD for oracle. I have confirmed permissions on the entire Keycloak directory structure are identical between the 3.2.1 and 6.0.1 locations. Is there another step or declaration of the driver or something that I must do? Thank you for your time, Dave Harriscomputer David Paul Manager, Application Development P: 403-218-2010 x79107 F: 403-218-2012 E: dpaul at cognera.com 530 - 8 Avenue SW Suite 920 Calgary, Alberta T2P 3S8 www.cognera.com This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure.
If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message. From ryans at jlab.org Wed May 22 14:23:50 2019 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 22 May 2019 18:23:50 +0000 Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load Message-ID: You might try using the Wildfly jboss-cli.sh script to execute: /subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle,driver-module-name=com.oracle) From frank.herrmann at modernizingmedicine.com Wed May 22 14:50:49 2019 From: frank.herrmann at modernizingmedicine.com (Frank Herrmann) Date: Wed, 22 May 2019 14:50:49 -0400 Subject: [keycloak-user] Keycloak Docker Domain Cluster Message-ID: Hello, As part of our upgrade to 6.0.1 we are looking to use the Keycloak docker images. Our current installation (3.4.3) uses a domain cluster. While reviewing the Keycloak docker image, it appears that it only supports standalone or standalone-ha (for clustering). Am I missing something, or will I need to customize the Keycloak docker image for domain clustering? Or was it specifically left out of the official docker image for a good reason?
Thanks, -Frank -- FRANK HERRMANN ASSOCIATE SOFTWARE ARCHITECT T: 561-880-2998 x1563 E: frank.herrmann at modmed.com -- *CONFIDENTIALITY NOTICE:* This e-mail message may contain material protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and other state and federal laws and legal privileges. This message is only for the personal and confidential use of the individuals or organization to whom the message is addressed. If you are an unintended recipient, you have received this message in error, and any reading, distributing, copying or disclosure is unauthorized and strictly prohibited. All recipients are hereby notified that any unauthorized receipt does not waive any confidentiality obligations or privileges. If you have received this message in error, please notify the sender immediately at the above email address and confirm that you have deleted or destroyed the message. From ryans at jlab.org Wed May 22 15:06:59 2019 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 22 May 2019 19:06:59 +0000 Subject: [keycloak-user] What Specification says my brokered IdP key is invalid? Message-ID: I'm seeing a lot of messages like the following in my log file: 2019-05-22 14:28:56,312 WARN [org.keycloak.storage.jpa.KeyUtils] (default task-xx) The given key is not a valid key per specification, future migration might fail: f:jlab-ldap:ryans (1) What specification are we talking about? OAuth? What does it say? (2) I assume the problem is when I created an LDAP user storage provider I created it on the command line with specific ID "jlab-ldap". Why is this bad? Must it be a totally random UUID? The log messages seem to occur whenever a user links an account from a brokered IdP to their account in the Keycloak realm.
(The brokered IdP is also Keycloak) From pascal.jakobi at thalesgroup.com Thu May 23 01:43:04 2019 From: pascal.jakobi at thalesgroup.com (JAKOBI Pascal) Date: Thu, 23 May 2019 05:43:04 +0000 Subject: [keycloak-user] Vanilla not working Message-ID: Hi there I am completely new to jboss & keycloak, so... I installed keycloak 6.0.1-2 and wildfly 16.0.0-1. Both products run after carefully following the quickstart instructions: I can create users in KC, the vanilla page displays, etc. However, when I click on the "login" button, the basic auth window appears and entering correct information does not unblock this (I am looping). I ran jboss-cli and I can see keycloak stuff in my wildfly standalone.xml... Any idea? Thank you in advance P From slaskawi at redhat.com Thu May 23 02:51:30 2019 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Thu, 23 May 2019 08:51:30 +0200 Subject: [keycloak-user] Keycloak Docker Domain Cluster In-Reply-To: References: Message-ID: That is correct. The standalone (with or without HA) configuration is by far the most popular. However, all the configuration files and scripts are there. I guess you'd need to modify the bootstrap script to bootstrap domain (or host) controllers. On Wed, May 22, 2019 at 9:22 PM Frank Herrmann < frank.herrmann at modernizingmedicine.com> wrote: > Hello, > > As part of our upgrade to 6.0.1 we are looking to use the Keycloak docker > images. Our current installation (3.4.3) uses a domain cluster. While > reviewing the Keycloak docker image, it appears that it only supports > standalone or standalone-ha (for clustering). Am I missing something, or > will I need to customize the Keycloak docker image for domain clustering? > Or was it specifically left out of the official docker image for a good > reason?
> > Thanks, > -Frank > > -- > FRANK HERRMANN > ASSOCIATE SOFTWARE ARCHITECT > > T: 561-880-2998 x1563 > > E: frank.herrmann at modmed.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tom.billiet at airties.com Thu May 23 03:22:26 2019 From: tom.billiet at airties.com (Tom Billiet) Date: Thu, 23 May 2019 07:22:26 +0000 Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades In-Reply-To: <1558534286.12963.21.camel@ericsson.com> References: <1558445890.12963.11.camel@ericsson.com> <1558534286.12963.21.camel@ericsson.com> Message-ID: I'm not a developer of keycloak itself, but I'd say yes. It uses liquibase internally, and every database schema change is packaged. It will figure out whatever (liquibase) changes are not applied yet and apply them one by one.
Best regards, Tom -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Shiva Prasad Thagadur Prakash Sent: Wednesday, 22 May 2019 16:11 To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Does keycloak support multi-hop database schema upgrades Hi Guys, Does keycloak support migrating database schema from any keycloak version to any keycloak version with no requirement to incrementally go through each intermediate version. Eagerly waiting to hear from you. Thanks, Shiva On ti, 2019-05-21 at 13:38 +0000, Shiva Prasad Thagadur Prakash wrote: > Hi Guys, > Eagerly waiting for your responses! > > Thanks, > Shiva > On ti, 2019-05-21 at 09:20 +0300, Shiva Prasad Thagadur Prakash > wrote: > > > > Hi Guys, > > > > Does keycloak/Liquibase support multi-hop schema migration? > > > > Thanks & regards, > > Shiva > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Thu May 23 03:35:05 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 23 May 2019 09:35:05 +0200 Subject: [keycloak-user] Adding information from a 3rd party service into JWT token In-Reply-To: References: Message-ID: This is not something we currently handle really well, but there should be ways to achieve it. A protocol mapper has the disadvantage that it is invoked every time a new client authenticates or when a token is refreshed.
It could have a performance impact if you call out to an external REST API here. An alternative would be to use a custom authenticator that would add the information into the user session; you should then be able to use the built-in user info mapper to add the claims from the user session into the token. On Wed, 22 May 2019 at 10:04, Michael Isvy wrote: > hi, > thanks a lot for the hard work on Keycloak! I've been using it for a few > days and have been quite impressed by the UI, features and level of > documentation. > > I have a custom requirement. When users authenticate, in case of successful > authentication, I need to call a 3rd party API, collect additional > information and place it into my JWT token. > > I am in the process of doing it by coding my own Mapper (extending > AbstractOIDCProtocolMapper). I was wondering if this is the correct way to > do it or if there is a simpler way to achieve my goal. > > Regards, > Michael. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From spahr at puzzle.ch Thu May 23 04:44:31 2019 From: spahr at puzzle.ch (Ramon Spahr) Date: Thu, 23 May 2019 10:44:31 +0200 Subject: [keycloak-user] Identity Provider using mutual TLS for his token-endpoint. Message-ID: Hi, we would like to integrate an external IdP that additionally secures its token endpoint using mutual TLS. Can we achieve this using Keycloak? Regards Ramon
From Ondrej.Scerba at zoomint.com Thu May 23 07:53:20 2019 From: Ondrej.Scerba at zoomint.com (Ondrej Scerba) Date: Thu, 23 May 2019 11:53:20 +0000 Subject: [keycloak-user] Custom Theme error message {{notification.header}} {{notification.message}} Message-ID: Hi, I'm trying to implement a custom theme for Keycloak and I'm receiving an error when accessing the admin page: "{{notification.header}} {{notification.message}}". Any clue what could be wrong and how I can fix it? Thanks, Ondrej From bruno at abstractj.org Thu May 23 09:11:17 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Thu, 23 May 2019 10:11:17 -0300 Subject: [keycloak-user] keycloak-gatekeeper + fine-grained authorization In-Reply-To: References: <20190521131514.GA31816@abstractj.org> Message-ID: <20190523131117.GD5458@abstractj.org> I created the following Jira https://issues.jboss.org/browse/KEYCLOAK-10367, so we don't miss it. Authorization services is something that we would like to include in Gatekeeper. Regarding whether there are any other options: being very honest, I don't know. On 2019-05-21, Tyler Johnson wrote: > Yeah, that's exactly what I was trying to do. > > My goal is to stand up something that sits in front of services and > enforces the authorization I defined in Keycloak so I don't have to include > any authorization logic or use any keycloak adapters in the services > themselves. It sounds like gatekeeper doesn't have that functionality > though. Are there any other options around that? > > On Tue, May 21, 2019 at 8:15 AM Bruno Oliveira wrote: > > > It seems to me that you're trying to use authorization services with > > Gatekeeper (I can be wrong). If that's the case, unfortunately that's > > not supported yet. But certainly something that we might consider in the > > future.
> > > > If I guessed it all wrong, please share how you're configuring > > Gatekeeper. > > > > On 2019-05-21, Tyler Johnson wrote: > > > I'm trying to figure out how to use keycloak-gatekeeper with the > > > fine-grained authorization option in Keycloak. > > > > > > I set up the authorization and ran an evaluation within the Keycloak UI > > > that correctly gave DENY for user 'test', but when I use that same user > > to > > > log in through gatekeeper, it says it's permitted and directs me to > > > upstream. > > > > > > Is there anything I need to enable on gatekeeper side to have it enforce, > > > or any pointers here? > > > > > > Thanks, > > > Tyler > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > > > abstractj > > -- abstractj From frank.herrmann at modernizingmedicine.com Thu May 23 09:46:50 2019 From: frank.herrmann at modernizingmedicine.com (Frank Herrmann) Date: Thu, 23 May 2019 09:46:50 -0400 Subject: [keycloak-user] Keycloak Docker Domain Cluster In-Reply-To: References: Message-ID: Thanks. That's what I figured. I always figured in a multi-server production environment, the domain model is better than standalone-ha. Since we have a lot of customization to Keycloak, with our themes and custom authenticators, I'll use the official Keycloak docker project as a guide and create one myself for our purposes. The domain configuration is a bit more complicated than standalone, so I can understand why it was left out. Thanks again, -Frank On Thu, May 23, 2019 at 2:52 AM Sebastian Laskawiec wrote: > That is correct. The standalone (with or without HA) configuration is by > far the most popular. > > However, all the configuration files and scripts are there. I guess you'd > need to modify the bootstrap script to bootstrap domain (or host) > controllers. 
> > On Wed, May 22, 2019 at 9:22 PM Frank Herrmann < > frank.herrmann at modernizingmedicine.com> wrote: > >> Hello, >> >> As part of our upgrade to 6.0.1 we are looking to use the Keycloak docker >> images. Our currently installation (3.4.3) uses a domain cluster. While >> reviewing the Keycloak docker image, it appears that it only supports >> standalone or standalone-ha (for clustering). Am I missing something, or >> will I need to customize the Keycloak docker image for domain clustering? >> Or was it specifically left out of the official docker image for a good >> reason? >> >> Thanks, >> -Frank >> >> -- >> FRANK HERRMANN >> ASSOCIATE SOFTWARE ARCHITECT >> >> T: 561-880-2998 x1563 >> >> E: frank.herrmann at modmed.com
>> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- FRANK HERRMANN ASSOCIATE SOFTWARE ARCHITECT T: 561-880-2998 x1563 E: frank.herrmann at modmed.com From Ori.Doolman at cyberark.com Thu May 23 10:21:45 2019 From: Ori.Doolman at cyberark.com (Ori Doolman) Date: Thu, 23 May 2019 14:21:45 +0000 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user Message-ID: Hi, I have a web application (Angular) which calls a REST API in a Java microservice. In my application, which manages books, I have "regular" and "admin" roles. "regular" is allowed to execute API readBook. "admin" is allowed to execute APIs readBook, deleteBook, createBook. The mapping from the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB.
I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities. I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions. When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization. 1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions in my current DB and load them to service cache ? 2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way? 3. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role. This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token. Thanks, Ori. ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. 
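The two options discussed in this thread, the once-per-session UMA-grant call to the token endpoint that Pedro describes in the reply below (access token in, RPT with an `authorization.permissions` claim out), and Ori's pure-RBAC alternative from point 3 (roles in the JWT, role-to-permission mapping in the service), shown side by side as an added example. This is not code from the thread or from Keycloak itself. The realm, client, resource and scope names, the sample claims and every helper name are assumptions made for the illustration; signature, issuer and audience verification against the realm JWKS must happen before any of these checks and is assumed to be done by the adapter or gateway, so it is deliberately not re-implemented here.

```python
"""Checking Keycloak permissions locally, without a call to Keycloak per API request.

Added example; not code from the mailing-list thread or from Keycloak. It assumes a
realm "books", a resource-server client "books-api" whose authorization settings
define a resource "book" with scopes book:read, book:create and book:delete (all
names invented here), and that the caller has already verified the token signature
against the realm JWKS plus iss/aud before trusting any claim.
"""
import base64
import json
import time
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def uma_token_request(base_url, realm, audience, access_token, permissions=()):
    """Build the once-per-session request that turns an access token into an RPT.

    Returns (url, headers, form_body); sending it (from the SPA or an API gateway)
    is left to the caller. `permissions` entries such as "book#book:read" ask for a
    subset, so the RPT carries only what the client needs (incremental authorization).
    """
    form = [("grant_type", UMA_GRANT), ("audience", audience)]
    form += [("permission", p) for p in permissions]
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(form)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(compact_jwt):
    """Payload of a compact JWT. The signature is NOT checked here (see module doc)."""
    payload = compact_jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def rpt_permissions(claims):
    """Flatten the RPT claim authorization.permissions into {rsname: {scopes}}."""
    granted = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        granted.setdefault(perm.get("rsname"), set()).update(perm.get("scopes", []))
    return granted


def _live(claims, now):
    return claims.get("exp", 0) > (time.time() if now is None else now)


def rpt_allows(claims, resource, scope, now=None):
    """Resource-based check against an RPT issued by Keycloak authorization services."""
    return _live(claims, now) and scope in rpt_permissions(claims).get(resource, set())


# Ori's alternative: keep only roles in the JWT and map them to permissions in the
# service. This table stands in for the mapping currently held in the app DB.
ROLE_PERMISSIONS = {
    "regular": {"book:read"},
    "admin": {"book:read", "book:create", "book:delete"},
}


def roles_in_token(claims, client_id):
    """Realm roles plus the client roles mapped for `client_id`."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def rbac_allows(claims, client_id, scope, now=None):
    """Pure RBAC check: any realm or client role in the token that grants the scope."""
    return _live(claims, now) and any(
        scope in ROLE_PERMISSIONS.get(role, ()) for role in roles_in_token(claims, client_id))


def constructed_token(payload):
    """Unsigned compact JWT for this demo only; real Keycloak tokens are RS256-signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


# Constructed sample claims shaped like Keycloak output; not captured from a server.
NOW = 1_558_620_000  # 2019-05-23, inside both sample tokens' lifetime
SAMPLE_RPT = constructed_token({
    "exp": NOW + 300, "aud": "books-api", "sub": "alice",
    "authorization": {"permissions": [
        {"rsid": "c0ffee", "rsname": "book", "scopes": ["book:read"]}]},
})
SAMPLE_ADMIN_TOKEN = constructed_token({
    "exp": NOW + 300, "aud": "books-api", "sub": "bob",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"books-api": {"roles": ["admin"]}},
})

if __name__ == "__main__":
    url, _, body = uma_token_request("https://kc.example/auth", "books", "books-api",
                                     "eyJ...", ["book#book:read"])
    print(url, body)
    rpt = decode_claims(SAMPLE_RPT)
    print(rpt_allows(rpt, "book", "book:read", NOW), rpt_allows(rpt, "book", "book:delete", NOW))
    print(rbac_allows(decode_claims(SAMPLE_ADMIN_TOKEN), "books-api", "book:delete", NOW))
```

For the gateway variant Ori raises later in the thread, the gateway would send `uma_token_request(...)` with the user's access token and replace the `Authorization` header with the returned RPT before forwarding, which is still one Keycloak call per session rather than per request; the `exp` check in `_live` is what makes the per-request path local, while logout detection still needs either short token lifetimes or the gateway consulting Keycloak at the session boundary.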
From martinezmiguel.ar at gmail.com Thu May 23 10:43:08 2019 From: martinezmiguel.ar at gmail.com (Miguel Martinez) Date: Thu, 23 May 2019 11:43:08 -0300 Subject: [keycloak-user] Keycloak invalid redirect_uri behind proxy Message-ID: Hi I am trying to use keycloak to secure an application. I added the keycloak adapter to the JBoss EAP. The JBoss EAP is behind an apache balancer, which is behind another apache (that exposes the app to Internet). (Apache Dmz)--->(Apache Balancer)--->(JBoss EAP with keycloak adapter) I would like to know if it is possible that the keycloak adapter builds the redirect_uri from the header X-Forwarded-Host. Thank you in advance. Best regards. JBoss-EAP-6.4 From psilva at redhat.com Thu May 23 10:49:11 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 23 May 2019 11:49:11 -0300 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user In-Reply-To: References: Message-ID: There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type. However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the number of permissions within the token. Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization. On Thu, May 23, 2019 at 11:23 AM Ori Doolman wrote: > Hi, > > I have a web application (Angular) which calls a REST API in a Java > microservice. > > In my application, which manages books, I have a "regular" and "admin" > roles. > "regular" is allowed to execute API readBook. 
> "admin" is allowed to execute APIs readBook, deleteBook, createBook. > > The mapping between the user roles to the permissions (book:read , > book:create, book:delete) is currently in my app DB. I guess I can migrate > all roles and permissions into Keycloak using the > resources/permissions/policies entities. > > I get an access token in the client (using code flow or implicit flow). > The token contains the current user roles. But not the permissions. > When I call my REST API I send the access token to my REST endpoint in the > http header. The token contains the user roles, but not the user > permissions. In fact, what I really need is the user permissions for > checking authorization. > > > > 1. What is the best practice of getting the user permissions in my REST > service? Can I have them become part of the JWT access token when the token > is created? > Or is there any other recommended way to "map" the roles into the > effective permissions at runtime? > Maybe keep the role->permissions in my current DB and load them to service > cache ? > > 2. I want to avoid calling Keycloak for every REST API call because > this will result bad performance. From what I read, if I want to use > Keycloak authorization services I must call Keycloak for every API request > and get the permissions (an RPT token). Is that the only way? > > > > 1. Another alternative I thought of: > have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles > "book:read" , "book:create", "book:delete" and for the "Regulars" group I > will add only "book:read" role. > This way, if a user belongs to the admins group, he will have all the > permissions (roles) in the JWT access token. > > > Thanks, > Ori. > > ---------------------------------------------------------------------- > _______________________________________________ > This e-mail may contain information that is confidential, privileged or > otherwise protected from disclosure. 
> If you are not an intended recipient of this e-mail, do not duplicate or > redistribute it by any means. Please delete it and any attachments and > notify the sender that you have received it in error. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ryans at jlab.org Thu May 23 10:58:14 2019 From: ryans at jlab.org (Ryan Slominski) Date: Thu, 23 May 2019 14:58:14 +0000 Subject: [keycloak-user] Wildfly Client Adapter breaks session persistence Message-ID: It seems session persistence is broken with the Wildfly Client Adapter. I have: in the standalone.xml file under: This was set using the command: .jboss-cli.sh --connect --command="/subsystem=undertow/servlet-container=default/setting=persistent-sessions:add()" However, if I run the command: .jboss-cli.sh --connect --command="/deployment=myapp.war:redeploy()" My authenticated session is lost and I must re-login. Am I missing something or is this a bug? Ryan From Ori.Doolman at cyberark.com Thu May 23 11:21:07 2019 From: Ori.Doolman at cyberark.com (Ori Doolman) Date: Thu, 23 May 2019 15:21:07 +0000 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user In-Reply-To: References: , Message-ID: Hi Pedro, Thanks for the prompt response :) Yes, I need RBAC only at the moment. When you said my web application should make the token exchange, do you mean client side (javascript ) or server side? I can also make it from API-GW which is even better I think. What is the common practice to send it to the server? I cannot use the Authorization header since it already contains the access token. Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information. It doesn't sound like the optimal approach. Ori. 
Get Outlook for Android ________________________________ From: Pedro Igor Silva Sent: Thursday, May 23, 2019 5:49:11 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type. However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the numbers of permissions within the token. Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization. On Thu, May 23, 2019 at 11:23 AM Ori Doolman > wrote: Hi, I have a web application (Angular) which calls a REST API in a Java microservice. In my application, which manages books, I have a "regular" and "admin" roles. "regular" is allowed to execute API readBook. "admin" is allowed to execute APIs readBook, deleteBook, createBook. The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities. I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions. When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization. 1. What is the best practice of getting the user permissions in my REST service? 
Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions in my current DB and load them to service cache ? 2. I want to avoid calling Keycloak for every REST API call because this will result bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way? 1. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role. This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token. Thanks, Ori. ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Thu May 23 11:58:41 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 23 May 2019 12:58:41 -0300 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user In-Reply-To: References: Message-ID: On Thu, May 23, 2019 at 12:21 PM Ori Doolman wrote: > Hi Pedro, > Thanks for the prompt response :) > > Yes, I need RBAC only at the moment. > > When you said my web application should make the token exchange, do you > mean client side (javascript ) or server side? 
> Client-side > I can also make it from API-GW which is even better I think. what is the > common practice to send it to the server? I cannot use the Authorization > header since it alteady contains the access token. > > Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions. > > Also, it means that I will have to make this call once per session (after > login) rather than once in a process lifetime, since the roles->permissions > mapping is pretty much static information. > It doesn't sounds like the optimal approach. > Yes, you would need a per session exchange. > > Ori. > > Get Outlook for Android > > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Thursday, May 23, 2019 5:49:11 PM > *To:* Ori Doolman > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] How to get the role -> permissions for an > authenticated user > > There is no way to automatically set the permissions (from a client > authorization settings) when an access token is issued. Like you said, you > need another call to the token endpoint using the uma-grant-type. > > However, your web application will make that call only once in order to > exchange the access token with another one with the permissions you need to > access your backend. Your client should also be able to perform incremental > authorization and limit the numbers of permissions within the token. > > Using a pure RBAC approach also works for your case, I think. Although you > are limited to RBAC (thus tied with the roles you are using to protect > resources) and not able to use resource-based authorization. > > On Thu, May 23, 2019 at 11:23 AM Ori Doolman > wrote: > >> Hi, >> >> I have a web application (Angular) which calls a REST API in a Java >> microservice. 
>> >> In my application, which manages books, I have a "regular" and "admin" >> roles. >> "regular" is allowed to execute API readBook. >> "admin" is allowed to execute APIs readBook, deleteBook, createBook. >> >> The mapping between the user roles to the permissions (book:read , >> book:create, book:delete) is currently in my app DB. I guess I can migrate >> all roles and permissions into Keycloak using the >> resources/permissions/policies entities. >> >> I get an access token in the client (using code flow or implicit flow). >> The token contains the current user roles. But not the permissions. >> When I call my REST API I send the access token to my REST endpoint in >> the http header. The token contains the user roles, but not the user >> permissions. In fact, what I really need is the user permissions for >> checking authorization. >> >> >> >> 1. What is the best practice of getting the user permissions in my >> REST service? Can I have them become part of the JWT access token when the >> token is created? >> Or is there any other recommended way to "map" the roles into the >> effective permissions at runtime? >> Maybe keep the role->permissions in my current DB and load them to >> service cache ? >> >> 2. I want to avoid calling Keycloak for every REST API call because >> this will result bad performance. From what I read, if I want to use >> Keycloak authorization services I must call Keycloak for every API request >> and get the permissions (an RPT token). Is that the only way? >> >> >> >> 1. Another alternative I thought of: >> have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles >> "book:read" , "book:create", "book:delete" and for the "Regulars" group I >> will add only "book:read" role. >> This way, if a user belongs to the admins group, he will have all the >> permissions (roles) in the JWT access token. >> >> >> Thanks, >> Ori. 
>> >> ---------------------------------------------------------------------- >> _______________________________________________ >> This e-mail may contain information that is confidential, privileged or >> otherwise protected from disclosure. >> If you are not an intended recipient of this e-mail, do not duplicate or >> redistribute it by any means. Please delete it and any attachments and >> notify the sender that you have received it in error. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > From aechols at bfcsaz.com Thu May 23 12:42:55 2019 From: aechols at bfcsaz.com (Aaron Echols) Date: Thu, 23 May 2019 09:42:55 -0700 Subject: [keycloak-user] Custom Theme error message {{notification.header}} {{notification.message}} In-Reply-To: References: Message-ID: It sounds like you accidentally applied the 'base' theme. The 'base' theme shouldn't be a selectable theme in the properties, it's required for other themes, but should be hidden in the UI. I had this issue as well in the master realm and locked myself out. To resolve it, do the following: * kcadm.sh config credentials --server http(s)://server/auth --realm --user * kcadm.sh get realms/ > .json * vi .json Look for the following in the json, and modify the line that has the base theme in it: "loginTheme" : "keycloak", "accountTheme" : "keycloak", "adminTheme" : "base", "emailTheme" : "keycloak", * kcadm.sh update realms/ -f .json https://www.keycloak.org/docs/latest/server_admin/index.html#realm-operations -- Aaron Echols On Thu, May 23, 2019 at 4:54 AM Ondrej Scerba wrote: > Hi, > > I'm trying to implement custom theme for Keycloak and I'm receiving error > when accessing admin page "{{notification.header}} > {{notification.message}}". > > Any clue what could be wrong and I how can I fix it? 
> > Thanks, > Ondrej > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From dpaul at cognera.com Thu May 23 12:44:29 2019 From: dpaul at cognera.com (David Paul) Date: Thu, 23 May 2019 16:44:29 +0000 Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load In-Reply-To: References: Message-ID: Any ideas on this? One suggestion was to use the CLI to add the driver. Tried that and no change. Is there a way to increase logging beyond DEBUG? Or is there somewhere it logs more information other than the server.log file? It says failed to load but doesn't give details as to why. Thanks, Dave Harriscomputer David Paul Manager, Application Development P: 403-218-2010 x79107 F: 403-218-2012 E: dpaul at cognera.com 530 - 8 Avenue SW Suite 920 Calgary, Alberta T2P 3S8 www.cognera.com This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message. From: David Paul Sent: Wednesday, May 22, 2019 11:34 AM To: keycloak-user at lists.jboss.org Subject: Upgrade to 6.0.1 - Oracle driver failing to load Hi, I have a working standalone 3.2.1 on linux using Oracle DB 12.1 as its data store that I'm upgrading to 6.0.1. 
I'm running into a problem getting it to load the oracle driver and I assume I'm missing a step but I have followed the guide here: https://www.keycloak.org/docs/latest/upgrading/index.html I have: unpacked 6.0.1 mv standalone directory to standalone.old cp -R 3.2.1/standalone to 6.0.1/ cp -R 3.2.1/modules/system/layers/keycloak/org/oracle 6.0.1/modules/system/layers/keycloak/org/ cp -R 3.2.1/themes/ 6.0.1/themes/ 6.0.1/bin/jboss-cli.sh -file=bin/migrate-standalone.cli (feedback indicates success on all actions) Made sure migrationStrategy value="update" When I run 6.0.1/bin/standalone.sh I get: ... 09:26:10,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 31) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("jdbc-driver" => "oracle") ]) - failure description: "WFLYJCA0114: Failed to load datasource class: oracle.jdbc.driver.OracleDriver" Again, this works in my 3.2.1 on the same server, so I assume my datasource and driver declaration are correct in standalone.xml file as well as the module.xml and ojdbc8.jar. I also can confirm the datastore is in use for the 3.2.1 install through connecting to the DB store using TOAD for oracle. I have confirmed permissions on the entire Keycloak directory structure are identical between the 3.2.1 and 6.0.1 locations. Is there another step or declaration of the driver or something that I must do? Thank you for your time, Dave 
From aechols at bfcsaz.com Thu May 23 12:53:27 2019 From: aechols at bfcsaz.com (Aaron Echols) Date: Thu, 23 May 2019 09:53:27 -0700 Subject: [keycloak-user] LDAP user federation with AD range retrieval In-Reply-To: <043E0808-92C9-4016-80E8-AD2117C786CD@info.nl> References: <043E0808-92C9-4016-80E8-AD2117C786CD@info.nl> Message-ID: This looks to be an issue still in 5.0.0. Did you end up creating a ticket for this? I had to do the same workaround for a similar issue I'm having with larger groups not syncing from AD > Keycloak. Raising the MaxValRange allowed that group to sync as well. -- Aaron Echols On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven wrote: > Hello, > > We have a keycloak setup (3.4.3.Final) with active directory as a user > federation provider. We ran into an issue with adding a certain role to > users. 
We got an error message like this: > > Uncaught server error: org.keycloak.models.ModelException: Could not > modify attribute for DN > [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com] > at > org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569) > at > org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110) > at > org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112) > at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181) > at > org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262) > at > org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380) > at > org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316) > at > org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236) > ... 
> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error > code 16 - 00000057: LdapErr: DSID-0C090C03, comment: > Error in attribute conversion operation, data 0, v1db1]; remaining name > 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com' > at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175) > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) > at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) > at > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277) > at > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192) > at > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181) > at > javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) > at > javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) > > After some investigation the issue is that active directory uses range > retrieval when there are more than 1500 entries in the member (list) > property of a group. See eg > https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval > . > When I look at the keycloak source code it looks like keycloak does not > handle/support the range retrieval, so an error happens when trying to add > a user to that role. > > For now we work around the issue by setting the MaxValRange to a higher > value. See > https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil > for more info about this. > > The real solution would probably be to add support for range retrieval in > the keycloak ldap user federation provider, so I will create a jira ticket > for that. > > Did anyone else maybe run into this issue, and if so had another solution > for it? 
> > Kind regards, > Sidney Beekhoven > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ryans at jlab.org Thu May 23 14:33:35 2019 From: ryans at jlab.org (Ryan Slominski) Date: Thu, 23 May 2019 18:33:35 +0000 Subject: [keycloak-user] Can a confidential Access Type client also accept bearer tokens? Message-ID: I'm using the Wildfly client adapter to secure access for a web application and it works fine. However, I was wondering if I could have a script to programmatically post some data to one of the web application's end points via a cron job. The examples I have found of doing this assume you have a dedicated "bearer-only" access type client. Do I have to create a separate client for this or can I re-use the existing web application end point, which has access type Confidential? I'm looking at the example here: http://planet.jboss.org/post/getting_started_with_keycloak_securing_a_rest_service Thanks, Ryan From Ori.Doolman at cyberark.com Thu May 23 14:35:08 2019 From: Ori.Doolman at cyberark.com (Ori Doolman) Date: Thu, 23 May 2019 18:35:08 +0000 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user In-Reply-To: References: , Message-ID: Ok Pedro, I think I got it. Thanks a lot for the clarification. My current plan is to make the exchange in API-GW. I get 2 advantages: 1) No change in client application and no need to involve client with server side authorization. 2) I need to make sure access token is still valid and user did not perform logout. API-GW seems the correct place to do that. So in a single call to KC I get both token validation and token exchange. I will try that and update the forum if it succeeds. I think this is a typical classic deployment and such a documented solution can assist a lot of people. Ori. 
Get Outlook for Android ________________________________ From: Pedro Igor Silva Sent: Thursday, May 23, 2019 6:58:41 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user On Thu, May 23, 2019 at 12:21 PM Ori Doolman > wrote: Hi Pedro, Thanks for the prompt response :) Yes, I need RBAC only at the moment. When you said my web application should make the token exchange, do you mean client side (javascript ) or server side? Client-side I can also make it from API-GW which is even better I think. what is the common practice to send it to the server? I cannot use the Authorization header since it alteady contains the access token. Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions. Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information. It doesn't sounds like the optimal approach. Yes, you would need a per session exchange. Ori. Get Outlook for Android ________________________________ From: Pedro Igor Silva > Sent: Thursday, May 23, 2019 5:49:11 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type. However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the numbers of permissions within the token. 
Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization. On Thu, May 23, 2019 at 11:23 AM Ori Doolman > wrote: Hi, I have a web application (Angular) which calls a REST API in a Java microservice. In my application, which manages books, I have a "regular" and "admin" roles. "regular" is allowed to execute API readBook. "admin" is allowed to execute APIs readBook, deleteBook, createBook. The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities. I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions. When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization. 1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions in my current DB and load them to service cache ? 2. I want to avoid calling Keycloak for every REST API call because this will result bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way? 1. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role. 
This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token. Thanks, Ori. ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Thu May 23 15:20:07 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 23 May 2019 16:20:07 -0300 Subject: [keycloak-user] Can a confidential Access Type client also accept bearer tokens? In-Reply-To: References: Message-ID: It should be fine to use the same client. However, you may want to set autodetect-bearer-only in keycloak.json. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config . On Thu, May 23, 2019 at 3:35 PM Ryan Slominski wrote: > I'm using the Wildfly client adapter to secure access for a web > application and it works fine. However, I was wondering if I could have a > script to programmatically post some data to one of the web application's > end points via a cron job. The examples I have found of doing this assume > you have a dedicated "bearer-only" access type client. Do I have to > create a separate client for this or can I re-use the existing web > application end point, which has access type Confidential? 
> I'm looking at the example here:
> http://planet.jboss.org/post/getting_started_with_keycloak_securing_a_rest_service
>
> Thanks,
> Ryan

From ryans at jlab.org Thu May 23 15:43:10 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Thu, 23 May 2019 19:43:10 +0000
Subject: [keycloak-user] Can a confidential Access Type client also accept bearer tokens?

Hi Pedro,

Thanks, I got it working. I was initially seeing the error:

"Didn't find publicKey for specified kid"

But I finally found I was trying to use the bearer token on an application secured by a different Keycloak instance, which didn't issue the access token! Looks like CURL must already set appropriate headers or something because I didn't even need to enable autodetect-bearer-only.

Ryan

From aechols at bfcsaz.com Thu May 23 19:43:31 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 23 May 2019 16:43:31 -0700
Subject: [keycloak-user] LDAP user federation with AD range retrieval
References: <043E0808-92C9-4016-80E8-AD2117C786CD@info.nl>

BTW, I have 3500 users in my group, it's still not syncing entirely. Since I can't seem to actually figure out a way (even using kcadm.sh) to list out the number of users in the Keycloak group, it's making it harder to see if it is another value that needs to be adjusted in Active Directory or something on Keycloak's side. It's such a pain.
--
Aaron Echols

On Thu, May 23, 2019 at 9:53 AM Aaron Echols wrote:
> This looks to be an issue still in 5.0.0. Did you end up creating a ticket for this? I had to do the same workaround for a similar issue I'm having with larger groups not syncing from AD -> Keycloak. Raising the MaxValRange allowed that group to sync as well.
> --
> Aaron Echols
>
> On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven wrote:
>
>> Hello,
>>
>> We have a Keycloak setup (3.4.3.Final) with Active Directory as a user federation provider. We ran into an issue with adding a certain role to users.
>> We got an error message like this:
>>
>> Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>>     at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>>     at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>>     at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>>     at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>>     at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>>     at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>>     at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>>     at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
>>     ...
>> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>     at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>>     at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>     at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>
>> After some investigation the issue is that Active Directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See e.g. https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval .
>> When I look at the Keycloak source code it looks like Keycloak does not handle/support range retrieval, so an error happens when trying to add a user to that role.
>>
>> For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil for more info about this.
>>
>> The real solution would probably be to add support for range retrieval in the Keycloak LDAP user federation provider, so I will create a Jira ticket for that.
>>
>> Did anyone else maybe run into this issue, and if so had another solution for it?
>>
>> Kind regards,
>> Sidney Beekhoven

From aechols at bfcsaz.com Thu May 23 19:57:21 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 23 May 2019 16:57:21 -0700
Subject: [keycloak-user] LDAP user federation with AD range retrieval
References: <043E0808-92C9-4016-80E8-AD2117C786CD@info.nl>

So does anyone have any ideas on this? It shows users in the groups; if I check the user it doesn't show they are members...

kcadm.sh get users/uid/groups -r realm
[ ]

The WebUI shows them in this group, but none of the users show as associated with the group when I view them or use kcadm.sh to check their group membership. Starting to pull my hair out haha!
--
Aaron Echols

From sthorger at redhat.com Thu May 23 23:34:47 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 24 May 2019 05:34:47 +0200
Subject: [keycloak-user] Keycloak Docker Domain Cluster

Domain mode doesn't really make all that much sense with things like Kubernetes and OpenShift as the platform adds the mechanisms itself so there's no need for domain mode.

On Thu, 23 May 2019, 15:56 Frank Herrmann <frank.herrmann at modernizingmedicine.com> wrote:
> Thanks. That's what I figured. I always figured in a multi-server production environment, the domain model is better than standalone-ha. Since we have a lot of customization to Keycloak, with our themes and custom authenticators, I'll use the official Keycloak docker project as a guide and create one myself for our purposes. The domain configuration is a bit more complicated than standalone, so I can understand why it was left out.
>
> Thanks again,
>
> -Frank
>
> On Thu, May 23, 2019 at 2:52 AM Sebastian Laskawiec wrote:
>
>> That is correct. The standalone (with or without HA) configuration is by far the most popular.
>>
>> However, all the configuration files and scripts are there. I guess you'd need to modify the bootstrap script to bootstrap domain (or host) controllers.
>>
>> On Wed, May 22, 2019 at 9:22 PM Frank Herrmann <frank.herrmann at modernizingmedicine.com> wrote:
>>
>>> Hello,
>>>
>>> As part of our upgrade to 6.0.1 we are looking to use the Keycloak docker images. Our current installation (3.4.3) uses a domain cluster.
>>> While reviewing the Keycloak docker image, it appears that it only supports standalone or standalone-ha (for clustering). Am I missing something, or will I need to customize the Keycloak docker image for domain clustering? Or was it specifically left out of the official docker image for a good reason?
>>>
>>> Thanks,
>>> -Frank
>>>
>>> --
>>> FRANK HERRMANN
>>> ASSOCIATE SOFTWARE ARCHITECT
>>>
>>> T: 561-880-2998 x1563
>>>
>>> E: frank.herrmann at modmed.com
>>>
>>> --
>>> CONFIDENTIALITY NOTICE: This e-mail message may contain material protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and other state and federal laws and legal privileges. This message is only for the personal and confidential use of the individuals or organization to whom the message is addressed. If you are an unintended recipient, you have received this message in error, and any reading, distributing, copying or disclosure is unauthorized and strictly prohibited. All recipients are hereby notified that any unauthorized receipt does not waive any confidentiality obligations or privileges. If you have received this message in error, please notify the sender immediately at the above email address and confirm that you have deleted or destroyed the message.
From adam.scislowicz at gmail.com Fri May 24 00:39:57 2019
From: adam.scislowicz at gmail.com (adam scislowicz)
Date: Thu, 23 May 2019 21:39:57 -0700
Subject: [keycloak-user] Keycloak IDP and python3-saml interoperation

Summary: I am building a SAML authentication system using Keycloak as the IDP, and the python3-saml module to implement the SP. See configuration outline below.

I can successfully initiate via IDP or SP.
If SP, I will be redirected to the IDP. The IDP will then redirect me to the SP's ACS binding and I observe the following logs from the IDP and SP respectively. The following log from python3-saml sticks out:

'http://10.0.0.3:9082/metadata/ is not a valid audience for this Response'

IDP LOGS

[org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Found AUTH_SESSION_ID cookie with value 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
[org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found in the requests header
[org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found in the cookies field
[org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Found AUTH_SESSION_ID cookie with value 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-3) getUserSessionWithPredicate(65545797-a5c8-415b-9b79-f0bdcf706743): remote cache not available
[org.keycloak.protocol.AuthorizationEndpointBase] (default task-3) Sent request to authz endpoint. We don't have root authentication session with ID '65545797-a5c8-415b-9b79-f0bdcf706743' but we have userSession. Re-created root authentication session with same ID. Client is: nac-lander . New authentication session tab ID: cfS0YI4bjUk
[org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE
[org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE ONLY
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) processFlow
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: auth-cookie requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) invoke authenticator.authenticate: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator SUCCESS: auth-cookie
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: auth-spnego requirement: DISABLED
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) execution is processed
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: identity-provider-redirector requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) Skip alternative execution
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: null requirement: ALTERNATIVE
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) Skip alternative execution
[org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Removing authSession '65545797-a5c8-415b-9b79-f0bdcf706743'. Expire restart cookie: true
[org.keycloak.events] (default task-3) type=LOGIN, realmId=master, clientId=nac-lander, userId=b615f353-672d-4b83-93ee-4f7ceddf543b, ipAddress=10.255.0.2, auth_method=saml, redirect_uri=http://10.0.0.3:9082/?acs, consent=no_consent_required, code_id=65545797-a5c8-415b-9b79-f0bdcf706743, username=admin
[org.keycloak.services.managers.AuthenticationManager] (default task-3) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/, max-age: -1
[org.keycloak.services.managers.AuthenticationManager] (default task-3) Expiring remember me cookie
[org.keycloak.services.managers.AuthenticationManager] (default task-3) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/

SP LOGS

nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | acs
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | http://10.0.0.3:9082/metadata/ is not a valid audience for this Response
...
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | {'https': 'off', 'http_host': '10.0.0.3:9082', 'server_port': 9082, 'script_name': '/', 'get_data': MultiDict([('sso', '')]), 'post_data': MultiDict([])}
nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv |

CONFIGURATION OUTLINE

IDP: Keycloak

Client: nac-lander
Master SAML Processing URL: http://10.0.0.3:9082/
IDP Initiated URL Name: 'nac-lander' : http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander
Assertion Consumer Service URL: http://10.0.0.3:9082/?acs

SP: python3-saml

{
  "strict": true,
  "debug": true,
  "sp": {
    "entityId": "http://10.0.0.3:9082/metadata/",
    "assertionConsumerService": {
      "url": "http://10.0.0.3:9082/?acs",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
      "url": "http://10.0.0.3:9082/?sls",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "x509cert": "",
    "privateKey": ""
  },
  "idp": {
    "entityId": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/",
    "singleSignOnService": {
      "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": ""
  }
}

From zitrone at gmx-topmail.de Fri May 24 04:00:45 2019
From: zitrone at gmx-topmail.de (zitrone at gmx-topmail.de)
Date: Fri, 24 May 2019 10:00:45 +0200
Subject: [keycloak-user] Spring Boot Adapter and Post Requests

Hi,

I'm currently developing my first Spring Boot website with Keycloak authentication. Everything works nicely except one problem. I have some forms on my site that send POST requests. These usually work fine, but when the access token is expired something strange happens. The request gets redirected to /sso/login, gets redirected to Keycloak (/auth...), gets redirected back to /sso/login (so far so good) but then it redirects to GET localhost:8080 (where my app is running, but it uses GET and drops the path).

So far I tried to permit access to the SSO login entrypoint like suggested here: https://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one without success. I tried to use PUT requests, just to learn that HTML forms do not support anything other than GET and POST. Now I switched to GET for all my forms, which works but does not feel right.

Any pointers on how to solve this?

Regards

PS: Currently working on Keycloak 3.4.3 but not in a position to change this any time soon :(

From shiva.prasad.thagadur.prakash at ericsson.com Fri May 24 06:54:18 2019
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Fri, 24 May 2019 10:54:18 +0000
Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades
References: <1558445890.12963.11.camel@ericsson.com> <1558534286.12963.21.camel@ericsson.com>
Message-ID: <1558695257.12963.52.camel@ericsson.com>

Hi Tom,

Thank you very much for the reply. A small follow-up question. "Every database schema is packaged" - do you mean the required scripts are packaged in the released version of Keycloak and when a user starts Keycloak it will automatically do the needful? Eagerly waiting to hear from you.

Thanks,
Shiva

On Thu, 2019-05-23 at 07:22 +0000, Tom Billiet wrote:
> I'm not a developer of keycloak itself, but I'd say yes.
> It uses liquibase internally, and every database schema change is packaged. It will figure out whatever (liquibase) changes are not applied yet and apply them one by one.
> > Best regards, > Tom > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org sts.jboss.org> On Behalf Of Shiva Prasad Thagadur Prakash > Sent: Wednesday, 22 May 2019 16:11 > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Does keycloak support multi-hop database > schema upgrades > > Hi Guys, > > Does keycloak support migrating database schema from any keycloak > version to any keycloak version with no requirement to incrementally > go through each intermediate version. Eagerly waiting to hear from > you. > > Thanks, > Shiva > On ti, 2019-05-21 at 13:38 +0000, Shiva Prasad Thagadur Prakash > wrote: > > > > Hi Guys, > > Eagerly waiting for your responses! > > > > Thanks, > > Shiva > > On ti, 2019-05-21 at 09:20 +0300, Shiva Prasad Thagadur Prakash > > wrote: > > > > > > > > > Hi Guys, > > > > > > Does keycloak/Liquibase support multi-hop schema migration? > > > > > > Thanks & regards, > > > Shiva > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > This message has been scanned for malware by Websense. 
https://protec > t2.fireeye.com/url?k=6bee191c-373a12a2-6bee5987-86742d02e7e2- > 175350837bf3359f&q=1&u=http%3A%2F%2Fwww.websense.com%2F From demetrio at carretti.pro Fri May 24 08:41:09 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Fri, 24 May 2019 15:41:09 +0300 Subject: [keycloak-user] Keycloak IDP and python3-saml interoperation In-Reply-To: References: Message-ID: Hello Adam, With "strict" set to true on the python3-saml side, it will try to validate SAMLResponse's AudienceRestriction (if present) against SP's entityId value [1]. In its turn, Keycloak always sets AudienceRestriction to client ID, which is "nac-lander" in your case [2] [3]. Hence, I'd suggest that you try setting SP's entityId to "nac-lander" or turn off strict audience checking. [1] https://github.com/onelogin/python3-saml/blob/master/src/onelogin/saml2/response.py#L208 [2] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java#L394 [3] https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/SAML2LoginResponseBuilder.java#L195 Cheers, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Thu, 2019-05-23 at 21:39 -0700, adam scislowicz wrote: > Summary: I am building a SAML authentication system using Keyloack as the > IDP, and the python3-saml module to implement the SP. See configuration > outline below. > > I can successfully initiate via IDP or SP. If SP I will be redirected to > the IDP. The IDP will then redirect me to the SP's ACS binding and I > observe the following logs from the IDP and SP respectively. 
The following > log from python3-saml sticks out > > 'http://10.0.0.3:9082/metadata/ is not a valid audience for this Response' > > IDP LOGS > > [org.keycloak.services.managers.AuthenticationSessionManager] (default > task-3) Found AUTH_SESSION_ID cookie with value > 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp > [org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found > in the requests header > [org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found > in the cookies field > [org.keycloak.services.managers.AuthenticationSessionManager] (default > task-3) Found AUTH_SESSION_ID cookie with value > 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp > [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] > (default task-3) > getUserSessionWithPredicate(65545797-a5c8-415b-9b79-f0bdcf706743): remote > cache not available > [org.keycloak.protocol.AuthorizationEndpointBase] (default task-3) Sent > request to authz endpoint. We don't have root authentication session with > ID '65545797-a5c8-415b-9b79-f0bdcf706743' but we have > userSession.Re-created root authentication session with same ID. Client is: > nac-lander . 
New authentication session tab ID: cfS0YI4bjUk > [org.keycloak.authentication.AuthenticationProcessor] (default task-3) > AUTHENTICATE > [org.keycloak.authentication.AuthenticationProcessor] (default task-3) > AUTHENTICATE ONLY > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > processFlow > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > check execution: auth-cookie requirement: ALTERNATIVE > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > authenticator: auth-cookie > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > invoke authenticator.authenticate: auth-cookie > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > authenticator SUCCESS: auth-cookie > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > check execution: auth-spnego requirement: DISABLED > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > execution is processed > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > check execution: identity-provider-redirector requirement: ALTERNATIVE > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > Skip alternative execution > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > check execution: null requirement: ALTERNATIVE > [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) > Skip alternative execution > [org.keycloak.services.managers.AuthenticationSessionManager] (default > task-3) Removing authSession '65545797-a5c8-415b-9b79-f0bdcf706743'. 
Expire > restart cookie: true > [org.keycloak.events] (default task-3) type=LOGIN, realmId=master, > clientId=nac-lander, userId=b615f353-672d-4b83-93ee-4f7ceddf543b, > ipAddress=10.255.0.2, auth_method=saml, redirect_uri= > http://10.0.0.3:9082/?acs, consent=no_consent_required, > code_id=65545797-a5c8-415b-9b79-f0bdcf706743, username=admin > [org.keycloak.services.managers.AuthenticationManager] (default task-3) > Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/, > max-age: -1 > [org.keycloak.services.managers.AuthenticationManager] (default task-3) > Expiring remember me cookie > [org.keycloak.services.managers.AuthenticationManager] (default task-3) > Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/ > > SP LOGS > nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | acs > nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | http://10.0.0.3:9082/metadata/ is > not a valid audience for this Response > ... > nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | {'https': 'off', 'http_host': ' > 10.0.0.3:9082', 'server_port': 9082, 'script_name': '/', 'get_data': > MultiDict([('sso', '')]), 'post_data': MultiDict([])} > nacdev_nac-lander.1.qb2jndj0smik at ubuntusrv | > > > CONFIGURATION OUTLINE > > IDP: Keycloak > > Client: nac-lander > Master SML Processing URL: http://10.0.0.3:9082/ > IDP Initiated URL Name: 'nac-lander' : > http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander > Assertion Consumer Service URL: http://10.0.0.3:9082/?acs > > SP: python3-saml > { > "strict": true, > "debug": true, > "sp": { > "entityId": "http://10.0.0.3:9082/metadata/", > "assertionConsumerService": { > "url": "http://10.0.0.3:9082/?acs", > "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > }, > "singleLogoutService": { > "url": "http://10.0.0.3:9082/?sls", > "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" > }, > "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", > "x509cert": "", > 
>     "privateKey": ""
>   },
>   "idp": {
>     "entityId": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/",
>     "singleSignOnService": {
>       "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
>       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     },
>     "singleLogoutService": {
>       "url": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander",
>       "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     },
>     "x509cert": ""
>   }
> }
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From frank.herrmann at modernizingmedicine.com Fri May 24 10:35:14 2019
From: frank.herrmann at modernizingmedicine.com (Frank Herrmann)
Date: Fri, 24 May 2019 10:35:14 -0400
Subject: [keycloak-user] Keycloak Docker Domain Cluster

The Keycloak documentation seems to imply that domain mode is preferable to standalone-ha in clustered environments.

From the server installation docs:

"Running a cluster in standard mode can quickly become aggravating as the cluster grows in size. Every time you need to make a configuration change, you have perform it on each node in the cluster. Domain mode solves this problem by providing a central place to store and publish configuration. It can be quite complex to set up, but it is worth it in the end."

We have domain working without issue. We are just looking into moving our deployment of Keycloak servers to docker. I'm working now on extending the official Docker image to customize it for our environment and configuration.

Thanks again,
-Frank

On Thu, May 23, 2019 at 11:35 PM Stian Thorgersen wrote:

> Domain mode doesn't really make all that much sense with things like Kubernetes and OpenShift as the platform adds the mechanisms itself so there's no need for domain mode.
>
> On Thu, 23 May 2019, 15:56 Frank Herrmann, <frank.herrmann at modernizingmedicine.com> wrote:
>
>> Thanks. That's what I figured. I always figured in a multi-server production environment, the domain model is better than standalone-ha. Since we have a lot of customization to Keycloak, with our themes and custom authenticators, I'll use the official Keycloak docker project as a guide and create one myself for our purposes. The domain configuration is a bit more complicated than standalone, so I can understand why it was left out.
>>
>> Thanks again,
>>
>> -Frank
>>
>> On Thu, May 23, 2019 at 2:52 AM Sebastian Laskawiec wrote:
>>
>> > That is correct. The standalone (with or without HA) configuration is by far the most popular.
>> >
>> > However, all the configuration files and scripts are there. I guess you'd need to modify the bootstrap script to bootstrap domain (or host) controllers.
>> >
>> > On Wed, May 22, 2019 at 9:22 PM Frank Herrmann <frank.herrmann at modernizingmedicine.com> wrote:
>> >
>> >> Hello,
>> >>
>> >> As part of our upgrade to 6.0.1 we are looking to use the Keycloak docker images. Our current installation (3.4.3) uses a domain cluster. While reviewing the Keycloak docker image, it appears that it only supports standalone or standalone-ha (for clustering). Am I missing something, or will I need to customize the Keycloak docker image for domain clustering? Or was it specifically left out of the official docker image for a good reason?
>> >>
>> >> Thanks,
>> >> -Frank
>> >>
>> >> --
>> >> FRANK HERRMANN
>> >> ASSOCIATE SOFTWARE ARCHITECT
>> >>
>> >> T: 561-880-2998 x1563
>> >>
>> >> E: frank.herrmann at modmed.com
>> >>
>> >> --
>> >> *CONFIDENTIALITY NOTICE:* This e-mail message may contain material protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and other state and federal laws and legal privileges. This message is only for the personal and confidential use of the individuals or organization to whom the message is addressed. If you are an unintended recipient, you have received this message in error, and any reading, distributing, copying or disclosure is unauthorized and strictly prohibited. All recipients are hereby notified that any unauthorized receipt does not waive any confidentiality obligations or privileges. If you have received this message in error, please notify the sender immediately at the above email address and confirm that you have deleted or destroyed the message.
>> >
>>
>

--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT

T: 561-880-2998 x1563

E: frank.herrmann at modmed.com

From demetrio at carretti.pro Fri May 24 10:39:32 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Fri, 24 May 2019 17:39:32 +0300
Subject: [keycloak-user] Configure Keycloak to be able to delegate authentication to other application
Message-ID: <86ce31059fc87320cec564f6d45eb5ca70cef2bf.camel@carretti.pro>

Hello Cécile,

answers inline,

On Thu, 2019-05-09 at 16:11 +0200, Cécile Radix Saint-Martin wrote:
> Hi,
>
> We wish to use Keycloak as our IDP for our application (frontend + REST micro services).
> We want to give users the possibility to authenticate using their credentials of another application (login + password).
> In the same time, our application needs to call this other application APIs and for this, needs the custom token returned by the application during authentication (this application is not OIDC compliant).
>
> First I wanted to implement a custom identity provider for Keycloak, as it enables to store token of external IDP. But there is very few documentation about that and only examples I found are for OIDC providers.

The overall approach should depend on the semantics of the protocol used by your external IdP ("another application"). If the protocol is redirect-based, like OIDC and SAML, then yes, custom identity provider is definitely the way to go. This is also beneficial because IdP infrastructure in Keycloak already provides facilities for token storage, user creation upon first login etc.

As for documentation - I personally don't like the mantra "code is the best documentation", but seems like this is just the case here. Here is the hierarchy of IdPs currently implemented in Keycloak:

AbstractIdentityProvider
  AbstractOAuth2IdentityProvider
    BitbucketIdentityProvider
    FacebookIdentityProvider
    GitHubIdentityProvider
    InstagramIdentityProvider
    LinkedInIdentityProvider
    MicrosoftIdentityProvider
    OIDCIdentityProvider
      GitLabIdentityProvider
      GoogleIdentityProvider
      KeycloakOIDCIdentityProvider
    OpenshiftV3IdentityProvider
    PayPalIdentityProvider
    StackoverflowIdentityProvider
  SAMLIdentityProvider
  TwitterIdentityProvider

When solving a similar problem, I used SAMLIdentityProvider as a reference, since I found it to be more understandable (but that's personal of course).

But if your IdP's protocol is not redirect based (like e.g. it uses REST or even TCP socket API that consumes login/password and returns a token), then the only option would be custom authenticator.

> So finally I decided to implement a custom authenticator (org.keycloak.authentication.Authenticator).
>
> I want to be sure that with a custom authenticator, I will be able to :
> - Store custom tokens of the other application

IdPs (including custom) have that out of the box, via FederatedIdentityModel::token. OTOH, custom authenticator will need to take care of it itself. If you're ok with transient tokens, then you can simply attach them to user sessions (using so called "user session notes"). If you need persistent tokens, you'll also need to implement a custom JPA entity for that.

> provide it to a client API

In both cases (custom IdP and custom auth), you'll need a client mapper to push external token from the user session to the target OIDC token, as a custom claim.

> and refresh it if expired

Is it correct that your client side will always need a valid external token, and you want to delegate the refresh process to Keycloak? If so, you will need another client mapper to handle this. Each time the client asks Keycloak to refresh main (OIDC) token, the mapper will kick in and perform external refresh too, if needed, thus ensuring that both tokens (OIDC and external) are valid.

> - Create user in Keycloak if it does not exist (if authentication with the other application succeed)

Again, if using custom IdP, this will be out of the box via First Broker Login flow. In the case of custom authenticator, you should be also able to invoke the same flow when needed. But you will also need to implement internal-to-external user mapping; that should be easy if the username could be unambiguously derived from the external token. Otherwise, you will have to implement something similar to FederatedIdentity mechanism used by IdPs.

Feel free to ask any further questions,

Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

>
> Anyone can confirm ?
>
> *Cécile RADIX SAINT-MARTIN*
> *mailto:cecile.saintmartin at gmail.com *

From demetrio at carretti.pro Fri May 24 12:01:24 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Fri, 24 May 2019 19:01:24 +0300
Subject: [keycloak-user] direct access grant + kerberos
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C331E1C@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C331E1C@EX10MBOX03.pnnl.gov>
Message-ID: <093196fe8b87776a9b4b15e05e98518b20fd9135.camel@carretti.pro>

Hello Kevin,

You could try cloning the default direct grant flow, adding Kerberos authenticator to it and removing everything else. This authenticator was initially developed for browser-based flows, so it might or might not work with direct grants. You'll need to figure that out - it could be that the authenticator might need to be adapted.

If you need to keep username+password authentication too, you should put the relevant authenticators into a subflow and make it alternative, the same way it is done in the default browser flow.

Good luck,

Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-05-21 at 17:48 +0000, Fox, Kevin M wrote:
> Is there a way to get back an id token by doing a direct access grant with kerberos negotiate instead of a password?
>
> Thanks,
> Kevin

From huwmcnamara at msn.com Fri May 24 12:32:30 2019
From: huwmcnamara at msn.com (Huw McNamara)
Date: Fri, 24 May 2019 16:32:30 +0000
Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load

Hi David,

We had a similar problem that was caused by the enhanced validation added in later EAPs, mentioned here https://access.redhat.com/solutions/4010511

I can't remember the exact solution but I think we had a class wrongly specified in our xml and we had to correct it per the documentation https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management#example_oracle_xa_datasource.

Regards,
Huw

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of David Paul
Sent: 23 May 2019 17:44
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load

Any ideas on this? One suggestion was to use the CLI to add the driver. Tried that and no change.

Is there a way to increase logging beyond DEBUG? Or is there somewhere it logs more information other than the server.log file? It says failed to load but doesn't give details as to why.

Thanks,
Dave

Harriscomputer
David Paul
Manager, Application Development
P: 403-218-2010 x79107
F: 403-218-2012
E: dpaul at cognera.com
530 - 8 Avenue SW Suite 920
Calgary, Alberta T2P 3S8
www.cognera.com

This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure.
If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.

From: David Paul
Sent: Wednesday, May 22, 2019 11:34 AM
To: keycloak-user at lists.jboss.org
Subject: Upgrade to 6.0.1 - Oracle driver failing to load

Hi,

I have a working standalone 3.2.1 on linux using Oracle DB 12.1 as its data store that I'm upgrading to 6.0.1. I'm running into a problem getting it to load the oracle driver and I assume I'm missing a step but I have followed the guide here: https://www.keycloak.org/docs/latest/upgrading/index.html

I have:
unpacked 6.0.1
mv standalone directory to standalone.old
cp -R 3.2.1/standalone to 6.0.1/
cp -R 3.2.1/modules/system/layers/keycloak/org/oracle 6.0.1/modules/system/layers/keycloak/org/
cp -R 3.2.1/themes/ 6.0.1/themes/
6.0.1/bin/jboss-cli.sh -file=bin/migrate-standalone.cli (feedback indicates success on all actions)
Made sure migrationStrategy value="update"

When I run 6.0.1/bin/standalone.sh I get:
...
09:26:10,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 31) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("jdbc-driver" => "oracle") ]) - failure description: "WFLYJCA0114: Failed to load datasource class: oracle.jdbc.driver.OracleDriver"

Again, this works in my 3.2.1 on the same server, so I assume my datasource and driver declaration are correct in standalone.xml file as well as the module.xml and ojdbc8.jar. I also can confirm the datastore is in use for the 3.2.1 install through connecting to the DB store using TOAD for oracle. I have confirmed permissions on the entire Keycloak directory structure are identical between the 3.2.1 and 6.0.1 locations.

Is there another step or declaration of the driver or something that I must do?
Thank you for your time,
Dave

From aechols at bfcsaz.com Fri May 24 13:52:17 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Fri, 24 May 2019 10:52:17 -0700
Subject: [keycloak-user] LDAP user federation with AD range retrieval
References: <043E0808-92C9-4016-80E8-AD2117C786CD@info.nl>

So I have a partial workaround, I have different OU's for my groups for IT and for Users. I added multiple group mappers to handle the different OU's, so I didn't suck all groups in Keycloak. The one that was pulling in the large group wasn't working right. It would pull in the groups, but it wouldn't populate the users correctly, while the group mapper for the IT OU was populating correctly.

TLDR; it seems you can't have more than one group mapper per user federation for Active Directory. Not sure if it's a bug or not...
--
Aaron Echols

On Thu, May 23, 2019 at 4:57 PM Aaron Echols wrote:

> So does anyone have any ideas on this? It shows users in the groups, if I check the user it doesn't show they are members...
>
> kcadm.sh get users/uid/groups -r realm
> [ ]
>
> The WebUi shows them in this group, but none of the users show associated with the group when I view them or use kcadm.sh to check their group membership.
>
> Starting to pull my hair out haha!
> --
> Aaron Echols
>
> On Thu, May 23, 2019 at 4:43 PM Aaron Echols wrote:
>
>> BTW, I have 3500 users in my group, it's still not syncing entirely. Since I can't seem to actually figure out a way (even using kcadm.sh) to list out the number of users in the Keycloak group, it's making it harder to see if it's another value that needs to be adjusted in Active Directory or something on Keycloak's side. It's such a pain.
>> --
>> Aaron Echols
>>
>> On Thu, May 23, 2019 at 9:53 AM Aaron Echols wrote:
>>
>>> This looks to be an issue still in 5.0.0. Did you end up creating a ticket for this?
>>> I had to do the same workaround for a similar issue I'm having with larger groups not syncing from AD > Keycloak. Raising the MaxValRange allowed that group to sync as well.
>>> --
>>> Aaron Echols
>>>
>>> On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at info.nl> wrote:
>>>
>>>> Hello,
>>>>
>>>> We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this:
>>>>
>>>> Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
>>>>   at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
>>>>   at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
>>>>   at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
>>>>   at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
>>>>   at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
>>>>   at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
>>>>   at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
>>>>   at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
>>>>   ...
>>>> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>>>>   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>>>>   at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>>>   at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>>>   at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>>>   at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>>>>   at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>>>>   at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>>>>   at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>>   at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>>
>>>> After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval .
>>>> When I look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role.
>>>>
>>>> For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil for more info about this.
>>>>
>>>> The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so I will create a jira ticket for that.
>>>>
>>>> Did anyone else maybe run into this issue, and if so had another solution for it?
>>>>
>>>> Kind regards,
>>>> Sidney Beekhoven
>>>
>>>

From corentin.dupont at gmail.com Sat May 25 11:56:57 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sat, 25 May 2019 17:56:57 +0200
Subject: [keycloak-user] Permissions performance problem

Hi guys,
I noticed that if I request permissions with one client, it is faster than with another one. For instance:

TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=cdupont&password=xxx&grant_type=password&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
time curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $TOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"

real 0m0,196s
user 0m0,000s
sys 0m0,006s

TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=cdupont&password=xxx&grant_type=password&client_id=dashboard' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
time curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $TOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"

real 0m2,142s
user 0m0,006s
sys 0m0,006s

The only
difference between the two commands is the client (the client_id parameter). With the second client, it takes 2 seconds more consistently.
Any idea? It might be a cache problem...
Cheers
Corentin

From ah.ping.luk at gmail.com Sun May 26 22:48:24 2019
From: ah.ping.luk at gmail.com (Paul Luk)
Date: Mon, 27 May 2019 10:48:24 +0800
Subject: [keycloak-user] Question about how to extend or know more about keycloak

Hi all,
I am now checking keycloak to see whether I can adopt it and extend it to fulfill my project's requirement. However, when I try to check the source code in github, I found there is almost no comment on the source code of keycloak!!!
The javadocs are empty: https://www.keycloak.org/docs-api/6.0/javadocs/index.html
I am quite surprised at how you guys can develop and maintain keycloak! Without the code comments or javadocs, it will be difficult for me to study and extend keycloak (not even enough for creating SPI).
Thanks.

From vinogradov.a.i.93 at gmail.com Mon May 27 03:51:10 2019
From: vinogradov.a.i.93 at gmail.com (Алексей Виноградов)
Date: Mon, 27 May 2019 14:51:10 +0700
Subject: [keycloak-user] [Keycloak-admin-client] An error message when changing password.

Hello everyone.
I have a question about the REST API of Keycloak. When I attempt to change a user's password via the REST API to a password that does not meet the security constraints of Keycloak, I receive a BadRequestError without additional information about what went wrong. But when I change the password in the Administration console I see an exact error. So, how can I get the exact problem with my password?
My use case is this: I have a frontend (html/css) that communicates with a backend that communicates with Keycloak. A user wants to change the password of his/her account, so he/she clicks on a button on some form, and makes a request to the backend to change the password. The backend processes that request and asks Keycloak to change the user's password.
In case the password doesn't meet the security constraints I want to provide the user with the exact error.
Thanks to all.
--
Best regards,
Vinogradov Alexey
vinogradov.a.i.93 at gmail.com
+7 983 311 38 40

From keycloak-user at imber.wien Mon May 27 04:13:36 2019
From: keycloak-user at imber.wien (Mario Imber)
Date: Mon, 27 May 2019 10:13:36 +0200
Subject: [keycloak-user] User Export with Storage Providers inefficient
In-Reply-To: <481d533b9e476b18a7b0f70dbcdc0a59@imber.wien>
References: <22966735ec75fef9f5f73b827865e82d@imber.wien> <481d533b9e476b18a7b0f70dbcdc0a59@imber.wien>
Message-ID: <6155175b-7b2a-f66e-0de6-b771645f2d4c@imber.wien>

Hi,

are there any news on this one? Should I rather create a Jira task for this user export issue?

Thanks, regards,
Mario.

On 27.05.2019 at 10:04, mario at imber.wien wrote:
> Hi,
>
> I was doing some research on an issue we encountered with user export (at boot-time). The export task was running for hours with ~50.000 LDAP-backed Users and eventually crashed. It obviously got slower and slower with each user bulk.
>
> I observed that this also happens with local-only users, as soon as an LDAP provider is configured and enabled.
>
> SQL log output showed, that for each user-select for a given "page" (limit and offset), all preceding pages are queried first, which explains the deterioration over time (quadratic complexity).
>
> The responsible Code (KC 4.8.3) is UserStorageManager#query(...). If any enabled storage providers exist, this method queries all pages up to the requested one.
>
> I then found this explanation of Summer 2016:
> http://lists.jboss.org/pipermail/keycloak-dev/2016-June/007448.html
>
>> Right now I've implemented something that is pretty inefficient to keep it backward compatible right now. Basically I iterate all providers from the beginning until the page desired is identified and filled up. Minimally it is a stop gap until I get everything working.
>
> ...
> so it seems to be a concession to backwards compatibility, back when storage federation got refactored.
>
> Can you think of a workaround to make user export usable for us?
>
> Do you plan to drop or improve the current pagination behavior at some point?
>
> Thanks,
> best regards,
> Mario.

From tom.billiet at airties.com Mon May 27 04:37:11 2019
From: tom.billiet at airties.com (Tom Billiet)
Date: Mon, 27 May 2019 08:37:11 +0000
Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades
In-Reply-To: <1558695257.12963.52.camel@ericsson.com>
References: <1558445890.12963.11.camel@ericsson.com> <1558534286.12963.21.camel@ericsson.com> <1558695257.12963.52.camel@ericsson.com>

Correct.
Have a look at modules/system/layers/keycloak/org/keycloak/keycloak-model-jpa/main/keycloak-model-jpa-4.8.2.Final.jar in your keycloak installation. Unzip it and you can find "META-INF/jpa-changelog-*" files with the database migrations.

Best regards,
Tom

-----Original Message-----
From: Shiva Prasad Thagadur Prakash
Sent: Friday, 24 May 2019 12:54
To: Tom Billiet ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Does keycloak support multi-hop database schema upgrades

Hi Tom,
Thank you very much for the reply. A small follow-up question.

"Every database schema is packaged" - do you mean the required scripts are packaged in the released version of keycloak and when a user starts keycloak it will automatically do the needful? Eagerly waiting to hear from you.

Thanks,
Shiva

On Thu, 2019-05-23 at 07:22 +0000, Tom Billiet wrote:
> I'm not a developer of keycloak itself, but I'd say yes.
> It uses liquibase internally, and every database schema change is packaged. It will figure out whatever (liquibase) changes are not applied yet and apply them one by one.
>
> Best regards,
> Tom
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Shiva Prasad Thagadur Prakash
> Sent: Wednesday, 22 May 2019 16:11
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Does keycloak support multi-hop database schema upgrades
>
> Hi Guys,
>
> Does keycloak support migrating database schema from any keycloak version to any keycloak version with no requirement to incrementally go through each intermediate version. Eagerly waiting to hear from you.
>
> Thanks,
> Shiva
> On Tue, 2019-05-21 at 13:38 +0000, Shiva Prasad Thagadur Prakash wrote:
> >
> > Hi Guys,
> > Eagerly waiting for your responses!
> >
> > Thanks,
> > Shiva
> > On Tue, 2019-05-21 at 09:20 +0300, Shiva Prasad Thagadur Prakash wrote:
> > >
> > > Hi Guys,
> > >
> > > Does keycloak/Liquibase support multi-hop schema migration?
> > >
> > > Thanks & regards,
> > > Shiva
>
>
> This message has been scanned for malware by Websense.
https://protect2.fireeye.com/url?k=6bee191c-373a12a2-6bee5987-86742d02e7e2-175350837bf3359f&q=1&u=http%3A%2F%2Fwww.websense.com%2F

From shiva.prasad.thagadur.prakash at ericsson.com Mon May 27 04:54:54 2019
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Mon, 27 May 2019 08:54:54 +0000
Subject: [keycloak-user] Does keycloak support multi-hop database schema upgrades
In-Reply-To:
References: <1558445890.12963.11.camel@ericsson.com> <1558534286.12963.21.camel@ericsson.com> <1558695257.12963.52.camel@ericsson.com>
Message-ID: <1558947293.12963.61.camel@ericsson.com>

Thank you very much Tom. I will look into it.

Best regards,
Shiva

On ma, 2019-05-27 at 08:37 +0000, Tom Billiet wrote:
> Correct.
> Have a look at modules/system/layers/keycloak/org/keycloak/keycloak-model-jpa/main/keycloak-model-jpa-4.8.2.Final.jar in your keycloak installation. Unzip it and you can find "META-INF/jpa-changelog-*" files with the database migrations.
>
> Best regards,
> Tom
>
> -----Original Message-----
> From: Shiva Prasad Thagadur Prakash
> Sent: Friday, 24 May 2019 12:54
> To: Tom Billiet; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Does keycloak support multi-hop database schema upgrades
>
> Hi Tom,
> Thank you very much for the reply. A small follow-up question.
>
> "Every database schema is packaged" - do you mean the required scripts are packaged in the released version of keycloak and when a user starts keycloak it will automatically do the needful? Eagerly waiting to hear from you.
>
> Thanks,
> Shiva
> On to, 2019-05-23 at 07:22 +0000, Tom Billiet wrote:
> >
> > I'm not a developer of keycloak itself, but I'd say yes.
> > It uses liquibase internally, and every database schema change is packaged. It will figure out whatever (liquibase) changes are not applied yet and apply them one by one.
> >
> > Best regards,
> > Tom
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org On Behalf Of Shiva Prasad Thagadur Prakash
> > Sent: Wednesday, 22 May 2019 16:11
> > To: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Does keycloak support multi-hop database schema upgrades
> >
> > Hi Guys,
> >
> > Does keycloak support migrating database schema from any keycloak version to any keycloak version with no requirement to incrementally go through each intermediate version? Eagerly waiting to hear from you.
> >
> > Thanks,
> > Shiva
> > On ti, 2019-05-21 at 13:38 +0000, Shiva Prasad Thagadur Prakash wrote:
> > >
> > > Hi Guys,
> > > Eagerly waiting for your responses!
> > >
> > > Thanks,
> > > Shiva
> > > On ti, 2019-05-21 at 09:20 +0300, Shiva Prasad Thagadur Prakash wrote:
> > > >
> > > > Hi Guys,
> > > >
> > > > Does keycloak/Liquibase support multi-hop schema migration?
> > > >
> > > > Thanks & regards,
> > > > Shiva
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
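Tom's pointer above (the META-INF/jpa-changelog-* files inside the keycloak-model-jpa jar) can be turned into a pre-upgrade review: list which changeSets the new jar carries and which of them the database has not applied yet, before the server is allowed to run them at startup. The script below is an added example, not Keycloak's or Liquibase's own tooling. It assumes only that the jar is a zip archive whose META-INF/jpa-changelog-*.xml entries are Liquibase XML changelogs, and that Liquibase identifies an applied changeSet by (filename, id, author), the FILENAME/ID/AUTHOR columns of its DATABASECHANGELOG table. The sample jar it builds in memory is constructed for the example; point `packaged_changesets` at the real jar path (and `pending_changesets` at the rows read from your DATABASECHANGELOG table) to see what an upgrade would apply.

```python
"""List the Liquibase changeSets packaged in a keycloak-model-jpa jar.

Added example, not Keycloak's own tooling. Assumptions:
  * the jar is a zip archive whose META-INF/jpa-changelog-*.xml entries
    are Liquibase XML changelogs (the layout Tom describes);
  * Liquibase identifies an applied changeSet by (filename, id, author),
    the FILENAME/ID/AUTHOR columns of its DATABASECHANGELOG table.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

LIQUIBASE_NS = "{http://www.liquibase.org/xml/ns/dbchangelog}"
CHANGELOG_RE = re.compile(r"^META-INF/jpa-changelog-.*\.xml$")


def _changelog_names(zf):
    """Changelog entries in archive order; everything else in the jar is skipped."""
    return [n for n in zf.namelist() if CHANGELOG_RE.match(n)]


def list_changelogs(jar):
    """Names of the jpa-changelog-* entries; `jar` is a path or a file object."""
    with zipfile.ZipFile(jar) as zf:
        return _changelog_names(zf)


def packaged_changesets(jar):
    """(filename, id, author) for every changeSet in every packaged changelog.

    The master changelog only <include>s the others, so it contributes none.
    """
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in _changelog_names(zf):
            root = ET.fromstring(zf.read(name))
            for cs in root.iter(LIQUIBASE_NS + "changeSet"):
                found.append((name, cs.get("id"), cs.get("author")))
    return found


def pending_changesets(jar, applied):
    """ChangeSets the jar carries that are missing from `applied`, the
    (filename, id, author) rows of DATABASECHANGELOG: what startup would run."""
    applied = set(applied)
    return [cs for cs in packaged_changesets(jar) if cs not in applied]


def build_sample_jar():
    """Constructed stand-in for keycloak-model-jpa-*.jar; ids and authors are made up."""
    def changelog(*changesets):
        body = "".join(
            f'  <changeSet id="{cid}" author="{author}">\n'
            f'    <createTable tableName="{table}"><column name="ID" type="VARCHAR(36)"/></createTable>\n'
            "  </changeSet>\n"
            for cid, author, table in changesets
        )
        return (
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog">\n'
            f"{body}</databaseChangeLog>\n"
        )

    master = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog">\n'
        '  <include file="META-INF/jpa-changelog-1.0.0.Final.xml"/>\n'
        '  <include file="META-INF/jpa-changelog-4.8.0.Final.xml"/>\n'
        "</databaseChangeLog>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/jpa-changelog-1.0.0.Final.xml",
                    changelog(("1.0.0.Final", "example@example.org", "EXAMPLE_A")))
        zf.writestr("META-INF/jpa-changelog-4.8.0.Final.xml",
                    changelog(("4.8.0.Final-1", "example@example.org", "EXAMPLE_B"),
                              ("4.8.0.Final-2", "example@example.org", "EXAMPLE_C")))
        zf.writestr("META-INF/jpa-changelog-master.xml", master)
        zf.writestr("org/keycloak/models/jpa/Placeholder.class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    jar = build_sample_jar()
    # Pretend the database has already applied the 1.0.0.Final changeSet.
    applied = {("META-INF/jpa-changelog-1.0.0.Final.xml", "1.0.0.Final", "example@example.org")}
    for filename, cid, author in pending_changesets(jar, applied):
        print(f"pending: {filename} id={cid} author={author}")
```

Comparing the packaged list against DATABASECHANGELOG before starting the new version shows exactly which migrations the automatic Liquibase run will apply, which is what you want reviewed (and backed up) in advance when jumping several versions at once.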
From Per.Erik.Gransoe at Systematic.com Mon May 27 07:11:06 2019
From: Per.Erik.Gransoe at Systematic.com (Per Erik Gransøe)
Date: Mon, 27 May 2019 11:11:06 +0000
Subject: [keycloak-user] Fine-grained enough for local group admins?
Message-ID:

Hi

Can I solve the following with KeyCloak, with fine-grained permissions enabled? (also posted here: https://stackoverflow.com/questions/51616770/keycloak-restricting-user-management-to-certain-groups-while-enabling-manage-us):

We have Group X and Group Y.

The role 'Group X Admin' can do the following:

1. Can create users without a group.
2. Can assign users without a group to group X.
3. Can edit and manage users in group X.
4. Cannot see/edit/manage users in group Y.

Med venlig hilsen / Kind regards

Per Erik Gransøe
Senior Systems Engineer

Søren Frichs Vej 39, 8000 Aarhus C
Denmark

Mobile: +45 3038 6841
Per.Erik.Gransoe at Systematic.com
www.systematic.com

From brunojcm at gmail.com Mon May 27 07:30:50 2019
From: brunojcm at gmail.com (Bruno Medeiros)
Date: Mon, 27 May 2019 19:30:50 +0800
Subject: [keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there
Message-ID:

Hi, everyone.

First off, I've been using Keycloak in production for quite a while now, it is working great, thanks everyone involved!

I'm trying to add a new Oidc client now which is a third-party cloud service, and they are struggling to handle the CODE_TO_TOKEN Keycloak response.
The error that shows up to the user is:

Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException] Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()

After a few emails with their support team, they said:

"... The error is related to the 'not-before-policy' parameter that is included in the response which is not part of the OIDC protocol but a Keycloak specific extension. This parameter gets its value from: Clients -> {client name} -> Revocation. We set this option to none hoping that it will not be included in the response, however what I got was ['not-before-policy'] => 0. So we couldn't find a way to remove this parameter from the response. You need to contact Keycloak and ask them if there is any way to remove this parameter from the response, since it is not part of the OIDC protocol."

Well, yes, it's a Keycloak-specific extension, but they shouldn't be crashing because it's there; AFAIK they should be just ignoring this in the token and proceeding with the login process.

Based on our experience so far, we are going to have a hard time "convincing" them about that, though, so I was wondering if Keycloak allows us to disable the not-before-policy for a specific client, or even in the realm at all?

If not, any pieces of advice on how to support the fact that they should not be crashing on the client side? I'm afraid I don't know the Oidc/Oauth2 specs broadly enough so far to be sure about that and sustain my opinion.

Cheers,

--
BrunoJCM

From psilva at redhat.com Mon May 27 08:49:58 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 27 May 2019 09:49:58 -0300
Subject: [keycloak-user] Fine-grained enough for local group admins?
In-Reply-To:
References:
Message-ID:

You should be able to do #3 and #4. For #1 and #2, we would need to allow you to obtain the user being created/changed as a resource. Today we always pass a "Users" resource representing all users.
Please, open a JIRA with more details about your scenario so that we can consider the requirements in future versions and improvements to the functionality.

On Mon, May 27, 2019 at 8:15 AM Per Erik Gransøe <Per.Erik.Gransoe at systematic.com> wrote:

> Hi
>
> Can I solve the following with KeyCloak, with fine-grained permissions enabled? (also posted here: https://stackoverflow.com/questions/51616770/keycloak-restricting-user-management-to-certain-groups-while-enabling-manage-us):
>
> We have Group X and Group Y.
>
> The role 'Group X Admin' can do the following:
>
> 1. Can create users without a group.
> 2. Can assign users without a group to group X.
> 3. Can edit and manage users in group X.
> 4. Cannot see/edit/manage users in group Y.
>
> Med venlig hilsen / Kind regards
>
> Per Erik Gransøe
> Senior Systems Engineer
>
> Søren Frichs Vej 39, 8000 Aarhus C
> Denmark
>
> Mobile: +45 3038 6841
> Per.Erik.Gransoe at Systematic.com
> www.systematic.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From p.ahlers at nedasco.nl Mon May 27 08:59:58 2019
From: p.ahlers at nedasco.nl (Ahlers P. (Peter))
Date: Mon, 27 May 2019 12:59:58 +0000
Subject: [keycloak-user] keycloak+angular+serviceworker
Message-ID:

Hello,

It's my first time here on this mailing list, so please be gentle if I break netiquette.

I'm working on a project with Keycloak, keycloak.js, keycloak-angular, Angular and service workers. We have multiple Angular applications, each with their own client. All the applications use the same realm. Every application is using the default service worker of Angular.

We see strange behavior when navigating between applications.

1) URLs which contain a part of the first URL and a part of the second URL.
2) Navigating between applications and the client-id is from the current application and the redirect-url is from the second application. I know it's a specific setup, but is anyone recognize his behavior? Kind regard, Peter From psilva at redhat.com Mon May 27 09:54:20 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 27 May 2019 10:54:20 -0300 Subject: [keycloak-user] Permissions performance problem In-Reply-To: References: Message-ID: Hi, The resource set is the same in both scenarios as they are related to api-server. The same goes for permissions and policies. I don't know what may be causing this difference, but maybe you can find a clue when running the evaluation tool to compare how evaluation is performed in both situations. On Sat, May 25, 2019 at 1:12 PM Corentin Dupont wrote: > Hi guys, > I noticed that if I request permissions with one client, it is faster than > with another one. > For instance: > > TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" > -d > 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' > "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | > jq .access_token -r` > time curl -X POST > http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H > "Authorization: Bearer $TOKEN" -d > > "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" > *real 0m0,196s* > user 0m0,000s > sys 0m0,006s > > TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" > -d > 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' > "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | > jq .access_token -r` > time curl -X POST > http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H > "Authorization: Bearer $TOKEN" -d > > 
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" > *real 0m2,142s* > user 0m0,006s > sys 0m0,006s > > The only difference between the two commands is the client (highlighted in > red). With the second client, it takes 2 seconds more consistently. > Any idea? I might be a cache problem... > Cheers > Corentin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From luke at code-house.org Mon May 27 10:00:22 2019 From: luke at code-house.org (luke at code-house.org) Date: Mon, 27 May 2019 16:00:22 +0200 Subject: [keycloak-user] Permissions performance problem In-Reply-To: References: Message-ID: <8F0DD0F1-23BF-41F3-8CC4-6708D130AE38@code-house.org> Each grant type is processed in different branches of Token Endpoint thus they might (and very likely will) have different performance. Its well known that enabling fine grained access control generates extra load as these permissions needs to be read somehow. Kind regards, ?ukasz -- Code-House http://code-house.org > On 27 May 2019, at 15:54, Pedro Igor Silva wrote: > > Hi, > > The resource set is the same in both scenarios as they are related to > api-server. The same goes for permissions and policies. > > I don't know what may be causing this difference, but maybe you can find a > clue when running the evaluation tool to compare how evaluation is > performed in both situations. > > On Sat, May 25, 2019 at 1:12 PM Corentin Dupont > wrote: > >> Hi guys, >> I noticed that if I request permissions with one client, it is faster than >> with another one. 
>> For instance: >> >> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >> -d >> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' >> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | >> jq .access_token -r` >> time curl -X POST >> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H >> "Authorization: Bearer $TOKEN" -d >> >> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >> *real 0m0,196s* >> user 0m0,000s >> sys 0m0,006s >> >> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >> -d >> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' >> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | >> jq .access_token -r` >> time curl -X POST >> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H >> "Authorization: Bearer $TOKEN" -d >> >> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >> *real 0m2,142s* >> user 0m0,006s >> sys 0m0,006s >> >> The only difference between the two commands is the client (highlighted in >> red). With the second client, it takes 2 seconds more consistently. >> Any idea? I might be a cache problem... 
>> Cheers >> Corentin >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From corentin.dupont at gmail.com Mon May 27 10:26:10 2019 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Mon, 27 May 2019 16:26:10 +0200 Subject: [keycloak-user] Permissions performance problem In-Reply-To: References: Message-ID: Hi Pedro and Luke, I tried with the "evaluate" tab in the UI. Just by changing the client in the evaluate tab (first dropbox), I obtain significant performance changes: - with "api-server" client: 2.5 seconds. - with "dashboard" client: 5 seconds. With the API, the difference is even more significant (200ms vs 2s) Note that the resources belong to "api-server". So it might be some communication delay between the clients as suggested by Luke (if I understood correctly)? On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva wrote: > Hi, > > The resource set is the same in both scenarios as they are related to > api-server. The same goes for permissions and policies. > > I don't know what may be causing this difference, but maybe you can find a > clue when running the evaluation tool to compare how evaluation is > performed in both situations. > > On Sat, May 25, 2019 at 1:12 PM Corentin Dupont > wrote: > >> Hi guys, >> I noticed that if I request permissions with one client, it is faster than >> with another one. 
>> For instance: >> >> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >> -d >> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' >> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >> | >> jq .access_token -r` >> time curl -X POST >> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H >> "Authorization: Bearer $TOKEN" -d >> >> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >> *real 0m0,196s* >> user 0m0,000s >> sys 0m0,006s >> >> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >> -d >> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' >> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >> | >> jq .access_token -r` >> time curl -X POST >> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H >> "Authorization: Bearer $TOKEN" -d >> >> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >> *real 0m2,142s* >> user 0m0,006s >> sys 0m0,006s >> >> The only difference between the two commands is the client (highlighted in >> red). With the second client, it takes 2 seconds more consistently. >> Any idea? I might be a cache problem... >> Cheers >> Corentin >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From psilva at redhat.com Mon May 27 10:48:25 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 27 May 2019 11:48:25 -0300 Subject: [keycloak-user] Permissions performance problem In-Reply-To: References: Message-ID: Is there a difference in the number of permissions/resources granted on each run? 
Maybe, permissions are being run twice when using dashboard. Still not clear to me why. I would need to reproduce this behavior somehow. Is there any client mapper associated with dashboard that is not set to api-server ? On Mon, May 27, 2019 at 11:26 AM Corentin Dupont wrote: > Hi Pedro and Luke, > I tried with the "evaluate" tab in the UI. > Just by changing the client in the evaluate tab (first dropbox), I obtain > significant performance changes: > - with "api-server" client: 2.5 seconds. > - with "dashboard" client: 5 seconds. > With the API, the difference is even more significant (200ms vs 2s) > > Note that the resources belong to "api-server". So it might be some > communication delay between the clients as suggested by Luke (if I > understood correctly)? > > > On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva > wrote: > >> Hi, >> >> The resource set is the same in both scenarios as they are related to >> api-server. The same goes for permissions and policies. >> >> I don't know what may be causing this difference, but maybe you can find >> a clue when running the evaluation tool to compare how evaluation is >> performed in both situations. >> >> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi guys, >>> I noticed that if I request permissions with one client, it is faster >>> than >>> with another one. 
>>> For instance: >>> >>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >>> -d >>> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' >>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>> | >>> jq .access_token -r` >>> time curl -X POST >>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>> -H >>> "Authorization: Bearer $TOKEN" -d >>> >>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >>> *real 0m0,196s* >>> user 0m0,000s >>> sys 0m0,006s >>> >>> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" >>> -d >>> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' >>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>> | >>> jq .access_token -r` >>> time curl -X POST >>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>> -H >>> "Authorization: Bearer $TOKEN" -d >>> >>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >>> *real 0m2,142s* >>> user 0m0,006s >>> sys 0m0,006s >>> >>> The only difference between the two commands is the client (highlighted >>> in >>> red). With the second client, it takes 2 seconds more consistently. >>> Any idea? I might be a cache problem... 
>>> Cheers >>> Corentin >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From psilva at redhat.com Mon May 27 10:52:29 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 27 May 2019 11:52:29 -0300 Subject: [keycloak-user] Permissions performance problem In-Reply-To: References: Message-ID: If you try to evaluate for a single resource/permissions, do you also see the difference ? On Mon, May 27, 2019 at 11:48 AM Pedro Igor Silva wrote: > Is there a difference in the number of permissions/resources granted on > each run? > > Maybe, permissions are being run twice when using dashboard. Still not > clear to me why. I would need to reproduce this behavior somehow. > > Is there any client mapper associated with dashboard that is not set to > api-server ? > > On Mon, May 27, 2019 at 11:26 AM Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Hi Pedro and Luke, >> I tried with the "evaluate" tab in the UI. >> Just by changing the client in the evaluate tab (first dropbox), I obtain >> significant performance changes: >> - with "api-server" client: 2.5 seconds. >> - with "dashboard" client: 5 seconds. >> With the API, the difference is even more significant (200ms vs 2s) >> >> Note that the resources belong to "api-server". So it might be some >> communication delay between the clients as suggested by Luke (if I >> understood correctly)? >> >> >> On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva >> wrote: >> >>> Hi, >>> >>> The resource set is the same in both scenarios as they are related to >>> api-server. The same goes for permissions and policies. >>> >>> I don't know what may be causing this difference, but maybe you can find >>> a clue when running the evaluation tool to compare how evaluation is >>> performed in both situations. 
>>> >>> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Hi guys, >>>> I noticed that if I request permissions with one client, it is faster >>>> than >>>> with another one. >>>> For instance: >>>> >>>> TOKEN=`curl -X POST -H "Content-Type: >>>> application/x-www-form-urlencoded" >>>> -d >>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' >>>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>>> | >>>> jq .access_token -r` >>>> time curl -X POST >>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>>> -H >>>> "Authorization: Bearer $TOKEN" -d >>>> >>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >>>> *real 0m0,196s* >>>> user 0m0,000s >>>> sys 0m0,006s >>>> >>>> TOKEN=`curl -X POST -H "Content-Type: >>>> application/x-www-form-urlencoded" >>>> -d >>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' >>>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>>> | >>>> jq .access_token -r` >>>> time curl -X POST >>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>>> -H >>>> "Authorization: Bearer $TOKEN" -d >>>> >>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >>>> *real 0m2,142s* >>>> user 0m0,006s >>>> sys 0m0,006s >>>> >>>> The only difference between the two commands is the client (highlighted >>>> in >>>> red). With the second client, it takes 2 seconds more consistently. >>>> Any idea? I might be a cache problem... 
>>>> Cheers
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>

From corentin.dupont at gmail.com Mon May 27 11:07:58 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 27 May 2019 17:07:58 +0200
Subject: [keycloak-user] Permissions performance problem
In-Reply-To:
References:
Message-ID:

There seems to be a difference when evaluating only one permission. But it's difficult to see as times are very short.
- with "api-server" client: around 0,035s
- with "dashboard" client: around 0,050s
But the response times are quite variable.

On Mon, May 27, 2019 at 4:52 PM Pedro Igor Silva wrote:

> If you try to evaluate for a single resource/permissions, do you also see the difference ?
>
> On Mon, May 27, 2019 at 11:48 AM Pedro Igor Silva wrote:
>
>> Is there a difference in the number of permissions/resources granted on each run?
>>
>> Maybe, permissions are being run twice when using dashboard. Still not clear to me why. I would need to reproduce this behavior somehow.
>>
>> Is there any client mapper associated with dashboard that is not set to api-server ?
>>
>> On Mon, May 27, 2019 at 11:26 AM Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Hi Pedro and Luke,
>>> I tried with the "evaluate" tab in the UI.
>>> Just by changing the client in the evaluate tab (first dropbox), I obtain significant performance changes:
>>> - with "api-server" client: 2.5 seconds.
>>> - with "dashboard" client: 5 seconds.
>>> With the API, the difference is even more significant (200ms vs 2s)
>>>
>>> Note that the resources belong to "api-server". So it might be some communication delay between the clients as suggested by Luke (if I understood correctly)?
>>> >>> >>> On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva >>> wrote: >>> >>>> Hi, >>>> >>>> The resource set is the same in both scenarios as they are related to >>>> api-server. The same goes for permissions and policies. >>>> >>>> I don't know what may be causing this difference, but maybe you can >>>> find a clue when running the evaluation tool to compare how evaluation is >>>> performed in both situations. >>>> >>>> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Hi guys, >>>>> I noticed that if I request permissions with one client, it is faster >>>>> than >>>>> with another one. >>>>> For instance: >>>>> >>>>> TOKEN=`curl -X POST -H "Content-Type: >>>>> application/x-www-form-urlencoded" >>>>> -d >>>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' >>>>> " >>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>>>> | >>>>> jq .access_token -r` >>>>> time curl -X POST >>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>>>> -H >>>>> "Authorization: Bearer $TOKEN" -d >>>>> >>>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >>>>> *real 0m0,196s* >>>>> user 0m0,000s >>>>> sys 0m0,006s >>>>> >>>>> TOKEN=`curl -X POST -H "Content-Type: >>>>> application/x-www-form-urlencoded" >>>>> -d >>>>> 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' >>>>> " >>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>>>> | >>>>> jq .access_token -r` >>>>> time curl -X POST >>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>>>> -H >>>>> "Authorization: Bearer $TOKEN" -d >>>>> >>>>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" >>>>> *real 0m2,142s* >>>>> user 
0m0,006s
>>>>> sys 0m0,006s
>>>>>
>>>>> The only difference between the two commands is the client (highlighted in red). With the second client, it takes 2 seconds more consistently.
>>>>> Any idea? It might be a cache problem...
>>>>> Cheers
>>>>> Corentin
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>

From corentin.dupont at gmail.com Mon May 27 12:35:11 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 27 May 2019 18:35:11 +0200
Subject: [keycloak-user] Permissions performance problem
In-Reply-To:
References:
Message-ID:

Voila: https://issues.jboss.org/browse/KEYCLOAK-10407

From sthorger at redhat.com Mon May 27 13:00:29 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 27 May 2019 19:00:29 +0200
Subject: [keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there
In-Reply-To:
References:
Message-ID:

Can't remember if this was converted to a protocol mapper or not; if it is, then you should be able to just remove the protocol mapper. If it's not, open a feature request, or better yet a PR.

On Mon, 27 May 2019, 13:45 Bruno Medeiros, wrote:

> Hi, everyone.
>
> First off, I've been using Keycloak in production for quite a while now, it is working great, thanks everyone involved!
>
> I'm trying to add a new Oidc client now which is a third-party cloud service, and they are struggling to handle the CODE_TO_TOKEN Keycloak response.
> The error that shows up to the user is:
>
> Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException] Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()
>
> After a few emails with their support team, they said:
>
> "... The error is related to the 'not-before-policy' parameter that is included in the response which is not part of the OIDC protocol but a Keycloak specific extension. This parameter gets its value from: Clients -> {client name} -> Revocation. We set this option to none hoping that it will not be included in the response, however what I got was ['not-before-policy'] => 0. So we couldn't find a way to remove this parameter from the response. You need to contact Keycloak and ask them if there is any way to remove this parameter from the response, since it is not part of the OIDC protocol."
>
> Well, yes, it's a Keycloak-specific extension, but they shouldn't be crashing because it's there; AFAIK they should be just ignoring this in the token and proceeding with the login process.
>
> Based on our experience so far, we are going to have a hard time "convincing" them about that, though, so I was wondering if Keycloak allows us to disable the not-before-policy for a specific client, or even in the realm at all?
>
> If not, any pieces of advice on how to support the fact that they should not be crashing on the client side? I'm afraid I don't know the Oidc/Oauth2 specs broadly enough so far to be sure about that and sustain my opinion.
>
> Cheers,
>
> --
> BrunoJCM
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon May 27 13:02:36 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 27 May 2019 19:02:36 +0200
Subject: [keycloak-user] Keycloak Docker Domain Cluster
In-Reply-To:
References:
Message-ID:

That's assuming an old school cluster.

On Fri, 24 May 2019, 16:35 Frank Herrmann, <frank.herrmann at modernizingmedicine.com> wrote:

> The Keycloak documentation seems to imply that domain mode is preferable to standalone-ha in clustered environments.
> > From the server installation docs: > "Running a cluster in standard mode can quickly become aggravating as the > cluster grows in size. Every time you need to make a configuration change, > you have perform it on each node in the cluster. Domain mode solves this > problem by providing a central place to store and publish configuration. It > can be quite complex to set up, but it is worth it in the end." > > We have domain working without issue. We are just looking into moving out > deployment of Keycloak servers to docker. I'm working now on extending the > official Docker image to customize it for our environment and configuration. > > Thanks again, > > -Frank > > On Thu, May 23, 2019 at 11:35 PM Stian Thorgersen > wrote: > >> Domain mode doesn't really make all that much sense with things like >> Kubernetes and OpenShift as the platform adds the mechanisms itself so >> there's no need for domain mode. >> >> On Thu, 23 May 2019, 15:56 Frank Herrmann, < >> frank.herrmann at modernizingmedicine.com> wrote: >> >>> Thanks. That's what I figured. I always figured in a multi-server >>> production environment, the domain model is better than standalone-ha. >>> Since we have a lot of customization to Keycloak, with our themes and >>> custom authenticators, I'll use the official Keycloak docker project as a >>> guide and create one myself for our purposes. The domain configuration >>> is a >>> bit more complicated than standalone, so I can understand why it was left >>> out. >>> >>> Thanks again, >>> >>> -Frank >>> >>> On Thu, May 23, 2019 at 2:52 AM Sebastian Laskawiec >> > >>> wrote: >>> >>> > That is correct. The standalone (with or without HA) configuration is >>> by >>> > far the most popular. >>> > >>> > However, all the configuration files and scripts are there. I guess >>> you'd >>> > need to modify the bootstrap script to bootstrap domain (or host) >>> > controllers. 
>>> > >>> > On Wed, May 22, 2019 at 9:22 PM Frank Herrmann < >>> > frank.herrmann at modernizingmedicine.com> wrote: >>> > >>> >> Hello, >>> >> >>> >> As part of our upgrade to 6.0.1 we are looking to use the Keycloak >>> docker >>> >> images. Our currently installation (3.4.3) uses a domain cluster. >>> While >>> >> reviewing the Keycloak docker image, it appears that it only supports >>> >> standalone or standalone-ha (for clustering). Am I missing something, >>> or >>> >> will I need to customize the Keycloak docker image for domain >>> clustering? >>> >> Or was it specifically left out of the official docker image for a >>> good >>> >> reason? >>> >> >>> >> Thanks, >>> >> -Frank >>> >> >>> >> -- >>> >> FRANK HERRMANN >>> >> ASSOCIATE SOFTWARE ARCHITECT >>> >> >>> >> T: 561-880-2998 x1563 >>> >> >>> >> E: frank.herrmann at modmed.com >>> >> >>> >> >>> >> >>> >> [image: [ Modernizing Medicine ]] >>> >> [image: [ Facebook ]] >>> >> [image: >>> >> [ LinkedIn ]] >>> >> [image: >>> >> [ YouTube ]] >>> [image: [ >>> >> Twitter ]] [image: [ Blog ]] >>> >> [image: [ Instagram ]] >>> >> >>> >> >>> >> [image: [ MOMENTUM 2019 ]] >>> >> >>> >> -- >>> >> *CONFIDENTIALITY NOTICE:* This e-mail message may contain material >>> >> protected by the Health Insurance Portability and Accountability Act >>> of >>> >> 1996 and its implementing regulations and other state and federal laws >>> >> and >>> >> legal privileges. This message is only for the personal and >>> confidential >>> >> use of the individuals or organization to whom the message is >>> addressed. >>> >> If >>> >> you are an unintended recipient, you have received this message in >>> error, >>> >> and any reading, distributing, copying or disclosure is unauthorized >>> and >>> >> strictly prohibited. All recipients are hereby notified that any >>> >> unauthorized receipt does not waive any confidentiality obligations or >>> >> privileges. 
If you have received this message in error, please notify >>> the >>> >> sender immediately at the above email address and confirm that you >>> have >>> >> deleted or destroyed the message. >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user at lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> > >>> >>> -- >>> FRANK HERRMANN >>> ASSOCIATE SOFTWARE ARCHITECT >>> >>> T: 561-880-2998 x1563 >>> >>> E: frank.herrmann at modmed.com >>> >>> >>> >>> [image: [ Modernizing Medicine ]] >>> [image: [ Facebook ]] >>> [image: >>> [ LinkedIn ]] >>> [image: >>> [ YouTube ]] [image: [ >>> Twitter ]] [image: [ Blog ]] >>> [image: [ Instagram ]] >>> >>> >>> [image: [ MOMENTUM 2019 ]] >>> >>> -- >>> *CONFIDENTIALITY NOTICE:* This e-mail message may contain material >>> protected by the Health Insurance Portability and Accountability Act of >>> 1996 and its implementing regulations and other state and federal laws >>> and >>> legal privileges. This message is only for the personal and confidential >>> use of the individuals or organization to whom the message is addressed. >>> If >>> you are an unintended recipient, you have received this message in >>> error, >>> and any reading, distributing, copying or disclosure is unauthorized and >>> strictly prohibited. All recipients are hereby notified that any >>> unauthorized receipt does not waive any confidentiality obligations or >>> privileges. If you have received this message in error, please notify >>> the >>> sender immediately at the above email address and confirm that you have >>> deleted or destroyed the message. 
>>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -- > FRANK HERRMANN > ASSOCIATE SOFTWARE ARCHITECT > > T: 561-880-2998 x1563 > > E: frank.herrmann at modmed.com > > > > [image: [ Modernizing Medicine ]] > [image: [ Facebook ]] [image: > [ LinkedIn ]] [image: > [ YouTube ]] [image: [ > Twitter ]] [image: [ Blog ]] > [image: [ Instagram ]] > > > [image: [ MOMENTUM 2019 ]] > > > *CONFIDENTIALITY NOTICE:* This e-mail message may contain material > protected by the Health Insurance Portability and Accountability Act of > 1996 and its implementing regulations and other state and federal laws and > legal privileges. This message is only for the personal and confidential > use of the individuals or organization to whom the message is addressed. If > you are an unintended recipient, you have received this message in error, > and any reading, distributing, copying or disclosure is unauthorized and > strictly prohibited. All recipients are hereby notified that any > unauthorized receipt does not waive any confidentiality obligations or > privileges. If you have received this message in error, please notify the > sender immediately at the above email address and confirm that you have > deleted or destroyed the message. From demetrio at carretti.pro Mon May 27 18:07:19 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Tue, 28 May 2019 01:07:19 +0300 Subject: [keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there In-Reply-To: References: Message-ID: <959d58ab4d180ea22689ca48870ad6350b7bd610.camel@carretti.pro> Hi Bruno, The "not-before-policy" property cannot be disabled in Keycloak since it is hardcoded. 
And it is not the only problematic field, it's just alphabetically first, there are also non-standard "refresh_expires_in" and "session_state" that will also break your client. The bug is recognized by the author of the client library [2]. This is indeed a bug since the spec clearly says: > The client MUST ignore unrecognized value names in the response. [3] Hope that helps you to defend your position. Meanwhile, there are at least two workarounds (however hackish): - remove the problematic fields from org.keycloak.representations.AccessTokenResponse and dependent classes and recompile Keycloak - this will solve the problem, but will obviously lead to maintenance hell; - set up content filter in your reverse proxy to remove the fields from the token response. This will work since token response is not signed (opposite to tokens themselves). [1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java#L52 [2] https://github.com/ivan-novakov/php-openid-connect-client/issues/14 [3] https://tools.ietf.org/html/rfc6749#section-5.1 Good luck, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Mon, 2019-05-27 at 19:30 +0800, Bruno Medeiros wrote: > Hi, everyone. > > First off, I've been using Keycloak in production for quite a while now, it > is working great, thanks everyone involved! > > I'm trying to add a new Oidc client now which is a third-party cloud > service, and they are struggling to handle CODE_TO_TOKEN Keycload response. > The error that shows up to the user is: > > Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException] > Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy() > > After a few emails with their support team, they said: > > "*... The error is related to the ?not-before-policy? 
parameter that is > included in the response which is not part of the OIDC protocol but a > Keycloak specific extension. This parameter gets its value from: Clients -> > {client name} -> Revocation* > *We set this option to none hoping that it will not be included in the > response, however what I got was [?not-before-policy?] => 0. So we couldn?t > find a way to remove this parameter from the response. You need to contact > Keycloak and ask them if there is any way to remove this parameter from the > response, since it is not part of the OIDC protocol.*" > > > Well, yes, it's a Keycloak-specific extension, but they shouldn't be > crashing because it's there, AFAIK they should be just ignoring this in the > token and proceeding with the login process. > > Based on our experience so far, we are going to have a hard time > "convincing" them about that, though, so I was wondering if Keycloak allows > us to disable the not-before-policy to a specific client, or even in the > realm at all? > > If not, any pieces of advice on how to support the fact that they should > not be crashing on the client side? I'm afraid I don't now Oidc/Oauth2 > specs broadly enough so far to be sure about that and sustain my opinion. > > Cheers, > From demetrio at carretti.pro Mon May 27 18:09:03 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Tue, 28 May 2019 01:09:03 +0300 Subject: [keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there In-Reply-To: References: Message-ID: On Mon, 2019-05-27 at 19:00 +0200, Stian Thorgersen wrote: > Can't remember if this was converted to a protocol mapper or not, if it is > then you should be able to just remove the protocol mapper. If it's not > open a feature request and better yet a pr. The problematic "not-before-policy" is not a claim, it's a part of token response, and it is hardcoded as a @JsonProperty. 
But the client library is indeed buggy (and unmaintained for 5 years), see my reply to OP for details. Dmitry > > On Mon, 27 May 2019, 13:45 Bruno Medeiros, wrote: > > > Hi, everyone. > > > > First off, I've been using Keycloak in production for quite a while now, it > > is working great, thanks everyone involved! > > > > I'm trying to add a new Oidc client now which is a third-party cloud > > service, and they are struggling to handle CODE_TO_TOKEN Keycload response. > > The error that shows up to the user is: > > > > Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException] > > Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy() > > > > After a few emails with their support team, they said: > > > > "*... The error is related to the ?not-before-policy? parameter that is > > included in the response which is not part of the OIDC protocol but a > > Keycloak specific extension. This parameter gets its value from: Clients -> > > {client name} -> Revocation* > > *We set this option to none hoping that it will not be included in the > > response, however what I got was [?not-before-policy?] => 0. So we couldn?t > > find a way to remove this parameter from the response. You need to contact > > Keycloak and ask them if there is any way to remove this parameter from the > > response, since it is not part of the OIDC protocol.*" > > > > > > Well, yes, it's a Keycloak-specific extension, but they shouldn't be > > crashing because it's there, AFAIK they should be just ignoring this in the > > token and proceeding with the login process. > > > > Based on our experience so far, we are going to have a hard time > > "convincing" them about that, though, so I was wondering if Keycloak allows > > us to disable the not-before-policy to a specific client, or even in the > > realm at all? > > > > If not, any pieces of advice on how to support the fact that they should > > not be crashing on the client side? 
I'm afraid I don't now Oidc/Oauth2 > > specs broadly enough so far to be sure about that and sustain my opinion. > > > > Cheers, > > > > -- > > BrunoJCM > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From demetrio at carretti.pro Mon May 27 18:35:03 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Tue, 28 May 2019 01:35:03 +0300 Subject: [keycloak-user] [Keycloak-admin-client] An error message when changing password. In-Reply-To: References: Message-ID: <230b278f749a2d80326396715c0d94e2309f9d5d.camel@carretti.pro> Privet, Alexey :) Here's how password reset is done with Keycloak Admin REST API, assuming password policy violation: > PUT http://localhost:8080/auth/admin/realms/master/users/{user-id}/reset-password > {"type":"password","value":"foo","temporary":false} < 400 Bad Request < {"error":"invalidPasswordMinLengthMessage","error_description":"Invalid password: minimum length 8."} If I understand correctly, you get a javax.ws.rs.BadRequestException from the Java admin client. You could try calling getResponse().getEntity() on the exception object to obtain JSON response. Cheers, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Mon, 2019-05-27 at 14:51 +0700, ??????? ?????????? wrote: > Hello everyone. > > I have a question about REST API of the Keycloak. When I attempt to change > password via REST API of user to that password that not meets security > constraints of Keycloak, I recieve BadRequestError without additional > information of what goes wrong. But when I change password in > Administration console I see an exact error. 
> > So, how can I get a exact problem what wrong with my password? > > My usecase is that: > I have a frontend (html/css) that communicates with a backend that > communicates with the Keycloak. An user wants to change password of his/her > account so he/she click on button on some form, and makes a request to > backend to change password. A backend processes that request and ask > Keycloak to change user password. In case that password doesn't meet > security constraint I want to provide to user exact error. > > Thanks to all. > -- From farzad.panahi at gmail.com Tue May 28 02:27:58 2019 From: farzad.panahi at gmail.com (Farzad Panahi) Date: Mon, 27 May 2019 23:27:58 -0700 Subject: [keycloak-user] Securing RESTful API Best Practices In-Reply-To: References: Message-ID: Thanks Pedro. I am thinking to fetch all the permissions granted for the user and from there I can get all the resource names (books) and scopes user has access for. I have done this by getting the RPT from the Protection API in the backend and iteration over the "permissions". But I am thinking to cut a round-trip request and do this in the policy and push the resource names (with granted permission) as an arbitrary claim. But as far as I understand I only have access to Evaluation instance in the policy. Is there a way to get all the "permissions granted" for a user, in the policy? Cheers Farzad On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva wrote: > Sure. I'm not telling you that you should not use us to address your > requirements, but that you should take into account whether or not you are > using our authorization capabilities to process business rules, which is > not our focus. I wanted to let you know about other projects that are > targeted for this type of work. Sometimes, the borderline between security > constraints and business rules are very clear when you are externalizing > authorization from your application. > > But yeah, I think both approaches can work for you. 
The data filter > approach is could be very handy in order to filter resources that users can > access. So if you are able to group your users into groups and then write > policies that push back a claim based on the user membership, then you > should be able to keep your policies simple. This is probably the optimal > solution because it avoids additional requests from the server for checking > whether or not the user has access to a resource. > > On the other hand, you can use resource types. Or even have resources in > Keycloak that represent your different resource sets. Based on the > permissions within the token you should also be able to build the query > accordingly in your application. > > On Tue, May 21, 2019 at 6:41 PM Farzad Panahi > wrote: > >> Thanks Pedro. I really appreciate your reply. >> >> I think arbitrary claims are what I need to pass the filtering required >> to the backend (if I can generate those claims). Also resource types look >> interesting. I think as you said I can use that to group my resources. >> These two should solve my problems at hand. >> >> That would be also great if you could elaborate on what you meant by >> "security constraints" vs "business rules". I just want to have a better >> understanding of Keycloak. >> My understanding is that Keycloak is an identity and "access management" >> system. And when it comes to "access management" my understanding is that >> it means "who" has "what" access to "which" resource under "what >> conditions". >> If this definition is true, wouldn't "who has access to which resources" >> be a security constraint under Keycloak's authorization model? 
>> >> As you said I might need to look into other solutions but I before I do >> that I want to make sure I really cannot do what I want to do with Keycloak >> and I really cannot implement my requirements under Keycloal's >> authorization model, since I have already happily invested lots of time on >> Keycloak :) >> >> >> >> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva >> wrote: >> >>> Hi Farzad, >>> >>> Sorry for the late reply. >>> >>> Our authorization model is targeted for enforcing security-related >>> constraints, not business rules. Maybe you could consider Drools/BRMS. >>> >>> Some time ago we had a discussion about data filtering and how to fetch >>> resources based on policy decisions. If you look at our documentation [1] >>> you'll see that policies can push arbitrary claims back to your application >>> when granting access to a permission. This capability allows you to send a >>> specific claim along with the permission that represents some filter that >>> you can use to query your database. >>> >>> As a result, you'll have within your token something like: >>> >>> "permissions": [ >>> { >>> "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957", >>> "resource_name": "Book Resource", >>> "claims": ["data.filter": ["book.type = 'foo' or book.type = >>> 'bar'"]] >>> } >>> ] >>> >>> We do have a "resource group" concept. Resources can have a type and you >>> can also have a single resource representing a set of one or more "real" >>> resources. >>> >>> [1] >>> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server >>> >>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi >>> wrote: >>> >>>> Any hint or example project to look at would really help to put me in >>>> the >>>> right direction. >>>> >>>> Should I post this question with a better and more specific title with >>>> more >>>> elaborate body to present the question better? >>>> >>>> On Fri., May 17, 2019, 1:21 p.m. 
Farzad Panahi, < >>>> farzad.panahi at gmail.com> >>>> wrote: >>>> >>>> > This is exactly where I want to use Keycloak to set this business >>>> > rule/mapping. Basically I need to associate each user with a subset >>>> of B >>>> > (books) to which the user has access to. This association is not >>>> based on >>>> > roles or groups. It is based on individual users. >>>> > That's why I was thinking that the only way I can think of doing this >>>> to >>>> > add every individual book as a resource in Keycloak and then I have to >>>> > create a permission for each of them to grant access to any >>>> individual user. >>>> > It would help if Keycloak had a concept like a resource group I guess. >>>> > Then I could put all those resources in a resource group and grant >>>> access >>>> > to that resource group for an individual user. >>>> > Then in order to see which resources each user has access to, I need >>>> to >>>> > query Keycloak somehow (I need to figure out how exactly) and get the >>>> > resources that user has access to, and return only those resources >>>> for that >>>> > user. >>>> > >>>> > That's what I can think of right now. I am just wondering if there is >>>> a >>>> > better way to do this sort of resource oriented access control where >>>> each >>>> > user has access to specific set of resources only. >>>> > >>>> > >>>> > >>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva >>>> > wrote: >>>> > >>>> >> Sorry, but is still not clear to me how a "user has access to a >>>> subset of >>>> >> B" is this access based on roles, groups or any other information >>>> that you >>>> >> gather from the context ? I'm wondering if this is not a business >>>> rule >>>> >> instead .... >>>> >> >>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi < >>>> farzad.panahi at gmail.com> >>>> >> wrote: >>>> >> >>>> >>> Hi Pedro, >>>> >>> >>>> >>> The user is not the book owner. 
You can think about it this way >>>> that if >>>> >>> B is the set of all books then each user has access to a subset of >>>> B such >>>> >>> that these subsets are not mutually exclusive and do overlap. >>>> >>> >>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, < >>>> psilva at redhat.com> >>>> >>> wrote: >>>> >>> >>>> >>>> Hi Farzad, >>>> >>>> >>>> >>>> How do you check if a user has access to a book ? Is the user the >>>> book >>>> >>>> owner or you have more conditions that should be taken into >>>> account to >>>> >>>> grant access to books ? >>>> >>>> >>>> >>>> [1] >>>> >>>> >>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples >>>> >>>> >>>> >>>> >>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi < >>>> farzad.panahi at gmail.com> >>>> >>>> wrote: >>>> >>>> >>>> >>>>> Hi, >>>> >>>>> >>>> >>>>> I am very new to Keycloak. I have a RESTful API implemented with >>>> >>>>> json:api >>>> >>>>> spec which I want to secure using >>>> Keycloak. >>>> >>>>> >>>> >>>>> I just want to ask the Keycloak community for best practices when >>>> it >>>> >>>>> comes >>>> >>>>> to securing RESTful APIs. >>>> >>>>> >>>> >>>>> My endpoints will be something like: >>>> >>>>> GET /api/books --> return all books the user has access for >>>> >>>>> GET /api/books/123 --> return book with id = 123 >>>> >>>>> >>>> >>>>> My challenge now is to figure out how to define resources in >>>> Keycloak. >>>> >>>>> Should I add all my books as resources to Keycloak? And then >>>> define the >>>> >>>>> permission between each user and resource? >>>> >>>>> >>>> >>>>> What would be the best practice to implement "GET /api/books" to >>>> return >>>> >>>>> only the books the logged in user has access to? Should I query >>>> the >>>> >>>>> Keycloak API to get all the resources the logged in user has >>>> access >>>> >>>>> to, in >>>> >>>>> the backend? 
>>>> >>>>> >>>> >>>>> Thanks >>>> >>>>> >>>> >>>>> Farzad >>>> >>>>> _______________________________________________ >>>> >>>>> keycloak-user mailing list >>>> >>>>> keycloak-user at lists.jboss.org >>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> From adveaf at gmail.com Tue May 28 05:10:54 2019 From: adveaf at gmail.com (A.D.V. - F) Date: Tue, 28 May 2019 11:10:54 +0200 Subject: [keycloak-user] [help] : About the Keycloak Nodejs Connect adapter supportable server frameworks Message-ID: Hello, I'm not sure about which email address is the one for asking question and feature requests. So I add the two addresses. My question is about the Nodejs adapter, does it support others server frameworks? it will be very nice if it can work as a Koa's middleware. Best regards Alex From asier.aguado at cern.ch Tue May 28 05:49:35 2019 From: asier.aguado at cern.ch (Asier Aguado Corman) Date: Tue, 28 May 2019 09:49:35 +0000 Subject: [keycloak-user] Avoid collisions and links of external accounts Message-ID: <5C67A8145211F54C9169E58FE753DEF3E223CF1A@CERNXCHG41.cern.ch> Dear Keycloak users/developers, We're trying to configure Keycloak to use an LDAP user federation together with identity brokering on social providers (such as GitHub). We want these accounts to be dissociated as different logins, i.e. different usernames or unique IDs without adding them to an existing account. The Keycloak login flow currently allows for duplicate emails, but if a social account logs in with the same username as an internal LDAP account this will result in a username collision. This is not good for our use case, as we don't want to associate these accounts in Keycloak. 
In summary, 1) We can't use login with email: we don't want to trust an email from an external provider. We can avoid this by disabling it and allowing duplicate emails. It would be great though to still allow email login for LDAP users. 2) We would need a way to generate usernames from external accounts, something like mapping 'asieraguado' to 'asieraguado at github', so they can be unique. We think that linking accounts will be confusing for our users, and we don't want them to select any username. Any ideas on how to achieve this configuration? Best regards, Asier Aguado From ece8537 at upnet.gr Tue May 28 07:07:26 2019 From: ece8537 at upnet.gr (Konstantinos Schoinas) Date: Tue, 28 May 2019 14:07:26 +0300 Subject: [keycloak-user] Logout-User Message-ID: Hi all, I am wondering if there is a way to make the user relogin after a certain amount of time of inactivity? Although i am not refering to the SSO session max value. For example i wanna have something like this. Relogin :4 hours (relogin because of inactivity ) SSO Session Max: 8 hours ( relogin because session expired ) Thanks in Advance, Konstantinos From stephanwehner12 at gmail.com Tue May 28 07:55:01 2019 From: stephanwehner12 at gmail.com (Stephan Wehner) Date: Tue, 28 May 2019 13:55:01 +0200 Subject: [keycloak-user] Missing form parameter: grant_type while using the REST API Message-ID: Hello, I'm trying to get an access token from my Keycloak Server. I'm sending a post request to http://localhost:12345/auth/realms/testRealm/protocol/openid-connect/token?client_id=testClient&username=testUser&password=abcde&grant_type=password with additional header "Content-type: application/x-www-form-urlencoded; charset=UTF-8". 
The response I get is: HTTP/1.1 400 Bad Request Connection: keep-alive Cache-Control: no-store Pragma: no-cache Content-Type: application/json Content-Length: 84 Date: Tue, 28 May 2019 10:14:08 GMT {"error":"invalid_request","error_description":"Missing form parameter: grant_type"} Do you have any idea what is the cause of the problem? Did I miss something to configure? The administration console works well. I'm using Keycloak 6.0.1 as standalone. I had to change the port because the default port is not free on my host. Could it be, that I missed something there? Thank you! From Tony.Harris at oneadvanced.com Tue May 28 08:01:16 2019 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Tue, 28 May 2019 12:01:16 +0000 Subject: [keycloak-user] Missing form parameter: grant_type while using the REST API In-Reply-To: References: Message-ID: <634b5680947d44d8b46037710728368c@SL1ACSEXCMB01.acsresource.com> Have you tried sending the data, client_id, username etc in the post body rather than as query parameters in the URL? -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stephan Wehner Sent: 28 May 2019 12:55 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Missing form parameter: grant_type while using the REST API Hello, I'm trying to get an access token from my Keycloak Server. I'm sending a post request to http://localhost:12345/auth/realms/testRealm/protocol/openid-connect/token?client_id=testClient&username=testUser&password=abcde&grant_type=password with additional header "Content-type: application/x-www-form-urlencoded; charset=UTF-8". 
The response I get is:

    HTTP/1.1 400 Bad Request
    Connection: keep-alive
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json
    Content-Length: 84
    Date: Tue, 28 May 2019 10:14:08 GMT

    {"error":"invalid_request","error_description":"Missing form parameter: grant_type"}

Do you have any idea what is the cause of the problem? Did I miss something to configure?

The administration console works well. I'm using Keycloak 6.0.1 as standalone. I had to change the port because the default port is not free on my host. Could it be that I missed something there?

Thank you!
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
________________________________
Please consider the environment: Think before you print!
This message has been scanned for malware by Websense. www.websense.com

From psilva at redhat.com Tue May 28 08:15:54 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 28 May 2019 09:15:54 -0300
Subject: [keycloak-user] Securing RESTful API Best Practices

Not right now because policies are basically processing permissions (requested resource + scope) on a per-resource basis. In the future, we are looking forward to making the policy engine more flexible so that you could perform resource-less evaluation based on any data you include in an authorization request.

On Tue, May 28, 2019 at 3:28 AM Farzad Panahi wrote:

> Thanks Pedro.
>
> I am thinking to fetch all the permissions granted for the user and from there I can get all the resource names (books) and scopes the user has access for.
>
> I have done this by getting the RPT from the Protection API in the backend and iterating over the "permissions". But I am thinking to cut a round-trip request and do this in the policy and push the resource names (with granted permission) as an arbitrary claim. But as far as I understand I only have access to the Evaluation instance in the policy. Is there a way to get all the "permissions granted" for a user, in the policy?
>
> Cheers
>
> Farzad
>
> On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva wrote:
>
>> Sure. I'm not telling you that you should not use us to address your requirements, but that you should take into account whether or not you are using our authorization capabilities to process business rules, which is not our focus. I wanted to let you know about other projects that are targeted for this type of work. Sometimes, the borderline between security constraints and business rules is very clear when you are externalizing authorization from your application.
>>
>> But yeah, I think both approaches can work for you. The data filter approach could be very handy in order to filter resources that users can access. So if you are able to group your users into groups and then write policies that push back a claim based on the user membership, then you should be able to keep your policies simple. This is probably the optimal solution because it avoids additional requests from the server for checking whether or not the user has access to a resource.
>>
>> On the other hand, you can use resource types. Or even have resources in Keycloak that represent your different resource sets. Based on the permissions within the token you should also be able to build the query accordingly in your application.
>>
>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi wrote:
>>
>>> Thanks Pedro. I really appreciate your reply.
>>>
>>> I think arbitrary claims are what I need to pass the filtering required to the backend (if I can generate those claims). Also resource types look interesting. I think as you said I can use that to group my resources. These two should solve my problems at hand.
>>>
>>> That would be also great if you could elaborate on what you meant by "security constraints" vs "business rules". I just want to have a better understanding of Keycloak.
>>>
>>> My understanding is that Keycloak is an identity and "access management" system. And when it comes to "access management" my understanding is that it means "who" has "what" access to "which" resource under "what conditions".
>>>
>>> If this definition is true, wouldn't "who has access to which resources" be a security constraint under Keycloak's authorization model?
>>>
>>> As you said I might need to look into other solutions but before I do that I want to make sure I really cannot do what I want to do with Keycloak and I really cannot implement my requirements under Keycloak's authorization model, since I have already happily invested lots of time on Keycloak :)
>>>
>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva wrote:
>>>
>>>> Hi Farzad,
>>>>
>>>> Sorry for the late reply.
>>>>
>>>> Our authorization model is targeted for enforcing security-related constraints, not business rules. Maybe you could consider Drools/BRMS.
>>>>
>>>> Some time ago we had a discussion about data filtering and how to fetch resources based on policy decisions. If you look at our documentation [1] you'll see that policies can push arbitrary claims back to your application when granting access to a permission. This capability allows you to send a specific claim along with the permission that represents some filter that you can use to query your database.
>>>>
>>>> As a result, you'll have within your token something like:
>>>>
>>>>     "permissions": [
>>>>       {
>>>>         "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>>         "resource_name": "Book Resource",
>>>>         "claims": {"data.filter": ["book.type = 'foo' or book.type = 'bar'"]}
>>>>       }
>>>>     ]
>>>>
>>>> We do have a "resource group" concept. Resources can have a type and you can also have a single resource representing a set of one or more "real" resources.
>>>>
>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server
>>>>
>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi wrote:
>>>>
>>>>> Any hint or example project to look at would really help to put me in the right direction.
>>>>>
>>>>> Should I post this question with a better and more specific title with more elaborate body to present the question better?
>>>>>
>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi at gmail.com> wrote:
>>>>>
>>>>>> This is exactly where I want to use Keycloak to set this business rule/mapping. Basically I need to associate each user with a subset of B (books) to which the user has access. This association is not based on roles or groups. It is based on individual users.
>>>>>>
>>>>>> That's why I was thinking that the only way I can think of doing this is to add every individual book as a resource in Keycloak and then I have to create a permission for each of them to grant access to any individual user.
>>>>>>
>>>>>> It would help if Keycloak had a concept like a resource group I guess. Then I could put all those resources in a resource group and grant access to that resource group for an individual user.
>>>>>>
>>>>>> Then in order to see which resources each user has access to, I need to query Keycloak somehow (I need to figure out how exactly) and get the resources that user has access to, and return only those resources for that user.
>>>>>>
>>>>>> That's what I can think of right now. I am just wondering if there is a better way to do this sort of resource oriented access control where each user has access to a specific set of resources only.
>>>>>>
>>>>>> On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva wrote:
>>>>>>
>>>>>>> Sorry, but it is still not clear to me how a "user has access to a subset of B". Is this access based on roles, groups or any other information that you gather from the context? I'm wondering if this is not a business rule instead ....
>>>>>>>
>>>>>>> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Pedro,
>>>>>>>>
>>>>>>>> The user is not the book owner. You can think about it this way: if B is the set of all books then each user has access to a subset of B such that these subsets are not mutually exclusive and do overlap.
>>>>>>>>
>>>>>>>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Farzad,
>>>>>>>>>
>>>>>>>>> How do you check if a user has access to a book? Is the user the book owner or do you have more conditions that should be taken into account to grant access to books?
>>>>>>>>>
>>>>>>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>>>>>>>
>>>>>>>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I am very new to Keycloak. I have a RESTful API implemented with the json:api spec which I want to secure using Keycloak.
>>>>>>>>>>
>>>>>>>>>> I just want to ask the Keycloak community for best practices when it comes to securing RESTful APIs.
>>>>>>>>>>
>>>>>>>>>> My endpoints will be something like:
>>>>>>>>>> GET /api/books --> return all books the user has access for
>>>>>>>>>> GET /api/books/123 --> return book with id = 123
>>>>>>>>>>
>>>>>>>>>> My challenge now is to figure out how to define resources in Keycloak. Should I add all my books as resources to Keycloak? And then define the permission between each user and resource?
>>>>>>>>>>
>>>>>>>>>> What would be the best practice to implement "GET /api/books" to return only the books the logged in user has access to? Should I query the Keycloak API to get all the resources the logged in user has access to, in the backend?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Farzad

From bruno at abstractj.org Tue May 28 08:58:32 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 28 May 2019 09:58:32 -0300
Subject: [keycloak-user] [help] : About the Keycloak Nodejs Connect adapter supportable server frameworks

Hi Alex, the user mailing list is the right place to ask.

Unfortunately Koa's middleware is not supported. One alternative would be to try koa-connect https://github.com/vkurchatkin/koa-connect or protect your app with Gatekeeper.

I hope it helps.

On Tue, May 28, 2019 at 6:12 AM A.D.V. - F wrote:
>
> Hello,
>
> I'm not sure about which email address is the one for asking questions and feature requests. So I add the two addresses.
>
> My question is about the Nodejs adapter: does it support other server frameworks? It will be very nice if it can work as a Koa middleware.
>
> Best regards
>
> Alex

--
- abstractj

From Chirag.Unnadkat at cerillion.com Tue May 28 11:02:46 2019
From: Chirag.Unnadkat at cerillion.com (Chirag Unnadkat)
Date: Tue, 28 May 2019 15:02:46 +0000
Subject: [keycloak-user] X509 Direct Grant with client certificate

Hi,

Is it possible to pass the same client certificate in a token request with different login credentials? My current setup doesn't seem to allow this and I can't find any documentation saying this is not possible.

I have configured an X509 Direct Grant flow using X509/Validate Username (X.509 Config). This is configured to take the Subject's Common Name, with the attribute "NAME". I have configured a trust store with 1 certificate (want to share this across users).

When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token; however, once I share the same attribute details to user 2, both user 1 and 2 stop working.

Maybe I am missing some configuration that will allow my users to share the same certificate. I ideally do not want to have one certificate per user as this will get out of hand to manage as the population of the realm increases.

Kind Regards,

Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat at cerillion.com
T. 0207 9276029
W. www.cerillion.com
Addr. 25 Bedford Street, London, WC2E 9ES, UK
________________________________
Cerillion Technologies Limited is a limited liability company registered in England No. 3849601 with Registered Office at 25 Bedford Street, London WC2E 9ES. VAT registration No. 743 8054 29. Website www.cerillion.com
This email and any attachments with it are intended for the addressee only. It is confidential and may be the subject of legal and/or professional privilege. If you have received this email in error please notify the sender, destroy any copies and delete from your computer systems as any use, disclosure, dissemination, forwarding, printing or copying is strictly prohibited. The content may be personal or contain personal opinions and cannot be taken as an expression of Cerillion's position. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. Cerillion reserves the right to monitor all incoming and outgoing mail. Whilst every care has been taken to check this outgoing email for viruses, it is your responsibility to carry out any checks upon receipt.
________________________________

From namikbarisidil at hotmail.com Tue May 28 12:06:17 2019
From: namikbarisidil at hotmail.com (Namık Barış İDİL)
Date: Tue, 28 May 2019 16:06:17 +0000
Subject: [keycloak-user] Parameter Forwarding

Hi,

I am redirecting my current user to the Keycloak login page and it redirects me back to my app. I would like to send a parameter to the login url and would like to receive it on the redirect url. How can I forward my parameter?

Thanks in advance!

Barış

From vaslion13 at yahoo.gr Tue May 28 15:28:44 2019
From: vaslion13 at yahoo.gr (vasleon)
Date: Tue, 28 May 2019 21:28:44 +0200
Subject: [keycloak-user] CSRF token in user management pages
Message-ID: <8826f44b-cdc6-2249-1c54-ee6b866d394a@yahoo.gr>

Dear All,

According to the page here, the only part of Keycloak that really falls into CSRF is the user account management pages. It mentions that in order to protect from CSRF, Keycloak uses a state cookie.

I imagine that the user account management pages are the ones under the url = http://localhost:8180/auth/realms/demo/account/, is this correct?
If yes, the cookies I can see available in this page are an AUTH_SESSION_ID cookie and a KC_RESTART. I do not see a "stateChecker" value.

I can see these files are related to CSRF checking in the code of the Keycloak server:

* services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
* adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java
* services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java

Can someone who has knowledge over this verify that "the user account management pages" is referring to the url provided above and, if not, expand on which pages are CSRF protected? Also please verify that indeed the 3 files above are responsible for CSRF checking.

Thank you

From farzad.panahi at gmail.com Tue May 28 13:49:59 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Tue, 28 May 2019 10:49:59 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices

That would be really helpful. Is there an open ticket for it that I can watch?

So if I can't get granted permissions on the policy engine then I don't have any other option but doing this on the backend by calling the Protection API, right?

On Tue., May 28, 2019, 5:16 a.m. Pedro Igor Silva, wrote:

> Not right now because policies are basically processing permissions (requested resource + scope) on a per-resource basis. In the future, we are looking forward to making the policy engine more flexible so that you could perform resource-less evaluation based on any data you include in an authorization request.

From orivat at janua.fr Tue May 28 14:01:11 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 28 May 2019 20:01:11 +0200
Subject: [keycloak-user] SAML not be able to proceed SP assertion

Hi,

I am using Keycloak 6.0.1 and trying to connect to an external IDP using SAML V2. The setup has been working last year with Keycloak 3.4.3.

I am able to authenticate against the IDP, and I can see the SAML packet returned using the SAML tracer. I haven't seen any discrepancy.

But on Keycloak, I obtain the message "We're sorry, Login timeout" with the following trace:

19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-3) Assertion id18815101930494101523411623 is not addressed to this SP.
19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-3) Assertion expired.
19:52:23,400 WARN [org.keycloak.events] (default task-3) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response

I've just visited the code of ConditionsValidator.java, where the warning is issued, but cannot figure out what could be wrong.

Any idea of what could be causing such an issue?
Regards,

Olivier Rivat

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From psilva at redhat.com Tue May 28 14:31:52 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 28 May 2019 15:31:52 -0300
Subject: [keycloak-user] Securing RESTful API Best Practices

Yeah, you mean calling the token endpoint ....

On Tue, May 28, 2019 at 2:50 PM Farzad Panahi wrote:

> That would be really helpful. Is there an open ticket for it that I can watch?
>
> So if I can't get granted permissions on the policy engine then I don't have any other option but doing this on the backend by calling the Protection API, right?

From farzad.panahi at gmail.com Tue May 28 15:05:39 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Tue, 28 May 2019 12:05:39 -0700
Subject: [keycloak-user] Securing RESTful API Best Practices

Yes. I basically use the Authorization Client Java API.

On Tue, May 28, 2019 at 11:32 AM Pedro Igor Silva wrote:

> Yeah, you mean calling the token endpoint ....
>>>>> >>>>> But yeah, I think both approaches can work for you. The data filter >>>>> approach is could be very handy in order to filter resources that users can >>>>> access. So if you are able to group your users into groups and then write >>>>> policies that push back a claim based on the user membership, then you >>>>> should be able to keep your policies simple. This is probably the optimal >>>>> solution because it avoids additional requests from the server for checking >>>>> whether or not the user has access to a resource. >>>>> >>>>> On the other hand, you can use resource types. Or even have resources >>>>> in Keycloak that represent your different resource sets. Based on the >>>>> permissions within the token you should also be able to build the query >>>>> accordingly in your application. >>>>> >>>>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi >>>>> wrote: >>>>> >>>>>> Thanks Pedro. I really appreciate your reply. >>>>>> >>>>>> I think arbitrary claims are what I need to pass the filtering >>>>>> required to the backend (if I can generate those claims). Also resource >>>>>> types look interesting. I think as you said I can use that to group my >>>>>> resources. These two should solve my problems at hand. >>>>>> >>>>>> That would be also great if you could elaborate on what you meant by >>>>>> "security constraints" vs "business rules". I just want to have a better >>>>>> understanding of Keycloak. >>>>>> My understanding is that Keycloak is an identity and "access >>>>>> management" system. And when it comes to "access management" my >>>>>> understanding is that it means "who" has "what" access to "which" resource >>>>>> under "what conditions". >>>>>> If this definition is true, wouldn't "who has access to which >>>>>> resources" be a security constraint under Keycloak's authorization model? 
>>>>>> >>>>>> As you said I might need to look into other solutions but I before I >>>>>> do that I want to make sure I really cannot do what I want to do with >>>>>> Keycloak and I really cannot implement my requirements under Keycloal's >>>>>> authorization model, since I have already happily invested lots of time on >>>>>> Keycloak :) >>>>>> >>>>>> >>>>>> >>>>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva >>>>>> wrote: >>>>>> >>>>>>> Hi Farzad, >>>>>>> >>>>>>> Sorry for the late reply. >>>>>>> >>>>>>> Our authorization model is targeted for enforcing security-related >>>>>>> constraints, not business rules. Maybe you could consider Drools/BRMS. >>>>>>> >>>>>>> Some time ago we had a discussion about data filtering and how to >>>>>>> fetch resources based on policy decisions. If you look at our documentation >>>>>>> [1] you'll see that policies can push arbitrary claims back to your >>>>>>> application when granting access to a permission. This capability allows >>>>>>> you to send a specific claim along with the permission that represents some >>>>>>> filter that you can use to query your database. >>>>>>> >>>>>>> As a result, you'll have within your token something like: >>>>>>> >>>>>>> "permissions": [ >>>>>>> { >>>>>>> "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957", >>>>>>> "resource_name": "Book Resource", >>>>>>> "claims": ["data.filter": ["book.type = 'foo' or book.type = >>>>>>> 'bar'"]] >>>>>>> } >>>>>>> ] >>>>>>> >>>>>>> We do have a "resource group" concept. Resources can have a type and >>>>>>> you can also have a single resource representing a set of one or more >>>>>>> "real" resources. 
>>>>>>> >>>>>>> [1] >>>>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server >>>>>>> >>>>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi < >>>>>>> farzad.panahi at gmail.com> wrote: >>>>>>> >>>>>>>> Any hint or example project to look at would really help to put me >>>>>>>> in the >>>>>>>> right direction. >>>>>>>> >>>>>>>> Should I post this question with a better and more specific title >>>>>>>> with more >>>>>>>> elaborate body to present the question better? >>>>>>>> >>>>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, < >>>>>>>> farzad.panahi at gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>> > This is exactly where I want to use Keycloak to set this business >>>>>>>> > rule/mapping. Basically I need to associate each user with a >>>>>>>> subset of B >>>>>>>> > (books) to which the user has access to. This association is not >>>>>>>> based on >>>>>>>> > roles or groups. It is based on individual users. >>>>>>>> > That's why I was thinking that the only way I can think of doing >>>>>>>> this to >>>>>>>> > add every individual book as a resource in Keycloak and then I >>>>>>>> have to >>>>>>>> > create a permission for each of them to grant access to any >>>>>>>> individual user. >>>>>>>> > It would help if Keycloak had a concept like a resource group I >>>>>>>> guess. >>>>>>>> > Then I could put all those resources in a resource group and >>>>>>>> grant access >>>>>>>> > to that resource group for an individual user. >>>>>>>> > Then in order to see which resources each user has access to, I >>>>>>>> need to >>>>>>>> > query Keycloak somehow (I need to figure out how exactly) and get >>>>>>>> the >>>>>>>> > resources that user has access to, and return only those >>>>>>>> resources for that >>>>>>>> > user. >>>>>>>> > >>>>>>>> > That's what I can think of right now. 
I am just wondering if >>>>>>>> there is a >>>>>>>> > better way to do this sort of resource oriented access control >>>>>>>> where each >>>>>>>> > user has access to specific set of resources only. >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva < >>>>>>>> psilva at redhat.com> >>>>>>>> > wrote: >>>>>>>> > >>>>>>>> >> Sorry, but is still not clear to me how a "user has access to a >>>>>>>> subset of >>>>>>>> >> B" is this access based on roles, groups or any other >>>>>>>> information that you >>>>>>>> >> gather from the context ? I'm wondering if this is not a >>>>>>>> business rule >>>>>>>> >> instead .... >>>>>>>> >> >>>>>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi < >>>>>>>> farzad.panahi at gmail.com> >>>>>>>> >> wrote: >>>>>>>> >> >>>>>>>> >>> Hi Pedro, >>>>>>>> >>> >>>>>>>> >>> The user is not the book owner. You can think about it this way >>>>>>>> that if >>>>>>>> >>> B is the set of all books then each user has access to a subset >>>>>>>> of B such >>>>>>>> >>> that these subsets are not mutually exclusive and do overlap. >>>>>>>> >>> >>>>>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, < >>>>>>>> psilva at redhat.com> >>>>>>>> >>> wrote: >>>>>>>> >>> >>>>>>>> >>>> Hi Farzad, >>>>>>>> >>>> >>>>>>>> >>>> How do you check if a user has access to a book ? Is the user >>>>>>>> the book >>>>>>>> >>>> owner or you have more conditions that should be taken into >>>>>>>> account to >>>>>>>> >>>> grant access to books ? >>>>>>>> >>>> >>>>>>>> >>>> [1] >>>>>>>> >>>> >>>>>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi < >>>>>>>> farzad.panahi at gmail.com> >>>>>>>> >>>> wrote: >>>>>>>> >>>> >>>>>>>> >>>>> Hi, >>>>>>>> >>>>> >>>>>>>> >>>>> I am very new to Keycloak. 
I have a RESTful API implemented >>>>>>>> with >>>>>>>> >>>>> json:api >>>>>>>> >>>>> spec which I want to secure using >>>>>>>> Keycloak. >>>>>>>> >>>>> >>>>>>>> >>>>> I just want to ask the Keycloak community for best practices >>>>>>>> when it >>>>>>>> >>>>> comes >>>>>>>> >>>>> to securing RESTful APIs. >>>>>>>> >>>>> >>>>>>>> >>>>> My endpoints will be something like: >>>>>>>> >>>>> GET /api/books --> return all books the user has access for >>>>>>>> >>>>> GET /api/books/123 --> return book with id = 123 >>>>>>>> >>>>> >>>>>>>> >>>>> My challenge now is to figure out how to define resources in >>>>>>>> Keycloak. >>>>>>>> >>>>> Should I add all my books as resources to Keycloak? And then >>>>>>>> define the >>>>>>>> >>>>> permission between each user and resource? >>>>>>>> >>>>> >>>>>>>> >>>>> What would be the best practice to implement "GET /api/books" >>>>>>>> to return >>>>>>>> >>>>> only the books the logged in user has access to? Should I >>>>>>>> query the >>>>>>>> >>>>> Keycloak API to get all the resources the logged in user has >>>>>>>> access >>>>>>>> >>>>> to, in >>>>>>>> >>>>> the backend? 
>>>>>>>> >>>>> >>>>>>>> >>>>> Thanks >>>>>>>> >>>>> >>>>>>>> >>>>> Farzad >>>>>>>> >>>>> _______________________________________________ >>>>>>>> >>>>> keycloak-user mailing list >>>>>>>> >>>>> keycloak-user at lists.jboss.org >>>>>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>> >>>>>>>> >>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> From jdennis at redhat.com Tue May 28 16:17:34 2019 From: jdennis at redhat.com (John Dennis) Date: Tue, 28 May 2019 16:17:34 -0400 Subject: [keycloak-user] SAML not be able to proceed SP assertion In-Reply-To: References: Message-ID: <8ac71eb4-830b-b2db-f3d8-b022778bd40e@redhat.com> On 5/28/19 2:01 PM, Olivier Rivat wrote: > Hi, > > I am using Keycloak 6.0.1 and trying to connect to an external IDP using > SAML V2. > The steup has been working laster year with leycloak 3.4.3 > > I am able to authenticate against the IDP, and I can see teh SAM packet > returned using teh SAML tracer. > I haven't seen any dispcrency. > > > But on keycloak, I obtain the message > > We're sorry, > Login timeout > > with the following trace > > 19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator] > (default task-3) Assertion id18815101930494101523411623 is not addressed > to this SP. Have you validated the entityId of your configured realm in Keycloak and the entityId configured in the remote IdP are *identical*? That is the likely cause of "not addressed to this SP" error message. > 19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default > task-3) Assertion expired. Have you checked the timestamps in the Assertion? Have you checked both servers are time synced and agree on the time? > 19:52:23,400 WARN? 
> [org.keycloak.events] (default task-3) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
>
> I've just visited the code of ConditionsValidator.java, where the warning is issued, but cannot figure out what could be wrong.
>
> Any idea of what could be causing such an issue?
>
> Regards,
>
> Olivier Rivat

-- 
John Dennis

From orivat at janua.fr Tue May 28 17:15:38 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 28 May 2019 23:15:38 +0200
Subject: [keycloak-user] SAML not be able to proceed SP assertion
In-Reply-To: <8ac71eb4-830b-b2db-f3d8-b022778bd40e@redhat.com>
References: <8ac71eb4-830b-b2db-f3d8-b022778bd40e@redhat.com>
Message-ID: <4a866d90-42b2-449f-2b9b-70e16dab60eb@janua.fr>

Hi,

This was a mismatch in the entityID. Tkx a lot.

regards,

Olivier

On 28/05/2019 at 22:17, John Dennis wrote:
> [...]

-- 
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From Mark.Sargent at gallagher.com Tue May 28 22:06:08 2019
From: Mark.Sargent at gallagher.com (Mark Sargent)
Date: Wed, 29 May 2019 02:06:08 +0000
Subject: [keycloak-user] TOTP claim in jwt
Message-ID:

Hi all,

Some users in our realm must have set up TOTP to access some services. Is it possible to configure a claim to include whether a second factor was used during authentication?
We could check if such a claim existed in our service, before granting access.

Thanks in advance.

Cheers
Mark

________________________________
This email is confidential and may contain information subject to legal privilege. If you are not the intended recipient please advise us of our error by return e-mail then delete this email and any attached files. You may not copy, disclose or use the contents in any way. The views expressed in this email may not be those of Gallagher Group Ltd or subsidiary companies thereof.
________________________________

From stephanwehner12 at gmail.com Wed May 29 03:59:01 2019
From: stephanwehner12 at gmail.com (Stephan Wehner)
Date: Wed, 29 May 2019 09:59:01 +0200
Subject: [keycloak-user] Missing form parameter: grant_type while using the REST API
In-Reply-To: <634b5680947d44d8b46037710728368c@SL1ACSEXCMB01.acsresource.com>
References: <634b5680947d44d8b46037710728368c@SL1ACSEXCMB01.acsresource.com>
Message-ID:

Yes, I did and got the same error message.

On Tue, 28 May 2019 at 21:19, Tony Harris <Tony.Harris at oneadvanced.com> wrote:
> Have you tried sending the data, client_id, username etc in the post body rather than as query parameters in the URL?
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stephan Wehner
> Sent: 28 May 2019 12:55
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Missing form parameter: grant_type while using the REST API
>
> Hello,
>
> I'm trying to get an access token from my Keycloak Server. I'm sending a post request to
>
> http://localhost:12345/auth/realms/testRealm/protocol/openid-connect/token?client_id=testClient&username=testUser&password=abcde&grant_type=password
>
> with the additional header "Content-type: application/x-www-form-urlencoded; charset=UTF-8".
>
> The response I get is:
>
> HTTP/1.1 400 Bad Request
> Connection: keep-alive
> Cache-Control: no-store
> Pragma: no-cache
> Content-Type: application/json
> Content-Length: 84
> Date: Tue, 28 May 2019 10:14:08 GMT
>
> {"error":"invalid_request","error_description":"Missing form parameter: grant_type"}
>
> Do you have any idea what is the cause of the problem? Did I miss something to configure? The administration console works well. I'm using Keycloak 6.0.1 as standalone.
>
> I had to change the port because the default port is not free on my host. Could it be that I missed something there?
>
> Thank you!
>
> ________________________________
>
> Please consider the environment: Think before you print!
>
> This message has been scanned for malware by Websense. www.websense.com

From brunojcm at gmail.com Wed May 29 03:48:06 2019
From: brunojcm at gmail.com (Bruno Medeiros)
Date: Wed, 29 May 2019 15:48:06 +0800
Subject: [keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there
In-Reply-To: <959d58ab4d180ea22689ca48870ad6350b7bd610.camel@carretti.pro>
References: <959d58ab4d180ea22689ca48870ad6350b7bd610.camel@carretti.pro>
Message-ID:

Thanks for the answer, Dmitry, you nailed it!! It seems that I managed to make my point and they are going to fix Oidc support. I also managed to set up SAML integration as a plan B in case they don't fix it in time.

Cheers,

From vinogradov.a.i.93 at gmail.com Wed May 29 04:55:28 2019
From: vinogradov.a.i.93 at gmail.com (Алексей Виноградов)
Date: Wed, 29 May 2019 15:55:28 +0700
Subject: [keycloak-user] [Keycloak-admin-client] An error message when changing password.
In-Reply-To: <230b278f749a2d80326396715c0d94e2309f9d5d.camel@carretti.pro>
References: <230b278f749a2d80326396715c0d94e2309f9d5d.camel@carretti.pro>
Message-ID:

Privet Dmitry :)

Thanks for the response. I have tried to get getResponse().getEntity() but the result is null.

-- 
Best regards,
Vinogradov Alexey
vinogradov.a.i.93 at gmail.com
+7 983 311 38 40

On Tue, 28 May 2019 at 5:35, Dmitry Telegin wrote:
> Privet, Alexey :)
>
> Here's how password reset is done with the Keycloak Admin REST API, assuming a password policy violation:
>
> > PUT http://localhost:8080/auth/admin/realms/master/users/{user-id}/reset-password
> > {"type":"password","value":"foo","temporary":false}
>
> < 400 Bad Request
> < {"error":"invalidPasswordMinLengthMessage","error_description":"Invalid password: minimum length 8."}
>
> If I understand correctly, you get a javax.ws.rs.BadRequestException from the Java admin client. You could try calling getResponse().getEntity() on the exception object to obtain the JSON response.
>
> Cheers,
> Dmitry Telegin
>
> Carretti Consulting OÜ | Keycloak Consulting and Training
> Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
>
> On Mon, 2019-05-27 at 14:51 +0700, Алексей Виноградов wrote:
>> Hello everyone.
>>
>> I have a question about the REST API of Keycloak. When I attempt to change the password of a user via the REST API to a password that does not meet the security constraints of Keycloak, I receive a BadRequestError without additional information about what goes wrong. But when I change the password in the Administration console I see an exact error.
>>
>> So, how can I get the exact problem, what is wrong with my password?
>>
>> My use case is this:
>> I have a frontend (html/css) that communicates with a backend that communicates with Keycloak. A user wants to change the password of his/her account so he/she clicks on a button on some form, and makes a request to the backend to change the password. The backend processes that request and asks Keycloak to change the user password. In case the password doesn't meet the security constraint I want to provide the exact error to the user.
>>
>> Thanks to all.
>> --
>

From msakho at redhat.com Wed May 29 06:48:48 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 29 May 2019 12:48:48 +0200
Subject: [keycloak-user] keycloak heathcheck with microprofile
Message-ID:

Hello everyone,

Has someone tried to create a health check with SmallRye and the new metrics extension? I've tried long ago Thomas Darimont's following example [1] to implement a health check, but would like to know if someone has started something.

[1] https://github.com/thomasdarimont/keycloak-health-checks/tree/master

thanks

-- 
Meissa Sakho, RHCA
Architect
Red Hat EMEA
msakho at redhat.com
M: +33-6-9559-7778

From demetrio at carretti.pro Wed May 29 11:41:34 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Wed, 29 May 2019 18:41:34 +0300
Subject: [keycloak-user] Parameter Forwarding
In-Reply-To:
References:
Message-ID:

Hello Barış,

Unfortunately, you can't do that OOTB (unless you're willing to plug in your own customized OIDCLoginProtocol variant).

However, it is possible to return the parameter back as a part of the access/ID token (as a custom claim). Does that work for you?

Regards,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-05-28 at 16:06 +0000, Namık Barış İDİL wrote:
> Hi,
>
> I am redirecting my current user to the Keycloak login page and it redirects me back to my app. I would like to send a parameter to the login url and would like to receive it on the redirect url. How can I forward my parameter?
>
> Thanks in advance!
>
> Barış

From melissa.palmer at gmail.com Wed May 29 12:18:39 2019
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Wed, 29 May 2019 18:18:39 +0200
Subject: [keycloak-user] How do you export a REALM from keycloak when running within a Docker container?
In-Reply-To:
References: <20190417041053.GB5749@abstractj.org>
Message-ID: <6B7AD0EB-F007-41B3-B70D-BD400E800956@gmail.com>

Hi

Is there any reason that the PR I submitted for this cannot be looked at/merged into the main stream? I see review has been done and someone else has successfully used it on the latest version. Please do consider looking at the PR and Jira and moving that forward.
Thanks in advance
Melissa

> On 17 Apr 2019, at 7:28 AM, Melissa Palmer wrote:
>
> And a PR at: https://github.com/jboss-dockerfiles/keycloak/pull/189
>
>> On Wed, 17 Apr 2019 at 07:01, Melissa Palmer wrote:
>> I have raised a Jira at: https://issues.jboss.org/browse/KEYCLOAK-10082
>>
>>> On Wed, 17 Apr 2019 at 06:47, Melissa Palmer wrote:
>>> Thanks Bruno, I was specifically looking for the ability to EXPORT a realm on a running docker container. What's on the docker hub page and below is all about importing an existing realm.
>>>
>>> I did manage to solve this using the following:
>>> If you start keycloak with:
>>> docker run -d -p 8180:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -v $(pwd):/tmp --name kc jboss/keycloak:4.7.0.Final
>>>
>>> You can then get the export from this instance by running:
>>> docker exec -it kc keycloak/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.realmName=my_realm -Dkeycloak.migration.usersExportStrategy=REALM_FILE -Dkeycloak.migration.file=/tmp/my_realm.json
>>>
>>> Notice I am needing to go onto a currently running container and then
>>> - run the export on a different port
>>> - such that there are no port clashes with the existing process already running on that container
>>>
>>> Thanks
>>> Melissa
>>>
>>>> On Wed, 17 Apr 2019 at 06:10, Bruno Oliveira wrote:
>>>> Hi Melissa, try something like this:
>>>>
>>>> docker run -d --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8080:8080 \
>>>>   -v /path/to/yourrealm.json:/somepath/yourrealm.json \
>>>>   -it jboss/keycloak:master \
>>>>   -Dkeycloak.migration.action=import \
>>>>   -Dkeycloak.migration.provider=singleFile \
>>>>   -Dkeycloak.migration.file=/somepath/yourrealm.json \
>>>>   -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
>>>>
>>>> I took all the information from https://hub.docker.com/r/jboss/keycloak/. I hope it helps.
>>>>
>>>> On 2019-04-15, Melissa Palmer wrote:
>>>>> Hi
>>>>>
>>>>> How do you export a REALM from keycloak when running within a Docker container?
>>>>>
>>>>> *If running Keycloak via docker, eg: using *
>>>>> docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 --name kc jboss/keycloak
>>>>>
>>>>> How can you export a realm that you have added via the UI?
>>>>>
>>>>> Thanks in Advance
>>>>> Melissa
>>>>
>>>> --
>>>>
>>>> abstractj

From demetrio at carretti.pro Wed May 29 12:36:31 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Wed, 29 May 2019 19:36:31 +0300
Subject: [keycloak-user] TOTP claim in jwt
In-Reply-To:
References:
Message-ID: <69f0a92224a9e062ce254f252e3d64b87c623c90.camel@carretti.pro>

Hello Mark,

I usually offer this as an assignment for my students at Keycloak hands-ons, hope they don't google this next time :)

Please check out this thread for the solution overview: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016676.html

The actual authenticator code might look like this:

function authenticate(context) {
    // executionStatus maps execution id -> status of every execution in this flow
    var status = authenticationSession.executionStatus;
    var execs = status.keySet();
    for each (var e in execs) {
        var auth = realm.getAuthenticationExecutionById(e).authenticator;
        var s = status[e];
        LOG.info(auth + " => " + s); // you will get nulls for subflows, that's normal
        // remember in the user session that the OTP form was passed successfully
        if (auth == "auth-otp-form" && s == "SUCCESS")
            authenticationSession.setUserSessionNote("otp", "true");
    }
    context.success();
}

And the mapper:

// read the note written by the authenticator and expose it as a token claim
var otp = userSession.notes["otp"];
token.setOtherClaims("otp", otp);

Good luck!
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Wed, 2019-05-29 at 02:06 +0000, Mark Sargent wrote:
> [...]

From demetrio at carretti.pro Wed May 29 13:06:19 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Wed, 29 May 2019 20:06:19 +0300
Subject: [keycloak-user] Parameter Forwarding
In-Reply-To:
References: ,
Message-ID: <4daaa7607cfe6e6b27e894716a652d3b35bb11d3.camel@carretti.pro>

First, I'd recommend against using arbitrary parameters for that. This is a bit unreliable and harder to deal with. See this thread for the explanation and possible solution (as well as a general problem outline): http://lists.jboss.org/pipermail/keycloak-user/2018-November/016230.html

I'd rather recommend to (ab)use the OpenID Connect "scope" parameter for that. It is automatically exposed to the authenticators, and is guaranteed to survive all redirects. Let's assume your parameter is named "partner_code". Consider the following format:

scope="openid email partner_code:1234"

Create a custom JavaScript authenticator and propagate the whole scope param to the userSession:

function authenticate(context) {
    // the "scope" client note carries the scope parameter of the original authorization request
    authenticationSession.setUserSessionNote("scope", authenticationSession.clientNotes.scope);
    context.success();
}

Then, create a custom JS mapper to parse the value and put it inside a token:

var partner_code = userSession.notes.scope.match(/partner_code:(\d+)/);
// match() returns null when the scope carries no partner_code; only add the claim when it is present
if (partner_code) {
    print(partner_code[0]);
    print(partner_code[1]);
    token.scope += " " + partner_code[0];
    token.setOtherClaims("partner_code", partner_code[1]);
}

The value will appear both in the "scope" claim and as a "partner_code" custom claim. Alternatively, you can parse the value inside the authenticator.

Good luck!
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Wed, 2019-05-29 at 15:48 +0000, Namık Barış İDİL wrote:
> Hey Dimitry!
>
> Thanks for the response. Yes, the parameter I send via the login URL being returned in the access-token will be ok for me. How can I do that?
>
> Best,
>
> Barış
>
> ------------------------------------------------------------------------------------------
>
> From: Dmitry Telegin
> Sent: Wednesday, May 29, 2019 6:41 PM
> To: Namık Barış İDİL; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Parameter Forwarding
>
> [...]

From Mark.Sargent at gallagher.com Wed May 29 22:48:59 2019
From: Mark.Sargent at gallagher.com (Mark Sargent)
Date: Thu, 30 May 2019 02:48:59 +0000
Subject: [keycloak-user] TOTP claim in jwt
In-Reply-To: <69f0a92224a9e062ce254f252e3d64b87c623c90.camel@carretti.pro>
References: , <69f0a92224a9e062ce254f252e3d64b87c623c90.camel@carretti.pro>
Message-ID:

Thanks Dmitry!

________________________________
From: Dmitry Telegin
Sent: Thursday, May 30, 2019 4:36 AM
To: Mark Sargent; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] TOTP claim in jwt

[...]

From lrozenblyum at gmail.com Thu May 30 02:43:47 2019
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Thu, 30 May 2019 09:43:47 +0300
Subject: [keycloak-user] KeycloakWebSecurityConfigurerAdapter and sessionAuthenticationStrategy()
Message-ID:

Hello!

I'm using keycloak-spring-security and I have a question related to the usefulness of sessionAuthenticationStrategy(), which is used twice in the KeycloakWebSecurityConfigurerAdapter.

1) it's used for KeycloakAuthenticationProcessingFilter
   filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());

2) it's passed to httpSecurity
   http
       .sessionManagement()
       .sessionAuthenticationStrategy(sessionAuthenticationStrategy())

While the first usage looks fine and is indeed in use, the intention of the second one is unclear.
It has influence on SessionManagementFilter, however in the keycloak filter chain the session management filter is not invoked on successful authentication (KeycloakAuthenticationProcessingFilter.continueChainBeforeSuccessfulAuthentication is false).

Are there any real cases when this http session authentication strategy initialization is useful?

Thanks for your help!

From kundateeri.babji at gmail.com Thu May 30 06:52:13 2019
From: kundateeri.babji at gmail.com (Babji Kundateeri)
Date: Thu, 30 May 2019 16:22:13 +0530
Subject: [keycloak-user] MultiTenant system with SSO for selected users
Message-ID:

Hi Team,

I have a unique requirement in our project to solve. Our project is multitenant based, we need to enable SSO only for a specific tenant. And for the remaining users we want to use the old form based login itself. We are planning to use Keycloak for identity brokering to connect with the customer's IDP.

Can any one guide, how can I solve this problem?

--
Kind Regards,
Babji Kundateeri.

From priyamalm at mobitel.lk Thu May 30 07:58:11 2019
From: priyamalm at mobitel.lk (Priyamal Madushan)
Date: Thu, 30 May 2019 11:58:11 +0000
Subject: [keycloak-user] can't setup keycloak into a mysql database.
Message-ID:

Hi guys.

I am trying to setup keycloak to use a mysql database. I have read the documentation and edited the standalone.xml to use the mysql datasource and included the driver in the module.xml as well.

Here is the datasource I created (the XML tags did not survive the archive, only the element values remain):

    jdbc:mysql://localhost:3306/keycloak?useSSL=false&characterEncoding=UTF-8 mysql 5 20 true 0 root password true

With the above configuration I always end up in this error:

    Timeout after [300] seconds waiting for service container stability. Operation will roll back.
    Step that first updated the service container was 'add' at address '[ ("core-service" => "management"), ("management-interface" => "http-interface") ]'

I tried keycloak version 5, 6 and 6.0.1 assuming an older version might fix the issue, but it didn't.

Here is a similar discussion: https://developer.jboss.org/thread/272010

After going through that I changed my time out but it didn't solve the issue either.

    60000 3

Here is the question that I posted on stack overflow: https://stackoverflow.com/questions/56357585/how-to-migrate-keycloak-to-mysql-database-and-fix-timeout-after-300-exception

I am trying to fix this for a couple of days now and still couldn't get this solved. Any help would be appreciated.

Thanks and regards
Priyamal.

This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. Mobitel (Pvt) Ltd.

From guto at gym2gym.com.br Thu May 30 10:19:47 2019
From: guto at gym2gym.com.br (Augusto dos Santos Pereira)
Date: Thu, 30 May 2019 11:19:47 -0300
Subject: [keycloak-user] Keycloak generic adapter on Openshift Online
Message-ID: <16b091c71f8.ac90114d201601.1989581472106099966@gym2gym.com.br>

Hello,

I'm new to Openshift and Keycloak and I am currently trying to protect a PHP REST service using the keycloak generic adapter. This repository (https://github.com/stianst/keycloak-demo) was used, and this video (https://www.youtube.com/watch?v=mdZauKsMDiI) was followed.

I was able to secure the NodeJS app (demo-app) as expected using keycloak, so my Keycloak pod is working.

After the NodeJS app, I added an app called "demo-service-php" with the "Import YAML / JSON" option, using the demo-service-php/demo-service-php.json file in the repo.

The pod fails to spin up and shows a link to the logs. The following error shows up:

    [error] invalid options, flag provided but not defined: -skip-client-id

I tried editing the line - '--skip-client-id' from the YAML and it worked. The pod spun up.

I looked at the json file and the arg "--client-id=demo-service" is in there. I checked in the demo realm and there is no client called "demo-service", so I added it with bearer-only Access Type. Still with the same error.

I edited the SERVICE_URL environment variable of the demo-app to match the demo-service-php url. Responses:

    INVOKE PUBLIC -> Message: public
    INVOKE SECURED -> Request failed
    INVOKE ADMIN -> Request failed

The service pod says "The logs are no longer available or could not be loaded.". Looking at the browser console, the logs are:

    demo-service-php-keycloak.7e14.starter-us-west-2.openshiftapps.com/admin:1 GET https://demo-service-php-keycloak.7e14.starter-us-west-2.openshiftapps.com/admin 401 (Unauthorized)
    (index):1 Access to XMLHttpRequest at 'https://demo-service-php-keycloak.7e14.starter-us-west-2.openshiftapps.com/admin' from origin 'https://demo-app-keycloak.7e14.starter-us-west-2.openshiftapps.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I noticed that there is an arg "--client-secret=secret", I figured it should be one of the 2 secrets created early in the process (keycloak-server-tls and keycloak-client-tls) but I didn't know which, so I tried setting it to both while editing the YAML. No luck, still getting the same results.

What would you guys suggest? Is there another repository I can try?

Thanks in advance!

Guto Pereira.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
Rio de Janeiro, Brazil, www.gym2gym.com.br From mdailous at forensiclogic.com Thu May 30 13:45:12 2019 From: mdailous at forensiclogic.com (Michael Dailous) Date: Thu, 30 May 2019 17:45:12 +0000 Subject: [keycloak-user] Custom REST endpoint not associated with a specific REALM Message-ID: Hi, We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication. Is it possible to create a custom REST endpoint that's not associated with a specific REALM? Thanks, Michael From Ori.Doolman at cyberark.com Thu May 30 17:29:19 2019 From: Ori.Doolman at cyberark.com (Ori Doolman) Date: Thu, 30 May 2019 21:29:19 +0000 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user In-Reply-To: References: , Message-ID: Hi Pedro and all, I managed to use get an RPT given an access token. My problem is that I cannot find a good way to model my application's permission in Keycloak. Maybe you or someone else can help with that, since I think it is a pretty standard model: I have many "accounts" and many users. I have several roles in my application, each represents a set of allowed permissions. Each user is assigned a role *per account*. That means that one user can be a "manager" user for account 1 (with effective permissions a,b,c) and a "regular" user for account 2 (with effective permissions x, y, z). So as you see, my user roles (and permissions) is always in the context of an account. 
This is why I cannot just configure static client roles and use them for policies. My permissions always depend on the data, the account context. What is the best way (if any) to model this kind of permissions in Keycloak? Thanks, Ori. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ori Doolman Sent: Thursday, May 23, 2019 9:35 PM To: Pedro Igor Silva Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user Ok Pedro, I think I got it. Thanks a lot for thr clarification. My current plan is to make the exchange in API-GW. I get 2 advantages: 1) No change in client application and no need to involve client with server side authorization. 2) I need to make sure access token is still valid and user did not performed logout. API-GW seems the correct place to do that. So in a single call to KC I get both token validation and token exchange. I will try that and update the forum if succeeded. I think this is a typical classic deployment and such a documented solution can assist a lot of people. Ori. Get Outlook for Android ________________________________ From: Pedro Igor Silva Sent: Thursday, May 23, 2019 6:58:41 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user On Thu, May 23, 2019 at 12:21 PM Ori Doolman > wrote: Hi Pedro, Thanks for the prompt response :) Yes, I need RBAC only at the moment. When you said my web application should make the token exchange, do you mean client side (javascript ) or server side? Client-side I can also make it from API-GW which is even better I think. what is the common practice to send it to the server? I cannot use the Authorization header since it alteady contains the access token. Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. 
It is just an access token + permissions. Pretty much the original + permissions. Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information. It doesn't sounds like the optimal approach. Yes, you would need a per session exchange. Ori. Get Outlook for Android ________________________________ From: Pedro Igor Silva > Sent: Thursday, May 23, 2019 5:49:11 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type. However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the numbers of permissions within the token. Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization. On Thu, May 23, 2019 at 11:23 AM Ori Doolman > wrote: Hi, I have a web application (Angular) which calls a REST API in a Java microservice. In my application, which manages books, I have a "regular" and "admin" roles. "regular" is allowed to execute API readBook. "admin" is allowed to execute APIs readBook, deleteBook, createBook. The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities. I get an access token in the client (using code flow or implicit flow). 
The token contains the current user roles. But not the permissions. When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization. 1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions in my current DB and load them to service cache ? 2. I want to avoid calling Keycloak for every REST API call because this will result bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way? 1. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role. This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token. Thanks, Ori. ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. 
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e= _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e= From psilva at redhat.com Thu May 30 17:51:09 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 30 May 2019 18:51:09 -0300 Subject: [keycloak-user] How to get the role -> permissions for an authenticated user In-Reply-To: References: Message-ID: Would be the account a resource and permissions their corresponding scopes/actions that can be performed on an account ? If a role implies access to some scopes/actions you can perform on an account (which is a resource), you could write "scope-based policies" such as: * "Manager Permission" is defined for scopes A, B and C with a role-policy that enforces "manager" role * "Regular Permission" is defined for scopes X, Y and Z with a role-policy that enforces "regular" role With this setup, if the user has both manager and regular roles access shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the scopes granted will depend on the role assigned to the user. On Thu, May 30, 2019 at 6:29 PM Ori Doolman wrote: > Hi Pedro and all, > > I managed to use get an RPT given an access token. > > My problem is that I cannot find a good way to model my application's > permission in Keycloak. 
> Maybe you or someone else can help with that, since I think it is a pretty > standard model: > > I have many "accounts" and many users. > I have several roles in my application, each represents a set of allowed > permissions. > Each user is assigned a role *per account*. > That means that one user can be a "manager" user for account 1 (with > effective permissions a,b,c) and a "regular" user for account 2 (with > effective permissions x, y, z). > So as you see, my user roles (and permissions) is always in the context of > an account. > This is why I cannot just configure static client roles and use them for > policies. My permissions always depend on the data, the account context. > > What is the best way (if any) to model this kind of permissions in > Keycloak? > > Thanks, > Ori. > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> On Behalf Of Ori Doolman > Sent: Thursday, May 23, 2019 9:35 PM > To: Pedro Igor Silva > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to get the role -> permissions for an > authenticated user > > Ok Pedro, > I think I got it. Thanks a lot for thr clarification. > My current plan is to make the exchange in API-GW. > I get 2 advantages: > > 1) No change in client application and no need to involve client with > server side authorization. > > 2) I need to make sure access token is still valid and user did not > performed logout. API-GW seems the correct place to do that. So in a single > call to KC I get both token validation and token exchange. > > I will try that and update the forum if succeeded. I think this is a > typical classic deployment and such a documented solution can assist a lot > of people. > > Ori. 
> > Get Outlook for Android< > https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=hiPvWoZ4YnB3lDZZxL_d8b-vGB5H0to2rJICMngePqY&e= > > > > ________________________________ > From: Pedro Igor Silva > Sent: Thursday, May 23, 2019 6:58:41 PM > To: Ori Doolman > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to get the role -> permissions for an > authenticated user > > > > On Thu, May 23, 2019 at 12:21 PM Ori Doolman > wrote: > Hi Pedro, > Thanks for the prompt response :) > > Yes, I need RBAC only at the moment. > > When you said my web application should make the token exchange, do you > mean client side (javascript ) or server side? > > Client-side > > I can also make it from API-GW which is even better I think. what is the > common practice to send it to the server? I cannot use the Authorization > header since it alteady contains the access token. > > > Not sure if API-GW is better but you can replace the access token with > permissions (sent by the client) in the authorization header. It is just an > access token + permissions. Pretty much the original + permissions. > > > Also, it means that I will have to make this call once per session (after > login) rather than once in a process lifetime, since the roles->permissions > mapping is pretty much static information. > It doesn't sounds like the optimal approach. > > Yes, you would need a per session exchange. > > > Ori. 
> > Get Outlook for Android< > https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=kd7NLazIlAUReoX4xn1Isinku-QmPbxzujKjkg5CF78&s=kSulN2o1ygvKOHFKkrsYVnKZdGvuWpqYi8uwdhUudUc&e= > > > > ________________________________ > From: Pedro Igor Silva > > Sent: Thursday, May 23, 2019 5:49:11 PM > To: Ori Doolman > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to get the role -> permissions for an > authenticated user > > There is no way to automatically set the permissions (from a client > authorization settings) when an access token is issued. Like you said, you > need another call to the token endpoint using the uma-grant-type. > > However, your web application will make that call only once in order to > exchange the access token with another one with the permissions you need to > access your backend. Your client should also be able to perform incremental > authorization and limit the numbers of permissions within the token. > > Using a pure RBAC approach also works for your case, I think. Although you > are limited to RBAC (thus tied with the roles you are using to protect > resources) and not able to use resource-based authorization. > > On Thu, May 23, 2019 at 11:23 AM Ori Doolman > wrote: > Hi, > > I have a web application (Angular) which calls a REST API in a Java > microservice. > > In my application, which manages books, I have a "regular" and "admin" > roles. > "regular" is allowed to execute API readBook. > "admin" is allowed to execute APIs readBook, deleteBook, createBook. > > The mapping between the user roles to the permissions (book:read , > book:create, book:delete) is currently in my app DB. I guess I can migrate > all roles and permissions into Keycloak using the > resources/permissions/policies entities. > > I get an access token in the client (using code flow or implicit flow). > The token contains the current user roles. 
But not the permissions. > When I call my REST API I send the access token to my REST endpoint in the > http header. The token contains the user roles, but not the user > permissions. In fact, what I really need is the user permissions for > checking authorization. > > > > 1. What is the best practice of getting the user permissions in my REST > service? Can I have them become part of the JWT access token when the token > is created? > Or is there any other recommended way to "map" the roles into the > effective permissions at runtime? > Maybe keep the role->permissions in my current DB and load them to service > cache ? > > 2. I want to avoid calling Keycloak for every REST API call because > this will result bad performance. From what I read, if I want to use > Keycloak authorization services I must call Keycloak for every API request > and get the permissions (an RPT token). Is that the only way? > > > > 1. Another alternative I thought of: > have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles > "book:read" , "book:create", "book:delete" and for the "Regulars" group I > will add only "book:read" role. > This way, if a user belongs to the admins group, he will have all the > permissions (roles) in the JWT access token. > > > Thanks, > Ori. > > ---------------------------------------------------------------------- > _______________________________________________ > This e-mail may contain information that is confidential, privileged or > otherwise protected from disclosure. > If you are not an intended recipient of this e-mail, do not duplicate or > redistribute it by any means. Please delete it and any attachments and > notify the sender that you have received it in error. 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e=
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=C06JksmJ3-aEjipshrthQDy_e_8SFfiWTVg3xaAAi90&s=h3yWPfEVBy7AdTCBc2za37uwC0fzq34oyXd6IxbksNU&e=>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e=
>

From Ori.Doolman at cyberark.com Thu May 30 17:58:37 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Thu, 30 May 2019 21:58:37 +0000
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user
In-Reply-To:
References:
Message-ID:

Thanks Pedro,

But the definition below is exactly what I tried to do and got stuck. This is because the "manager permissions" (A, B, C) is given only for role manager and *for account 1*. For account 2, the same user will have totally different permissions.

I don't have the accounts configured in Keycloak. Even if I configure an account as a resource, this account will have scopes X,Y,Z for user 1 and scopes A, B, C for user 2.

See my problem?

Ori.
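With Pedro's model (each account a resource, actions as scopes, granted through role policies), the exchanged RPT carries the per-account grant in its authorization.permissions claim, and the resource server or API gateway checks that claim locally instead of calling Keycloak on every request, which is the concern raised earlier in this thread. Added example, not code from this thread or from Keycloak: a Python check of a constructed RPT. It assumes the RPT has already been obtained at the token endpoint with grant_type urn:ietf:params:oauth:grant-type:uma-ticket and arrives as a Bearer header, and that the token is HS256-signed with a demo secret so it runs offline (a real Keycloak RPT is RS256-signed with the realm key and would be checked against the realm's JWKS).

```python
"""Resource-server side check of a Keycloak RPT (requesting party token).

Added example for this thread, not code from Keycloak or from any poster.
Constructed for the demo: the HS256 secret, the claim values, and the
account-as-resource layout; a real RPT is RS256-signed by the realm.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_EXP = 1_900_000_000  # fixed expiry so the demo is reproducible

# Constructed RPT payload in Keycloak's layout: account-1 and account-2 are
# resources, the scopes are the actions granted on each of them.
DEMO_RPT_CLAIMS = {
    "iss": "https://keycloak.example.invalid/auth/realms/demo",  # placeholder
    "sub": "user-1",
    "exp": DEMO_EXP,
    "authorization": {
        "permissions": [
            {"rsname": "account-1", "scopes": ["a", "b", "c"]},
            {"rsname": "account-2", "scopes": ["x", "y", "z"]},
        ]
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a compact JWS for the demo; stands in for Keycloak's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> dict:
    """Return the claims only after the signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, payload, sig = parts
    # Pin the expected algorithm; the token's own "alg" is never trusted.
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def granted_scopes(claims: dict) -> dict:
    """Flatten authorization.permissions into {resource name: set of scopes}."""
    granted: dict = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        name = perm.get("rsname") or perm.get("rsid")
        granted.setdefault(name, set()).update(perm.get("scopes", []))
    return granted


def authorize_request(auth_header: str, account: str, action: str,
                      now: Optional[float] = None) -> bool:
    """Decide one API call from the Authorization header alone, no round trip to Keycloak.

    Any failure (missing header, bad signature, expired token, account or action
    not granted) yields False so the caller answers 401/403.
    """
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    try:
        claims = verify_hs256(token, now=now)
    except ValueError:
        return False
    return action in granted_scopes(claims).get(account, set())


if __name__ == "__main__":
    rpt = sign_hs256(DEMO_RPT_CLAIMS)
    for account, action in (("account-1", "a"), ("account-2", "a"), ("account-2", "x")):
        ok = authorize_request("Bearer " + rpt, account, action, now=DEMO_EXP - 60)
        print(f"{account} {action}: {'allow' if ok else 'deny'}")
```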
From: Pedro Igor Silva Sent: Friday, May 31, 2019 12:51 AM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user Would be the account a resource and permissions their corresponding scopes/actions that can be performed on an account ? If a role implies access to some scopes/actions you can perform on an account (which is a resource), you could write "scope-based policies" such as: * "Manager Permission" is defined for scopes A, B and C with a role-policy that enforces "manager" role * "Regular Permission" is defined for scopes X, Y and Z with a role-policy that enforces "regular" role With this setup, if the user has both manager and regular roles access shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the scopes granted will depend on the role assigned to the user. On Thu, May 30, 2019 at 6:29 PM Ori Doolman > wrote: Hi Pedro and all, I managed to use get an RPT given an access token. My problem is that I cannot find a good way to model my application's permission in Keycloak. Maybe you or someone else can help with that, since I think it is a pretty standard model: I have many "accounts" and many users. I have several roles in my application, each represents a set of allowed permissions. Each user is assigned a role *per account*. That means that one user can be a "manager" user for account 1 (with effective permissions a,b,c) and a "regular" user for account 2 (with effective permissions x, y, z). So as you see, my user roles (and permissions) is always in the context of an account. This is why I cannot just configure static client roles and use them for policies. My permissions always depend on the data, the account context. What is the best way (if any) to model this kind of permissions in Keycloak? Thanks, Ori. 
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ori Doolman
Sent: Thursday, May 23, 2019 9:35 PM
To: Pedro Igor Silva
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

Ok Pedro,
I think I got it. Thanks a lot for the clarification.
My current plan is to make the exchange in API-GW.
I get 2 advantages:

1) No change in client application and no need to involve client with server side authorization.

2) I need to make sure access token is still valid and user did not perform logout. API-GW seems the correct place to do that. So in a single call to KC I get both token validation and token exchange.

I will try that and update the forum if succeeded. I think this is a typical classic deployment and such a documented solution can assist a lot of people.

Ori.

Get Outlook for Android

________________________________
From: Pedro Igor Silva
Sent: Thursday, May 23, 2019 6:58:41 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

On Thu, May 23, 2019 at 12:21 PM Ori Doolman wrote:

Hi Pedro,
Thanks for the prompt response :)

Yes, I need RBAC only at the moment.

When you said my web application should make the token exchange, do you mean client side (javascript ) or server side?

Client-side

I can also make it from API-GW which is even better I think. What is the common practice to send it to the server? I cannot use the Authorization header since it already contains the access token.

Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions.

Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information.
It doesn't sound like the optimal approach.

Yes, you would need a per session exchange.

Ori.

Get Outlook for Android

________________________________
From: Pedro Igor Silva
Sent: Thursday, May 23, 2019 5:49:11 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type.

However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the numbers of permissions within the token.

Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization.

On Thu, May 23, 2019 at 11:23 AM Ori Doolman wrote:

Hi,

I have a web application (Angular) which calls a REST API in a Java microservice.

In my application, which manages books, I have "regular" and "admin" roles.
"regular" is allowed to execute API readBook.
"admin" is allowed to execute APIs readBook, deleteBook, createBook.

The mapping between the user roles to the permissions (book:read, book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.

I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions.
When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.

1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created?
Or is there any other recommended way to "map" the roles into the effective permissions at runtime?
Maybe keep the role->permissions in my current DB and load them to service cache?

2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?

3. Another alternative I thought of:
have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read", "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role.
This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token.

Thanks,
Ori.

----------------------------------------------------------------------
_______________________________________________
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure.
If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e=

From fabio.ebner at lumera.com.br Thu May 30 19:59:36 2019
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Thu, 30 May 2019 20:59:36 -0300
Subject: [keycloak-user] Springboot

Does anyone have a sample of how I can secure my springboot rest api?
I want to configure a keycloak to work with my Backend (Spring boot rest api) and a front-end (vuejs)

tks

From Kevin.Fox at pnnl.gov Thu May 30 20:07:37 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Fri, 31 May 2019 00:07:37 +0000
Subject: [keycloak-user] direct access grant + kerberos
In-Reply-To: <093196fe8b87776a9b4b15e05e98518b20fd9135.camel@carretti.pro>
References: <1A3C52DFCD06494D8528644858247BF01C331E1C@EX10MBOX03.pnnl.gov>, <093196fe8b87776a9b4b15e05e98518b20fd9135.camel@carretti.pro>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C3515D8@EX10MBOX03.pnnl.gov>

I tried this. But the plugin does not seem to support it:

Kerberos is not set up. You cannot login.

I've verified that the endpoint does work with username/password before switching and that kerberos still works with websites.

Anyone know what it would take to update the plugin to support the direct flow?

Thanks,
Kevin

________________________________________
From: Dmitry Telegin [demetrio at carretti.pro]
Sent: Friday, May 24, 2019 9:01 AM
To: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] direct access grant + kerberos

Hello Kevin,

You could try cloning the default direct grant flow, adding Kerberos authenticator to it and removing everything else. This authenticator was initially developed for browser-based flows, so it might or might not work with direct grants. You'll need to figure that out - it could be that the authenticator might need to be adapted.

If you need to keep username+password authentication too, you should put the relevant authenticators into a subflow and make it alternative, the same way it is done in the default browser flow.

Good luck,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-05-21 at 17:48 +0000, Fox, Kevin M wrote:
> Is there a way to get back an id token by doing a direct access grant with kerberos negotiate instead of a password?
>
> Thanks,
> Kevin

From bruno at abstractj.org Thu May 30 20:16:34 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 30 May 2019 21:16:34 -0300
Subject: [keycloak-user] Springboot

I'd suggest to take a look at https://github.com/keycloak/keycloak-quickstarts

I hope it helps.

On Thu, May 30, 2019, 9:01 PM Fabio Ebner wrote:
> Does anyone have a sample of how I can secure my springboot rest api?
>
> I want to configure a keycloak to work with my Backend (Spring boot rest api) and a front-end (vuejs)
>
> tks

From psilva at redhat.com Fri May 31 09:02:05 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 31 May 2019 10:02:05 -0300
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user

I see. In this case, you could write a JS policy that checks both the account and the role. Where the account could be passed to your policy as a claim. The issue here is that you will end up with a quite huge policy depending on how many accounts you have.

The second approach would be to manage accounts as resources and have those permissions for each resource. You would need provisioning logic in your application to create the resource + permissions when a new account is created. Permissions could then be obtained on a per-account basis.

On Thu, May 30, 2019 at 6:58 PM Ori Doolman wrote:
> Thanks Pedro,
>
> But the definition below is exactly what I tried to do and got stuck.
>
> This is because the "manager permissions" (A, B, C) is given only for role manager and *for account 1*. For account 2, the same user will have totally different permissions.
>
> I don't have the accounts configured in Keycloak.
>
> Even if I configure an account as a resource, this account will have scopes X,Y,Z for user 1 and scopes A, B, C for user 2.
>
> See my problem?
>
> Ori.
> From: Pedro Igor Silva
> Sent: Friday, May 31, 2019 12:51 AM
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user
>
> Would the account be a resource and permissions their corresponding scopes/actions that can be performed on an account?
>
> If a role implies access to some scopes/actions you can perform on an account (which is a resource), you could write "scope-based policies" such as:
>
> * "Manager Permission" is defined for scopes A, B and C with a role-policy that enforces "manager" role
> * "Regular Permission" is defined for scopes X, Y and Z with a role-policy that enforces "regular" role
>
> With this setup, if the user has both manager and regular roles access shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the scopes granted will depend on the role assigned to the user.
>
> On Thu, May 30, 2019 at 6:29 PM Ori Doolman wrote:
>
> Hi Pedro and all,
>
> I managed to get an RPT given an access token.
>
> My problem is that I cannot find a good way to model my application's permissions in Keycloak.
> Maybe you or someone else can help with that, since I think it is a pretty standard model:
>
> I have many "accounts" and many users.
> I have several roles in my application, each represents a set of allowed permissions.
> Each user is assigned a role *per account*.
> That means that one user can be a "manager" user for account 1 (with effective permissions a,b,c) and a "regular" user for account 2 (with effective permissions x, y, z).
> So as you see, my user roles (and permissions) are always in the context of an account.
> This is why I cannot just configure static client roles and use them for policies. My permissions always depend on the data, the account context.
>
> What is the best way (if any) to model this kind of permissions in Keycloak?
> Thanks,
> Ori.
> [...]

From Ori.Doolman at cyberark.com Fri May 31 10:13:38 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Fri, 31 May 2019 14:13:38 +0000
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user

We have thousands of accounts, therefore option 1 is not feasible.
As for the 2nd option, if I configure accounts as resources, and my app's permissions as scopes per account/resource (all 200 app's permissions), I expect to get in the RPT different permissions if I am user A with role R1 or user B with role R2. At the same time, user A has a different role on another account. This is why I cannot use realm roles.

Is there any way to push claims when I request an RPT?
The only thing I saw is requesting a specific permission/scope.

What I'm really missing in KC is a way to represent this relatively simple model of different user permissions per account.
(Users and accounts relation is Many to many).

Get Outlook for Android

From: Pedro Igor Silva
Sent: Friday, May 31, 2019 1:02:05 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

[...]
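The gateway-side pieces of what Ori asks for above, pushing the account as a claim when requesting the RPT and then enforcing the RPT's permissions locally on each API call (the once-per-session exchange at the API-GW that Pedro describes earlier in the thread), as an added Python example that is not code from this thread or from Keycloak. It uses the `claim_token` / `claim_token_format` parameters of the uma-ticket grant documented in the Keycloak authorization services guide; the resource server client id `book-api`, the resource names `account-1` / `account-2`, the pushed claim name `account`, the token endpoint path and the sample RPT are all constructed for illustration:

```python
"""Added example for this thread (not from Keycloak or from any poster): what an
API gateway in front of the REST API would do with Keycloak Authorization
Services.  Client ids, resource/scope names, the pushed claim name and the
sample RPT below are constructed for illustration."""
import base64
import json
import time
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# claim_token_format value documented by Keycloak for pushed claims
CLAIM_TOKEN_FORMAT = "urn:ietf:params:oauth:token-type:jwt"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_rpt_request(audience: str, pushed_claims: dict, permissions=()) -> str:
    """Build the x-www-form-urlencoded body the gateway POSTs once per session to
    /auth/realms/<realm>/protocol/openid-connect/token (path assumed), with the
    user's access token in the Authorization: Bearer header.  `pushed_claims`
    (here: the account the request is for) travels as claim_token, so a JS or
    scope policy on the server can evaluate it.  `permissions` lets the gateway
    ask only for what the session needs (incremental authorization) instead of
    every permission the user holds."""
    fields = [
        ("grant_type", UMA_TICKET_GRANT),
        ("audience", audience),
        ("claim_token", b64url_encode(json.dumps(pushed_claims).encode())),
        ("claim_token_format", CLAIM_TOKEN_FORMAT),
    ]
    # Keycloak accepts 'permission' several times, one "resource#scope" each.
    fields += [("permission", p) for p in permissions]
    return urlencode(fields)


def rpt_claims(rpt: str) -> dict:
    """Return the payload of a compact JWT.  This only parses it: before trusting
    the result a gateway must verify the RS256 signature against the realm's
    JWKS (omitted here so the example runs offline).  Unsigned tokens are
    rejected outright."""
    header_b64, payload_b64, _signature = rpt.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") == "none":
        raise ValueError("unsigned token")
    return json.loads(b64url_decode(payload_b64))


def is_permitted(claims: dict, resource: str, scope: str, audience: str, now=None) -> bool:
    """Authorize one API call from the RPT alone: token unexpired, issued for this
    API, and granting `scope` on the resource named `resource` (an account, in
    Ori's model).  No call to Keycloak is made per request."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audience not in aud:
        return False
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource and scope in perm.get("scopes", []):
            return True
    return False


# Constructed sample RPT payload in the shape Keycloak uses
# ("authorization" -> "permissions" -> rsname/scopes).  The signature segment
# is a placeholder, which is exactly why rpt_claims() must not be trusted
# without real signature verification.
SAMPLE_CLAIMS = {
    "exp": 1559300600,
    "aud": "book-api",
    "sub": "user-a",
    "authorization": {
        "permissions": [
            {"rsid": "res-account-1", "rsname": "account-1", "scopes": ["A", "B", "C"]},
        ]
    },
}
SAMPLE_RPT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    # 1. exchange: user A works on account-1, the gateway asks only for scope A there
    print(build_rpt_request("book-api", {"account": ["account-1"]}, ["account-1#A"]))
    # 2. enforce: decide two calls from the RPT alone
    claims = rpt_claims(SAMPLE_RPT)
    print(is_permitted(claims, "account-1", "A", "book-api", now=1559300000))  # True
    print(is_permitted(claims, "account-2", "A", "book-api", now=1559300000))  # False
```

The exchange happens once per session, as Pedro notes, so the gateway caches the RPT for the session and re-runs only the local `is_permitted` check per call; the RPT's own `exp` bounds how long a revoked role can linger, and a logout check still needs the session validation Ori mentions. In production the placeholder signature check is replaced by verifying the RS256 signature with the realm's JWKS, and the `aud` check keeps an RPT issued for one resource server from being replayed against another.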
From mdailous at forensiclogic.com Fri May 31 11:31:35 2019
From: mdailous at forensiclogic.com (Michael Dailous)
Date: Fri, 31 May 2019 15:31:35 +0000
Subject: [keycloak-user] Custom REST endpoint not associated with a REALM

Is there anyone that can provide some guidance on this?

Michael

-----Original Message-----
Date: Thu, 30 May 2019 17:45:12 +0000
From: Michael Dailous
Subject: [keycloak-user] Custom REST endpoint not associated with a specific REALM
To: "keycloak-user at lists.jboss.org"
Content-Type: text/plain; charset="us-ascii"

Hi,

We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process.

We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication.
Is it possible to create a custom REST endpoint that's not associated with a specific REALM?

Thanks,
Michael

------------------------------

From psilva at redhat.com Fri May 31 13:32:29 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 31 May 2019 14:32:29 -0300
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user

Here it is https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims .

FYI, you can also use client roles in your policies.

On Fri, May 31, 2019 at 11:14 AM Ori Doolman wrote:
> [...]
You would need to provisioning logic > in your application to create the resource + permissions when a new account > is created. Permissions could then be obtained based on a per-account > basis. > > On Thu, May 30, 2019 at 6:58 PM Ori Doolman < Ori.Doolman at cyberark.com> > wrote: > > Thanks Pedro, > But the definition below is exactly what I tried to do and got stuck. > This is because the ?manager permissions? (A, B, C) is given only for role > manager and **for account 1**. For account 2, the same user will have > totally different permissions. > I don?t have the accounts configured in Keycloak. > Even if I configure an account as a resource, this account will have > scopes X,Y,Z for user 1 and scopes A, B, C for user 2. > > See my problem? > > Ori. > > > *From:* Pedro Igor Silva > *Sent:* Friday, May 31, 2019 12:51 AM > *To:* Ori Doolman > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] How to get the role -> permissions for an > authenticated user > > Would be the account a resource and permissions their corresponding > scopes/actions that can be performed on an account ? > > If a role implies access to some scopes/actions you can perform on an > account (which is a resource), you could write "scope-based policies" such > as: > > * "Manager Permission" is defined for scopes A, B and C with a role-policy > that enforces "manager" role > * "Regular Permission" is defined for scopes X, Y and Z with a role-policy > that enforces "regular" role > > With this setup, if the user has both manager and regular roles access > shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the > scopes granted will depend on the role assigned to the user. > > On Thu, May 30, 2019 at 6:29 PM Ori Doolman > wrote: > > Hi Pedro and all, > > I managed to use get an RPT given an access token. > > My problem is that I cannot find a good way to model my application's > permission in Keycloak. 
> Maybe you or someone else can help with that, since I think it is a pretty > standard model: > > I have many "accounts" and many users. > I have several roles in my application, each represents a set of allowed > permissions. > Each user is assigned a role *per account*. > That means that one user can be a "manager" user for account 1 (with > effective permissions a,b,c) and a "regular" user for account 2 (with > effective permissions x, y, z). > So as you see, my user roles (and permissions) is always in the context of > an account. > This is why I cannot just configure static client roles and use them for > policies. My permissions always depend on the data, the account context. > > What is the best way (if any) to model this kind of permissions in > Keycloak? > > Thanks, > Ori. > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> On Behalf Of Ori Doolman > Sent: Thursday, May 23, 2019 9:35 PM > To: Pedro Igor Silva > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to get the role -> permissions for an > authenticated user > > Ok Pedro, > I think I got it. Thanks a lot for thr clarification. > My current plan is to make the exchange in API-GW. > I get 2 advantages: > > 1) No change in client application and no need to involve client with > server side authorization. > > 2) I need to make sure access token is still valid and user did not > performed logout. API-GW seems the correct place to do that. So in a single > call to KC I get both token validation and token exchange. > > I will try that and update the forum if succeeded. I think this is a > typical classic deployment and such a documented solution can assist a lot > of people. > > Ori. 
> Get Outlook for Android
>
> ________________________________
> From: Pedro Igor Silva
> Sent: Thursday, May 23, 2019 6:58:41 PM
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user
>
> On Thu, May 23, 2019 at 12:21 PM Ori Doolman wrote:
> Hi Pedro,
> Thanks for the prompt response :)
>
> Yes, I need RBAC only at the moment.
>
> When you said my web application should make the token exchange, do you mean client side (javascript) or server side?
>
> Client-side
>
> I can also make it from the API-GW which is even better I think. What is the common practice to send it to the server? I cannot use the Authorization header since it already contains the access token.
>
> Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions.
>
> Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information.
> It doesn't sound like the optimal approach.
>
> Yes, you would need a per session exchange.
>
> Ori.
> Get Outlook for Android
>
> ________________________________
> From: Pedro Igor Silva
> Sent: Thursday, May 23, 2019 5:49:11 PM
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user
>
> There is no way to automatically set the permissions (from a client's authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type.
>
> However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the number of permissions within the token.
>
> Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization.
>
> On Thu, May 23, 2019 at 11:23 AM Ori Doolman wrote:
> Hi,
>
> I have a web application (Angular) which calls a REST API in a Java microservice.
>
> In my application, which manages books, I have "regular" and "admin" roles.
> "regular" is allowed to execute API readBook.
> "admin" is allowed to execute APIs readBook, deleteBook, createBook.
>
> The mapping between the user roles and the permissions (book:read, book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.
>
> I get an access token in the client (using code flow or implicit flow).
> The token contains the current user roles.
> But not the permissions.
> When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.
>
> 1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created?
> Or is there any other recommended way to "map" the roles into the effective permissions at runtime?
> Maybe keep the role->permissions in my current DB and load them to a service cache?
>
> 2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?
>
> 3. Another alternative I thought of:
> have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read", "book:create", "book:delete" and for the "Regulars" group I will add only the "book:read" role.
> This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token.
>
> Thanks,
> Ori.
>
> ----------------------------------------------------------------------
> _______________________________________________
> This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure.
> If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at cyberark.com Fri May 31 13:47:55 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Fri, 31 May 2019 17:47:55 +0000
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user
In-Reply-To:
References:
Message-ID:

Pedro,

1. How do I obtain the pushed claims in my JS policy code? Is it by $evaluation.getContext().getAttributes()? Do you have an example?
2. Is there any way to debug the JS policy? Or at least print to logs from the policy code?

Ori.

From: Pedro Igor Silva
Sent: Friday, May 31, 2019 8:32 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

Here it is https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims. FYI, you can also use client roles in your policies.
On Fri, May 31, 2019 at 11:14 AM Ori Doolman wrote:

We have thousands of accounts, therefore option 1 is not feasible.
As for the 2nd option, if I configure accounts as resources, and my app's permissions as scopes per account/resource (all 200 of the app's permissions), I expect to get in the RPT different permissions if I am user A with role R1 or user B with role R2. At the same time, user A has a different role on another account. This is why I cannot use realm roles.
Is there any way to push claims when I request an RPT? The only thing I saw is requesting a specific permission/scope.
What I'm really missing in KC is a way to represent this relatively simple model of different user permissions per account. (Users and accounts relation is many to many).

Get Outlook for Android

From: Pedro Igor Silva
Sent: Friday, May 31, 2019 1:02:05 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

I see. In this case, you could write a JS policy that checks both the account and the role, where the account could be passed to your policy as a claim. The issue here is that you will end up with a quite huge policy depending on how many accounts you have.

The second approach would be to manage accounts as resources and have those permissions for each resource. You would need provisioning logic in your application to create the resource + permissions when a new account is created. Permissions could then be obtained on a per-account basis.
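Ori asks above how a JS policy reads pushed claims, and Pedro's earlier suggestion was a policy that checks both the account and the role, with the account passed as a claim. The block below is an added example written for this page, not code from the thread or from Keycloak: it reads the pushed `account` claim through `$evaluation.getContext().getAttributes()`, takes the per-account role from a hypothetical multi-valued token claim `account_roles` (assumed to be populated by a protocol mapper), and replaces the Keycloak objects with constructed stubs so it runs stand-alone.

```javascript
// Keycloak-style JS policy backing a "Manager Permission": grant only when the
// identity holds the "manager" role for the account named in a pushed claim.
// Written as a function so it runs outside Keycloak; inside Keycloak you would
// paste the body, where `$evaluation` is the global Keycloak provides.
function evaluateManagerPolicy($evaluation) {
    var REQUIRED_ROLE = 'manager';
    var context = $evaluation.getContext();
    var identity = context.getIdentity();

    // Claims pushed by the client with the RPT request live in the context
    // attributes. They are client-asserted input: the 'account' claim only
    // selects WHICH account the decision is about, it proves nothing itself.
    var accountEntry = context.getAttributes().getValue('account');

    // Per-account roles come from the authenticated identity (the access
    // token). 'account_roles' is an ASSUMED multi-valued token claim with
    // entries like "acct-1:manager"; the page does not define this mapper.
    var roleEntries = identity.getAttributes().getValue('account_roles');

    var granted = false;
    // Exactly one account must be named; a missing or multi-valued claim is
    // ambiguous and is denied rather than guessed at.
    if (accountEntry !== null && accountEntry.size() === 1 && roleEntries !== null) {
        var account = accountEntry.asString(0);
        for (var i = 0; i < roleEntries.size(); i++) {
            var parts = roleEntries.asString(i).split(':');
            if (parts.length === 2 && parts[0] === account && parts[1] === REQUIRED_ROLE) {
                granted = true;
            }
        }
    }
    if (granted) {
        $evaluation.grant();
    } else {
        $evaluation.deny();
    }
}

// --- Constructed stand-ins for the Keycloak objects used above -------------
// They mimic only the methods the policy calls (Attributes.getValue,
// Attributes.Entry.size/asString, Evaluation.grant/deny); not Keycloak code.
function fakeEntry(name, values) {
    return {
        getName: function () { return name; },
        size: function () { return values.length; },
        asString: function (idx) { return String(values[idx]); }
    };
}

function fakeAttributes(map) {
    return {
        getValue: function (name) {
            return Object.prototype.hasOwnProperty.call(map, name) ? fakeEntry(name, map[name]) : null;
        }
    };
}

function fakeEvaluation(pushedClaims, identityClaims) {
    var outcome = { decision: 'none' };
    var identity = { getAttributes: function () { return fakeAttributes(identityClaims); } };
    var context = {
        getIdentity: function () { return identity; },
        getAttributes: function () { return fakeAttributes(pushedClaims); }
    };
    return {
        getContext: function () { return context; },
        grant: function () { outcome.decision = 'grant'; },
        deny: function () { outcome.decision = 'deny'; },
        outcome: outcome
    };
}

// Runs the policy against constructed claims and returns 'grant' or 'deny'.
function runManagerPolicy(pushedClaims, identityClaims) {
    var evaluation = fakeEvaluation(pushedClaims, identityClaims);
    evaluateManagerPolicy(evaluation);
    return evaluation.outcome.decision;
}

// Constructed sample identity: manager on acct-1, regular on acct-2.
var SAMPLE_IDENTITY = {
    email: ['user1@example.com'],
    account_roles: ['acct-1:manager', 'acct-2:regular']
};

console.log('acct-1 :', runManagerPolicy({ account: ['acct-1'] }, SAMPLE_IDENTITY)); // grant
console.log('acct-2 :', runManagerPolicy({ account: ['acct-2'] }, SAMPLE_IDENTITY)); // deny
console.log('no acct:', runManagerPolicy({}, SAMPLE_IDENTITY));                      // deny
// Pushed claims are never consulted for the role, so a client cannot widen
// its own grant by pushing an 'account_roles' claim alongside 'account'.
console.log('forged :', runManagerPolicy({ account: ['acct-2'], account_roles: ['acct-2:manager'] }, SAMPLE_IDENTITY)); // deny
```

Because the account is data carried by the request and the role is data carried by the token, the policy stays the same size however many accounts exist, which is the growth problem Pedro raised against a per-account policy.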
From demetrio at carretti.pro Fri May 31 13:50:05 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Fri, 31 May 2019 20:50:05 +0300
Subject: [keycloak-user] Custom REST endpoint not associated with a REALM
In-Reply-To:
References:
Message-ID: <9c0e383ac2997b661430217d4c19098e6676863d.camel@carretti.pro>

Hello Michael,

In Keycloak, custom REST endpoints are realm-bound by design. But you can use the master realm to emulate "realm-independent" endpoints, since master is a special realm that is guaranteed to always exist (unless you decide to break Keycloak by manually deleting it :)

In fact, it's not about REST endpoints only. The rule of thumb is, if you need to implement something realm-independent (or "global") in Keycloak, but the API requires a realm, use the master realm for that.

Regarding reliability and maintainability of this approach, please check out this thread [1]. When implementing yet another KC extension that needed to be "global", I became a bit concerned with the usage of the master realm for that, but Stian actually confirmed that would be pretty safe.

[1] http://lists.jboss.org/pipermail/keycloak-dev/2018-November/011349.html

Good luck!
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Fri, 2019-05-31 at 15:31 +0000, Michael Dailous wrote:
> Is there anyone that can provide some guidance on this?
>
> Michael
>
> -----Original Message-----
> Date: Thu, 30 May 2019 17:45:12 +0000
> From: Michael Dailous
> Subject: [keycloak-user] Custom REST endpoint not associated with a specific REALM
> To: "keycloak-user at lists.jboss.org"
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication.
> Is it possible to create a custom REST endpoint that's not associated with a specific REALM?
>
> Thanks,
> Michael

From mdailous at forensiclogic.com Fri May 31 14:08:27 2019
From: mdailous at forensiclogic.com (Michael Dailous)
Date: Fri, 31 May 2019 18:08:27 +0000
Subject: [keycloak-user] Custom REST endpoint not associated with a REALM
In-Reply-To: <9c0e383ac2997b661430217d4c19098e6676863d.camel@carretti.pro>
References: <9c0e383ac2997b661430217d4c19098e6676863d.camel@carretti.pro>
Message-ID:

Thanks for the response Dmitry. After reviewing the link provided, I understand the design and feel more comfortable with using Master as the 'global' interface moving forward.
This really simplifies the implementation, too, as I have experience creating custom REST endpoints in Keycloak. Very exciting!!!

Thanks again,
Michael

From bruno at abstractj.org Fri May 31 16:54:08 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 31 May 2019 17:54:08 -0300
Subject: [keycloak-user] Question about how to extend or know more about keycloak
In-Reply-To:
References:
Message-ID: <20190531205407.GA1342@abstractj.org>

Hi Paul,

I'm not sure what you mean about empty Javadocs, because they look ok to me. If you would like to use our SPIs, I'd suggest reading our documentation https://www.keycloak.org/documentation.html. For improvements to the Javadocs, feel free to suggest what should be changed or, better, submit a pull request.

On 2019-05-27, Paul Luk wrote:
> Hi all,
>
> I am now checking keycloak to see whether I can adopt it and extend it to fulfill my project's requirements.
>
> However, when I try to check the source code in github, I found there are almost no comments in the source code of keycloak!!!
>
> The javadocs are empty:
> https://www.keycloak.org/docs-api/6.0/javadocs/index.html
>
> I am quite surprised at how you guys can develop and maintain keycloak!
>
> Without the code comments or javadocs, it will be difficult for me to study and extend keycloak (not even enough for creating an SPI)
>
> Thanks.
-- 
abstractj

From Ori.Doolman at cyberark.com Fri May 31 17:10:20 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Fri, 31 May 2019 21:10:20 +0000
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user
In-Reply-To:
References:
Message-ID:

Hi Pedro,

I almost got it all working, but I think I bumped into a bug... :(
Please confirm if this is a bug or an expected behavior.
I'm using the latest Keycloak v6.01. I believe you can reproduce it as well.

I have created:
1. Resource R with scopes S1, S2.
2. User based policy P1 for user1
3. User based policy P2 for user2
4. scope-based permission SBP1 for R1+S1 mapped to policy P1 (granting user1 access to R1:S1)
5. scope-based permission SBP2 for R1+S2 mapped to policy P2 (granting user2 access to R1:S2)

When I request an RPT, everything is as expected. User1 token returns R1:S1 and user2 token returns R1:S2.

But, if I add to SBP1 also S2, I expect that user1 will have access to both R1:S1 and R1:S2. However, I still get only R1:S1. This seems like a bug.

If I revert the change and add to SBP2 also S1, I expect that user2 will have access to both R1:S1 and R1:S2. However, in this case I get access_denied and no scopes at all.

This is really inconsistent and seems like a bug.
Here is how I send the RPT request: POST /auth/realms/epm-account1/protocol/openid-connect/token HTTP/1.1 Host: localhost:8180 Content-Type: application/x-www-form-urlencoded Authorization: Bearer User-Agent: PostmanRuntime/7.13.0 Accept: */* Cache-Control: no-cache Postman-Token: ca36fc4e-d551-4525-a406-9afe674b1312,3731c4f2-6e71-475d-a6bf-171b6dc6b0cc Host: localhost:8180 accept-encoding: gzip, deflate content-length: 99 Connection: keep-alive cache-control: no-cache grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&audience=epm-web&permission=R1 Please check that. Thanks, Ori. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ori Doolman Sent: Friday, May 31, 2019 8:48 PM To: Pedro Igor Silva Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user Pedro, 1. How do I obtain the pushed claims in my JS policy code? Is it by $evaluation.getContext().getAttribes() ? Do you have an example? 2. Is there any way to debug the JS policy? Or at least print to logs from the policy code? Ori. From: Pedro Igor Silva Sent: Friday, May 31, 2019 8:32 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user Here it is https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_authorization-5Fservices_index.html-23-5Fservice-5Fpushing-5Fclaims&d=DwIGaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=mENXb5Bdwuq4jDZ4om9xiFtVy2nUvbmifEzSL0VNmew&s=r9TiD3Glkd7ZsS7Ariwvs4caS0Z-Z4M2qWzZ29ymRw4&e= . FYI, you can also use client roles in your policies. On Fri, May 31, 2019 at 11:14 AM Ori Doolman > wrote: We have thousands of accounts , therefore option 1 is not feasible. 
As for 2nd option, if I configure accounts as resource, and my app's permissions as scopes per account/resource (all 200 app's permissions), I expect to get in RPT different permissions if I am user A role R1 or user B role R2. In the same time, user A has difderent role on other account. This is why I cannot use realm roles. Is there any way to push claims when I request for an RPT? The only thing I saw is requesting for specific permission/scope. What I'm really missing in KC is a way to represent this relatively simple model of different user permissions per account. (Users and accounts relation is Many to many). Get Outlook for Android From: Pedro Igor Silva > Sent: Friday, May 31, 2019 1:02:05 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user I see. In this case, you could write a JS policy that checks both the account and the role. Where the account could be passed to your policy as a claim. The issue here is that you will end up with a quite huge policy depending on how many accounts you have. The second approach would be to manage accounts as resources and have those permissions for each resource. You would need to provisioning logic in your application to create the resource + permissions when a new account is created. Permissions could then be obtained based on a per-account basis. On Thu, May 30, 2019 at 6:58 PM Ori Doolman < Ori.Doolman at cyberark.com> wrote: Thanks Pedro, But the definition below is exactly what I tried to do and got stuck. This is because the ?manager permissions? (A, B, C) is given only for role manager and *for account 1*. For account 2, the same user will have totally different permissions. I don?t have the accounts configured in Keycloak. Even if I configure an account as a resource, this account will have scopes X,Y,Z for user 1 and scopes A, B, C for user 2. See my problem? Ori. 
From: Pedro Igor Silva > Sent: Friday, May 31, 2019 12:51 AM To: Ori Doolman > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user Would be the account a resource and permissions their corresponding scopes/actions that can be performed on an account ? If a role implies access to some scopes/actions you can perform on an account (which is a resource), you could write "scope-based policies" such as: * "Manager Permission" is defined for scopes A, B and C with a role-policy that enforces "manager" role * "Regular Permission" is defined for scopes X, Y and Z with a role-policy that enforces "regular" role With this setup, if the user has both manager and regular roles access shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the scopes granted will depend on the role assigned to the user. On Thu, May 30, 2019 at 6:29 PM Ori Doolman > wrote: Hi Pedro and all, I managed to use get an RPT given an access token. My problem is that I cannot find a good way to model my application's permission in Keycloak. Maybe you or someone else can help with that, since I think it is a pretty standard model: I have many "accounts" and many users. I have several roles in my application, each represents a set of allowed permissions. Each user is assigned a role *per account*. That means that one user can be a "manager" user for account 1 (with effective permissions a,b,c) and a "regular" user for account 2 (with effective permissions x, y, z). So as you see, my user roles (and permissions) is always in the context of an account. This is why I cannot just configure static client roles and use them for policies. My permissions always depend on the data, the account context. What is the best way (if any) to model this kind of permissions in Keycloak? Thanks, Ori. 
-----Original Message----- From: keycloak-user-bounces at lists.jboss.org > On Behalf Of Ori Doolman Sent: Thursday, May 23, 2019 9:35 PM To: Pedro Igor Silva > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user Ok Pedro, I think I got it. Thanks a lot for thr clarification. My current plan is to make the exchange in API-GW. I get 2 advantages: 1) No change in client application and no need to involve client with server side authorization. 2) I need to make sure access token is still valid and user did not performed logout. API-GW seems the correct place to do that. So in a single call to KC I get both token validation and token exchange. I will try that and update the forum if succeeded. I think this is a typical classic deployment and such a documented solution can assist a lot of people. Ori. Get Outlook for Android ________________________________ From: Pedro Igor Silva > Sent: Thursday, May 23, 2019 6:58:41 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user On Thu, May 23, 2019 at 12:21 PM Ori Doolman >> wrote: Hi Pedro, Thanks for the prompt response :) Yes, I need RBAC only at the moment. When you said my web application should make the token exchange, do you mean client side (javascript ) or server side? Client-side I can also make it from API-GW which is even better I think. what is the common practice to send it to the server? I cannot use the Authorization header since it alteady contains the access token. Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions. 
Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information. It doesn't sound like the optimal approach.

Yes, you would need a per-session exchange.

Ori.

________________________________
From: Pedro Igor Silva
Sent: Thursday, May 23, 2019 5:49:11 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

There is no way to automatically set the permissions (from a client's authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type. However, your web application will make that call only once in order to exchange the access token for another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the number of permissions within the token.

Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied to the roles you are using to protect resources) and not able to use resource-based authorization.

On Thu, May 23, 2019 at 11:23 AM Ori Doolman wrote:

Hi,

I have a web application (Angular) which calls a REST API in a Java microservice.

In my application, which manages books, I have "regular" and "admin" roles.
"regular" is allowed to execute the API readBook.
"admin" is allowed to execute the APIs readBook, deleteBook, createBook.

The mapping between the user roles and the permissions (book:read, book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.

I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions.
When I call my REST API I send the access token to my REST endpoint in the HTTP header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.

1. What is the best practice for getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions mapping in my current DB and load it into the service cache?

2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?

3. Another alternative I thought of: have 2 user groups, "Admins" and "Regulars". For "Admins" I will add the roles "book:read", "book:create", "book:delete" and for the "Regulars" group I will add only the "book:read" role. This way, if a user belongs to the Admins group, he will have all the permissions (roles) in the JWT access token.

Thanks,
Ori.
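The exchange discussed in this thread has two halves: the resource server (or API gateway) posts the user's access token to the token endpoint with the UMA grant type to obtain an RPT, and the REST service then reads the "authorization.permissions" claim of that RPT instead of the roles claim. The following is an added example, not code from the thread or from Keycloak; it builds the token-endpoint request and evaluates a constructed RPT whose permissions mirror the per-account roles described above (manager on account-1 with scopes A, B, C; regular on account-2 with scopes X, Y, Z). The realm URL, the client id "books-api", the resource names and the RPT contents are assumptions. The sample RPT is unsigned, so the decode helper deliberately skips signature verification; a real service must verify the signature against the realm's public keys before calling is_granted.

```python
"""Added example: Keycloak UMA grant request (access token -> RPT) and an
RPT permission check for a resource server. The RPT below is constructed
and unsigned; real tokens must be signature-verified before use."""
import base64
import json
import time
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(token_endpoint, access_token, audience, permissions=()):
    """Return (url, headers, body) for the token-endpoint call that exchanges
    an access token for an RPT. `audience` is the client_id whose
    authorization settings define the resources and scopes. `permissions`
    are optional "Resource#scope" strings that narrow the RPT to what the
    caller actually needs (incremental authorization)."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    fields.extend(("permission", p) for p in permissions)
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_endpoint, headers, urlencode(fields)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload_unverified(jwt):
    """Split a compact JWS and decode its payload WITHOUT checking the
    signature. Only use the result for inspection or after the token has
    been verified elsewhere; never base access decisions on it alone."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def permissions_from_rpt(payload):
    """Map resource name -> set of granted scopes from the RPT's
    'authorization.permissions' claim (entries carry rsid, rsname, scopes)."""
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        name = perm.get("rsname") or perm.get("rsid")
        granted.setdefault(name, set()).update(perm.get("scopes", []))
    return granted


def is_granted(payload, resource, scope, audience=None, now=None):
    """Deny by default: expired token, wrong audience, unknown resource or
    missing scope all return False. Entries without scopes grant no scope."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False
    if audience is not None:
        aud = payload.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if audience not in aud:
            return False
    return scope in permissions_from_rpt(payload).get(resource, set())


def make_unsigned_rpt(payload):
    """Constructed sample token: RS256 header, payload, placeholder signature
    segment. It mimics the shape of a Keycloak RPT but is NOT signed."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-not-a-real-signature"),
    ])


# Constructed RPT payload (assumed issuer/audience) mirroring the thread:
# manager on account-1 (scopes A, B, C), regular on account-2 (scopes X, Y, Z).
SAMPLE_PAYLOAD = {
    "exp": 4102444800,  # 2100-01-01, so the sample does not expire
    "iss": "https://keycloak.example/auth/realms/demo",
    "aud": "books-api",
    "authorization": {
        "permissions": [
            {"rsid": "a1b2c3d4-0000-4000-8000-000000000001",
             "rsname": "account-1", "scopes": ["A", "B", "C"]},
            {"rsid": "a1b2c3d4-0000-4000-8000-000000000002",
             "rsname": "account-2", "scopes": ["X", "Y", "Z"]},
        ]
    },
}
SAMPLE_RPT = make_unsigned_rpt(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    url, hdrs, body = build_rpt_request(
        "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token",
        "user-access-token", "books-api", ["account-1#A"])
    print(body)  # grant_type=...uma-ticket&audience=books-api&permission=account-1%23A
    claims = decode_payload_unverified(SAMPLE_RPT)
    print(is_granted(claims, "account-1", "A", audience="books-api"))  # True
    print(is_granted(claims, "account-2", "A", audience="books-api"))  # False
```

The request body is what the API gateway would POST once per session; the RPT it gets back replaces the plain access token in the Authorization header towards the backend, and the backend's check collapses to a lookup in the permissions claim rather than a call to Keycloak per request. The scope strings and resource names are whatever the client's authorization settings define; the per-account distinction only works if each account is registered as its own resource, because the claim is keyed by resource, not by role.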
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From fabio.ebner at lumera.com.br Fri May 31 18:01:19 2019
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Fri, 31 May 2019 19:01:19 -0300
Subject: [keycloak-user] Client Admin
Message-ID:

Is there a sample of how to create and update users in a Java application? All the samples I have found are older and don't work with Java 1.8 and this dependency:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-admin-client</artifactId>
        <version>6.0.1</version>
    </dependency>