Not able to enable Script Authenticator with Keycloak 8.0.1.
Tried using the option below on the standalone Windows version -
standalone -Dkeycloak.profile.feature.scripts=enabled
It does not work. I had used a similar option on Keycloak 7.0, and it was working.
From version 8.x, in order to make your scripts available to Keycloak you need to deploy them to the server in the form of a JAR.
Refer documentation for details -
https://www.keycloak.org/docs/latest/server_development/#_script_providers
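The JAR layout that answer refers to, as an added example that is not part of the original answer or of the Keycloak project: a script file plus a META-INF/keycloak-scripts.json descriptor that names it, with a pre-deployment check that every script the descriptor references is actually in the archive. The script name, file name and script body are assumptions made for illustration.

```python
import io
import json
import zipfile

DESCRIPTOR = "META-INF/keycloak-scripts.json"

# Constructed sample authenticator; its content is an assumption.
SAMPLE_JS = "function authenticate(context) {\n    context.success();\n}\n"


def build_script_jar(name, file_name, source, description=""):
    """Return the bytes of a JAR holding one script authenticator."""
    descriptor = {"authenticators": [
        {"name": name, "fileName": file_name, "description": description}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(DESCRIPTOR, json.dumps(descriptor, indent=2))
        jar.writestr(file_name, source)
    return buf.getvalue()


def check_script_jar(data):
    """Return a list of problems that would keep the scripts from loading."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if DESCRIPTOR not in names:
            return [f"missing {DESCRIPTOR}"]
        descriptor = json.loads(jar.read(DESCRIPTOR))
        # Top-level keys are provider kinds, e.g. "authenticators".
        for kind, entries in descriptor.items():
            for entry in entries:
                if not entry.get("name"):
                    problems.append(f"{kind}: entry without a name")
                file_name = entry.get("fileName", "")
                if file_name not in names:
                    problems.append(f"{kind}: {file_name!r} is not in the JAR")
    return problems


if __name__ == "__main__":
    jar_bytes = build_script_jar("Sample Script Authenticator",
                                 "sample-authenticator.js", SAMPLE_JS)
    with open("sample-scripts.jar", "wb") as out:
        out.write(jar_bytes)
    print(check_script_jar(jar_bytes) or "descriptor and scripts are consistent")
```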
What is the meaning of the following (https://www.keycloak.org/archive/downloads-17.0.1.html)?
Keycloak: Distribution powered by Quarkus
Keycloak WildFly (deprecated): Distribution powered by WildFly
When I look at the documentation, it says:
The default distribution of Keycloak is now powered by Quarkus, which brings a number
of breaking changes to how you configure Keycloak and deploy custom providers.
For more information check out the Quarkus Migration Guide.
The WildFly distribution of Keycloak is now deprecated, with support ending June 2022.
We recommend migrating to the Quarkus distribution as soon as possible.
However, if you need to remain on the legacy WildFly distribution for some time,
there are some changes to consider
I am using Wildfly as the application server where projects are deployed.
Does this mean I should use only the Wildfly distribution of Keycloak, whose support is ending June 2022?
or
Does this mean that Keycloak used Wildfly underneath, does not use it anymore, and Quarkus is used now? (And can the Quarkus distribution work fine with the Wildfly settings we currently have?)
Unfortunately, it has nothing to do with WildFly anymore. Until recent versions, Keycloak was being packaged as a Java EE archive file (or as a WildFly module) that you could deploy into the WildFly application server.
Quarkus, on the other hand, is a framework to develop cloud native Java applications. Its runtime relies on many open source projects for underlying services (e.g. Vertx, SmallRye projects, etc.) and has a completely different architecture. As part of such a migration, Keycloak is now being packaged as a standalone Java application (that is a typical output for an app developed using Quarkus) and contains all its dependencies. So there is no deployment/installation on WildFly anymore.
Quarkus applications are designed by default to be run on cloud environments like Kubernetes. So you may also need to consider whether you can benefit from this if you have such an infrastructure in your organization (however, it's not mandatory and you can just run it as a normal Java app on your server). But you definitely cannot use your WildFly-specific configurations (e.g. the Keycloak subsystem or OpenID subsystem) anymore.
You can find more details here.
Quarkus is a variation of Wildfly that is packaged in such a way as to make containerization (i.e. Docker, Kubernetes, etc.) much easier. Applications written for Wildfly (and JEE in general) can be made to run in Quarkus quickly.
Wildfly 25 and above include OIDC functionality internally. Therefore, you don't need to install the Keycloak extensions like you used to. And Keycloak, as of version 15, is based on Quarkus too. Because of this there is a build phase of the installation that lets you set many of the options before the run phase. For example, I used to set up a data source in the standalone.xml for my database. Now, I use the resources.properties to set up my database for Keycloak. The concepts are similar.
If you're using a version of Wildfly less than 25 then you'll still want the Keycloak adapter.
We are a Java shop and use maven. Our app is on wildfly 18. Does anyone have any experiences on migrating a wildfly app to OIDC? We were given a security library that we can use to make OIDC calls to, but it requires a config file co-located with this library. Do we need to use a module for this? If so, do we need a particular section filled out in our standalone.xml?
You asked about Wildfly 18. This one for sure needs add-on modules, such as those provided by the keycloak project (https://www.keycloak.org/downloads).
Since Wildfly 25 the OpenID Connect functionality was added to the Wildfly releases, and since then the addon modules are no longer required. In fact, they should no longer get installed as they seem to break Wildfly.
See also
Secure WebApp in Wildfly 25 using OpenID Connect (OIDC) without installing a Keycloak client adapter
https://docs.wildfly.org/25/WildFly_Elytron_Security.html#validating-jwt-tokens
https://www.youtube.com/watch?v=2gQO4_7Z5CI
I have a WildFly 15.0.1 running in domain mode in a Docker container. It has two logging profiles configured - one for each application deployed on it. When I log in to the HAL Management Console via browser I can see all the logs and their file sizes, but I can only view and download the server.log one.
Trying to download one of the others results in:
"WFLYCTL0216: Management resource '[
(\"subsystem\" => \"logging\"),
(\"log-file\" => \"custom-log-file.log\")
]' not found"
which makes sense as in JBoss CLI those log files are not available directly under logging subsystem, but rather in logging profile details. Is there any way to make them available in the HAL Management Console?
As @James R. Perkins suggested, this behavior is a bug that was solved in HAL 3.0.17.Final. Since WildFly 15.0.1.Final contains HAL 3.0.6.Final and WildFly 16.0.0.Final contains HAL 3.1.2.Final, upgrading to WildFly 16 is one possible solution. The other is to upgrade just the HAL module in WildFly as described here.
I am trying to create an OpenShift 3 application in the Eclipse IDE after installing the JBoss Developer Tools plugin in the IDE, but I am getting the error below when signing in to OpenShift.
Error: The server type, credentials, or auth scheme might be incorrect:
I have also tried other server hostname like https://console.starter-us-east-1.openshift.com/console/ and much more, but still not working.
While, when I tried to log in using OC tool (OpenShift CLI) with the same credential (as seen in picture), I haven't got any error.
I also tried to run RHC (OpenShift Client Tool) but at the time of RHC setup it is saying "You are not authorized to perform this operation."
Please help me to solve it out.
First of all, it looks like you're using an outdated version of the JBoss Tools Openshift plugin, because the "New Openshift Application" wizard looks a little bit different at the moment. So try to update it:
Help -> About Eclipse -> Installation Details -> Update... - and choose at least all the JBoss Tools plugins that it'll report to you (the best will be to choose everything reported) and update them.
Secondly, what is the URL which you use to access the Openshift web console in your browser? It seems to me that it is https://console.starter-us-east-1.openshift.com. Are you able to login there with your credentials? If yes, the same must work in JBoss Tools Openshift plugin. Check this and this articles for more info about using it.
We have a MobileFirst application that worked with Worklight 6.2 server - production also. We are using a http adapter: <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
Currently we are changing the production server to 7.0.0. On the Development Server we could test our application and all the functionalities were OK. We've created the .war with the production server in the build configuration and uploaded it together with the android .wlapp. Now we receive 404 when the application tries to call any adapter function on the production server. invokeProcedure onFailure returns UNEXPECTED_ERROR. This is with:
Server version: 7.0.0.00.20150312-0731
Project WAR version: 7.0.0.00.20150402-2001
Adapter name: XXXXX. Version: 7.0.0.00.20150402-2001
Application: XXXXX-android-0.9.7, Version: 7.0.0.00.20150402-2001
We have no security enabled in the application.
Is there something that must be enabled on Server in order to allow old type adapters call?
When we tested with the upgraded MobileFirst Development Studio 7.0.0.00.20150430 as the development platform (same server version), we got the same 404 (Context not found), but there it tries to connect to authorization/v1/clients/instance instead of /apps/services/api/XXXXX/android/query
Should a Server upgrade solve this problem? We've noticed that there are updates available.
The Server is on a https connection, but was same on WL 6.2.
By the description in the comments and the supplied messages.log, it is clear that you are attempting to use Application Authenticity Protection.
This feature worked in a certain way in v6.2 and it works in a different way in v6.3 and above.
From the comments it appears you are only adding the publicSigningKey - this is no longer enough.
See the updated Application Authenticity Protection tutorial for steps to follow: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/authentication-security/application-authenticity-protection/
General steps to follow:
1. Set up authenticationConfig.xml with the security test
2. Add the security test to the environment node in application-descriptor.xml
3. Add the publicSigningKey to the <publicSigningKey> element
4. Add the application package name to the <packageName> element
I believe you are missing step 4.
Note that you are also now able to enable the Extended Authenticity mode; follow the instructions in the tutorial.
Note about step 3: obviously the same keystore used to generate the publicSigningKey must be used when you export the signed .apk file... otherwise there will be a mismatch and the authenticity challenge will fail.
In your authenticationConfig.xml, make sure you have the securityTest available (= not commented out like in the file you've supplied in the comments below).
In your application-descriptor.xml, you are missing the securityTest attribute in the Android environment element: <android version="0.9.9"> change to <android version="0.9.9" securityTest="customTests">
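A pre-deployment check for the four steps in that answer, as an added example that is not part of the original answer or of the MobileFirst tooling. It only relies on the names shown above (the securityTest attribute, <publicSigningKey>, <packageName>, <android>); the surrounding XML layout, the customSecurityTest element and the realm name in the samples are assumptions.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Strip an XML namespace prefix such as '{uri}android'."""
    return tag.rsplit("}", 1)[-1]


def check_authenticity_config(descriptor_xml, auth_config_xml):
    """Return the steps from the answer that the two files do not satisfy."""
    app = ET.fromstring(descriptor_xml)
    auth = ET.fromstring(auth_config_xml)
    # ElementTree skips XML comments, so a commented-out test counts as absent.
    defined = {e.get("name") for e in auth.iter()
               if local(e.tag).endswith("SecurityTest")}
    android = next((e for e in app.iter() if local(e.tag) == "android"), None)
    if android is None:
        return ["no <android> environment element"]
    problems = []
    test = android.get("securityTest")
    if not test:
        problems.append("step 2: <android> has no securityTest attribute")
    elif test not in defined:
        problems.append(f"step 1: security test '{test}' is missing or commented out")
    for step, name in ((3, "publicSigningKey"), (4, "packageName")):
        found = [e for e in android.iter() if local(e.tag) == name]
        if not any((e.text or "").strip() for e in found):
            problems.append(f"step {step}: <{name}> is missing or empty")
    return problems


# Constructed, reduced samples; layout beyond the names on the page is assumed.
AUTH_COMMENTED_OUT = """<loginConfiguration><securityTests>
  <!-- <customSecurityTest name="customTests">
         <test realm="wl_authenticityRealm"/>
       </customSecurityTest> -->
</securityTests></loginConfiguration>"""

DESCRIPTOR_AS_POSTED = """<application><android version="0.9.9">
  <security><publicSigningKey>CONSTRUCTED-KEY</publicSigningKey></security>
</android></application>"""

if __name__ == "__main__":
    for line in check_authenticity_config(DESCRIPTOR_AS_POSTED, AUTH_COMMENTED_OUT):
        print(line)
```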