From 325633761415ff4b54ec6bf502f306afb9e0586a Mon Sep 17 00:00:00 2001
From: mposolda
Date: Tue, 31 Mar 2015 10:08:40 +0200
Subject: [PATCH 1/3] CookieTokenStore not working correctly on EAP 6.3
---
 .../en/en-US/modules/application-clustering.xml | 11 +++++++++--
 .../java/org/keycloak/adapters/CookieTokenStore.java | 2 +-
 .../keycloak/adapters/tomcat/CatalinaHttpFacade.java | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/docbook/reference/en/en-US/modules/application-clustering.xml b/docbook/reference/en/en-US/modules/application-clustering.xml
index 0406522318..c4246d2f12 100755
--- a/docbook/reference/en/en-US/modules/application-clustering.xml
+++ b/docbook/reference/en/en-US/modules/application-clustering.xml
@@ -65,8 +65,15 @@
- Default value of token-store is session, hence saving data in HTTP session. One disadvantage of cookie store is,
- that whole info about account is passed in cookie KEYCLOAK_ADAPTER_STATE in each HTTP request. Hence it's not the best for network performance.
+ Default value of token-store is session, hence saving data in HTTP session.
+
+
+ One limitation of cookie store is, that whole info about account is passed in cookie KEYCLOAK_ADAPTER_STATE in each HTTP request.
+ Hence it's not the best for network performance.
+ Another small limitation is limited support for Single-Sign out. It works without issues if you init servlet logout (HttpServletRequest.logout)
+ from this application itself as the adapter will delete the KEYCLOAK_ADAPTER_STATE cookie. But back-channel logout initialized from different application can't be
+ propagated by Keycloak to this application with cookie store. Hence it's recommended to use very short value of access token
+ timeout (1 minute for example).
diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java
index 526756d63d..f5e145f8ca 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java
@@ -18,7 +18,7 @@ import org.keycloak.util.KeycloakUriBuilder;
 public class CookieTokenStore {
 private static final Logger log = Logger.getLogger(CookieTokenStore.class);
- private static final String DELIM = "@";
+ private static final String DELIM = "___";
 public static void setTokenCookie(KeycloakDeployment deployment, HttpFacade facade, RefreshableKeycloakSecurityContext session) {
 log.debugf("Set new %s cookie now", AdapterConstants.KEYCLOAK_ADAPTER_STATE_COOKIE);
diff --git a/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java b/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java
index 784a1fa3b1..c30bd3a61c 100755
--- a/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java
+++ b/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java
@@ -119,7 +119,7 @@ public class CatalinaHttpFacade implements HttpFacade {
 @Override
 public void resetCookie(String name, String path) {
- setCookie(name, "", null, path, 0, false, false);
+ setCookie(name, "", path, null, 0, false, false);
 }
 @Override
From 783f11e6b88017b222327cb252dc9756a542e705 Mon Sep 17 00:00:00 2001
From: mposolda
Date: Tue, 31 Mar 2015 16:50:10 +0200
Subject: [PATCH 2/3] KEYCLOAK-1121 KEYCLOAK-1122 Update migration guide about protocol mappers and identity brokers
---
 .../modules/MigrationFromOlderVersions.xml | 31 +++++++++++++++++++
 .../en/en-US/modules/identity-broker.xml | 2 +-
 .../models/utils/RepresentationToModel.java | 4 +++
 3 files changed, 36 insertions(+), 1 deletion(-)
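Review bot: The new `DELIM = "___"` in CookieTokenStore is a sequence that can legally occur inside the values it separates if those values are base64url-encoded tokens, because `_` is part of the base64url alphabet, whereas the former `@` could not; the code that joins and splits the cookie value is outside this hunk, so whether a run of three underscores can actually land inside a part cannot be confirmed here, but splitting with an explicit limit equal to the expected number of parts rather than on every occurrence would remove the dependency. The change is presumably driven by `@` being a tspecial that the EAP 6.3 cookie handling quotes; that constraint belongs on the constant so it is not reverted later, e.g. `// Cookie-safe separator: must not be quoted by the container's cookie handling and must never occur inside a joined token part`. The rest of CookieTokenStore, including the body of setTokenCookie, continues outside the hunk.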
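Review bot: resetCookie still passes seven positional arguments, which is how `null` and `path` got transposed in the first place, and the `setCookie` signature is not visible in the hunk to check the corrected order against; annotating the call, `setCookie(name, "", path, /* domain */ null, /* maxAge */ 0, /* secure */ false, /* httpOnly */ false);`, makes the next swap obvious in review. The removal cookie is also sent without the secure and httpOnly flags; browsers match a max-age-0 cookie on name, path and domain, so removal should still work, but if the original KEYCLOAK_ADAPTER_STATE cookie is set with those flags it is worth confirming on the target containers that the expiring cookie is honoured. The enclosing class continues outside the hunk.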
diff --git a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index 116219817b..f66c09d2ea 100755
--- a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -124,6 +124,37 @@ to describe the themes included in a JAR. See the themes section in the docs for more information.
+
+ Claims changes
+
+ Previously there was Claims tab in admin console for application and OAuth clients. This
+ was used to configure which attributes should go into access token for particular application/client. This was removed
+ and replaced with Protocol mappers, which are more flexible.
+
+
+ You don't need to care about migration of database from previous version.
+ We did migration scripts for both RDBMS and Mongo, which should ensure that claims configured for particular application/client
+ will be converted into corresponding protocol mappers (Still it's safer to backup DB before migrating to newer version though).
+ Same applies for exported JSON representation from previous version.
+
+
+
+ Social migration to identity brokering
+
+ We refactored social providers SPI and replaced it with identity brokering SPI,
+ which is more flexible. The Social tab in admin console is renamed to Identity Provider tab.
+
+
+ Again you don't need to care about migration of database from previous version similarly like for Claims/protocol mappers.
+ Both configuration of social providers and "social links" to your users will be converted to corresponding Identity providers.
+
+
+ Only required action from you would be to change allowed Redirect URI in the admin console of
+ particular 3rd party social providers. You can first go to the Keycloak admin console and copy Redirect URI from the page where
+ you configure the identity provider. Then you can simply paste this as allowed Redirect URI to the admin console
+ of 3rd party provider (IE. Facebook admin console).
+
+
Migrating from 1.1.0.Beta2 to 1.1.0.Final
diff --git a/docbook/reference/en/en-US/modules/identity-broker.xml b/docbook/reference/en/en-US/modules/identity-broker.xml
index 5ebbbe239f..74bd40af23 100755
--- a/docbook/reference/en/en-US/modules/identity-broker.xml
+++ b/docbook/reference/en/en-US/modules/identity-broker.xml
@@ -1,4 +1,4 @@
-
+ Identity Broker
diff --git a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index 41e97c8e8d..4ebc2d07cf 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -265,6 +265,7 @@ public class RepresentationToModel {
 Boolean updateProfileFirstLogin = rep.isUpdateProfileOnInitialSocialLogin() != null && rep.isUpdateProfileOnInitialSocialLogin();
 if (rep.getSocialProviders() != null) {
+ logger.warn("Using deprecated 'social' configuration in JSON representation. It will be removed in future versions");
 List identityProviders = new LinkedList<>();
 for (String k : rep.getSocialProviders().keySet()) {
 if (k.endsWith(".key")) {
@@ -297,6 +298,8 @@ public class RepresentationToModel {
 private static void convertDeprecatedSocialProviders(UserRepresentation user) {
 if (user.getSocialLinks() != null && !user.getSocialLinks().isEmpty() && user.getFederatedIdentities() == null) {
+
+ logger.warnf("Using deprecated 'socialLinks' configuration in JSON representation for user '%s'. It will be removed in future versions", user.getUsername());
 List federatedIdentities = new LinkedList<>();
 for (SocialLinkRepresentation social : user.getSocialLinks()) {
 FederatedIdentityRepresentation federatedIdentity = new FederatedIdentityRepresentation();
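Review bot: The deprecation warning added at the top of the `if (rep.getSocialProviders() != null)` block, and likewise the 'claims' warning in the `@@ -316` hunk, does not say which realm or client the deprecated JSON belongs to, so an operator reading the log after importing several files cannot tell which one needs migrating; the 'socialLinks' warning in the `@@ -297` hunk does better by naming the user. If `rep` is the `RealmRepresentation` its accessors suggest, `logger.warnf("Using deprecated 'social' configuration in JSON representation for realm '%s'. It will be removed in future versions", rep.getRealm());` supplies the same context. The enclosing methods of the `@@ -265` and `@@ -316` hunks begin outside the hunks.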
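Review bot: The blank `+` line inserted directly before `logger.warnf(...)` at the start of the `if` body in convertDeprecatedSocialProviders is stray whitespace that the other two warnings in this commit do not have; drop it so the warning sits on the first line of the block. convertDeprecatedSocialProviders' body continues outside the hunk.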
@@ -316,6 +319,7 @@ public class RepresentationToModel {
 return null;
 }
+ logger.warn("Using deprecated 'claims' configuration in JSON representation. It will be removed in future versions");
 long mask = getClaimsMask(claimRep);
 MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class);
 return migrationProvider.getMappersForClaimMask(mask);
From 4c1f2445e34de3222436da697d81af4493cabd35 Mon Sep 17 00:00:00 2001
From: mposolda
Date: Tue, 31 Mar 2015 17:10:19 +0200
Subject: [PATCH 3/3] Bigger 'redirect URI' field in admin console, so it's not partially hidden
---
 .../admin/resources/partials/realm-identity-provider-oidc.html | 2 +-
 .../admin/resources/partials/realm-identity-provider-saml.html | 2 +-
 .../resources/partials/realm-identity-provider-social.html | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html
index b2a90917d1..382f73714c 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html
@@ -13,7 +13,7 @@
-
+
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
index ed67b7c114..50b9e73fdf 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-saml.html
@@ -13,7 +13,7 @@
-
+
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-social.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-social.html
index 214e6340a7..97d53cbf0e 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-social.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-social.html
@@ -13,7 +13,7 @@
-
+