thomasdarimont / keycloak-extension-playground

Simple project environment for creating custom Keycloak extensions

License: Apache License 2.0

Java 83.54% CSS 0.71% FreeMarker 12.32% JavaScript 0.88% Shell 0.04% HTML 2.49% Batchfile 0.01%

keycloak-extension-playground's Issues

How to build jar files

Exciting extensions you have here!
I am trying to get auth-check-authz-policy-extension to work, but I know nothing about how to create a jar file or Java.

Here is how I create the jar file

git clone https://github.com/thomasdarimont/keycloak-extension-playground.git
#KC_VERSION=11.0.1
cd keycloak-extension-playground/auth-check-authz-policy-extension/src
jar cvf auth-check-authz-policy-extension/src/auth.jar .
chown keycloak:keycloak auth.jar
mv auth.jar $KEYCLOAK_STANDALONE/deployments/

Server seems OK

root@login:[~]: grep 'auth.jar' $KEYCLOAK_STANDALONE/log/server.log
2020-08-27 12:08:32,157 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-5) WFLYSRV0027: Starting deployment of "auth.jar" (runtime-name: "auth.jar")
2020-08-27 12:08:43,292 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 33) WFLYSRV0010: Deployed "auth.jar" (runtime-name : "auth.jar")

Keycloak started with following extra settings

root@login:[~]: grep 'sun.java.command' $KEYCLOAK_STANDALONE/log/server.log
sun.java.command = /opt/keycloak/jboss-modules.jar -mp /opt/keycloak/modules org.jboss.as.standalone -Djboss.home.dir=/opt/keycloak -Djboss.server.base.dir=/opt/keycloak/standalone -b 127.0.0.1 -Dkeycloak.profile=preview -Dkeycloak.profile.feature.scripts=enabled

Problem

I can not see anything new in the admin console panel. I guess I should see something new when doing Create Authenticator Execution and see the new extension Check Authz Policy.

RememberMe isn't working

Hi, first, thank you for these great extensions; you saved us time.

The issue I found in "auth-identity-first-extension" is that remember me isn't working because it's in the "SelectUserAuthinticatorform" class.

It should be in the "PasswordAuthenticationForm" class, in validatePasswordForm:

String rememberMe = formData.getFirst("rememberMe");
boolean remember = rememberMe != null && rememberMe.equalsIgnoreCase("on");
if (remember) {
    context.getAuthenticationSession().setAuthNote(Details.REMEMBER_ME, "true");
    context.getEvent().detail(Details.REMEMBER_ME, "true");
} else {
    context.getAuthenticationSession().removeAuthNote(Details.REMEMBER_ME);
}

Problem on run project on Intellij

I followed the instructions to import the project into the IDE, but when I try to run it, I get a ClassNotFoundException.
It's from KeycloakServer.java:376 ResteasyDeployment deployment = new ResteasyDeployment();

Connected to the target VM, address: '127.0.0.1:54521', transport: 'socket'
OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
Starting KeycloakPlaygroundServer
../simple-theme/target/theme/
23:21:11,577 INFO main [org.keycloak.testsuite.KeycloakServer] Using jboss.server.data.dir /tmp/keycloak-server-4631126189321439181/data
Disconnected from the target VM, address: '127.0.0.1:54521', transport: 'socket'
Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/resteasy/spi/ResteasyDeployment
at org.keycloak.testsuite.KeycloakServer.start(KeycloakServer.java:376)
at org.keycloak.testsuite.KeycloakServer.bootstrapKeycloakServer(KeycloakServer.java:228)
at com.github.thomasdarimont.keycloak.server.KeycloakPlaygroundServer.main(KeycloakPlaygroundServer.java:19)
Caused by: java.lang.ClassNotFoundException: org.jboss.resteasy.spi.ResteasyDeployment
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
... 3 more

Process finished with exit code 1

Interesting issue regarding group required extension

Hi, after I set up my required group, it lets me log in without the group anyway. I am getting this warning:

WARN [org.keycloak.events] (default task-1163) type=LOGIN_ERROR, realmId=realmname, clientId=clientid, userId=null, ipAddress=localipadress, error=rejected_by_user, auth_method=saml, redirect_uri=realm/sso/auth/samlp, code_id=560cd383-5c91-497b-89e1-213516516, username=myusername, authSessionParentId=213213132-5c91-497b-89e1-4dfd11a0c332, authSessionTabId=1321321321

Please help. I am using this flow:
[image]

Thank you in advance. I am using 10.0.1 in standalone mode.

Hi I am having trouble installing auth-require-group extension

Hi, thank you for sharing this great collection of extensions. I am having a bit of trouble using the require group extension: the extension gets deployed but it doesn't appear in the Keycloak admin panel. Most likely I am missing something. I am using Keycloak 10.0.1 in standalone mode. I just packaged the files to a jar and uploaded it to /keycloak/standalone/deployments. Thank you in advance.
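A check that applies to this report and to the "How to build jar files" report above, as an added example that is not code from the repository or from either reporter: the server traces on this page show providers being loaded through java.util.ServiceLoader, which only finds factories named in a META-INF/services descriptor at the JAR root and present as compiled classes. A JAR packed straight from a source tree deploys without error and then exposes nothing. The package and class names and both sample JARs below are constructed for the demonstration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

/** Added example: checks whether a JAR has the layout ServiceLoader needs to find a provider. */
public class ProviderJarCheck {

    static final String SERVICES = "META-INF/services/";

    /** Returns findings; an empty list means classes and service descriptors line up. */
    static List<String> inspect(Path jarPath) throws IOException {
        List<String> findings = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath.toFile())) {
            Set<String> classes = new HashSet<>();
            List<JarEntry> descriptors = new ArrayList<>();
            int sources = 0;
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (name.endsWith(".class")) {
                    classes.add(name);
                } else if (name.endsWith(".java")) {
                    sources++;
                } else if (name.startsWith(SERVICES) && !entry.isDirectory()) {
                    descriptors.add(entry);
                }
            }
            if (classes.isEmpty()) {
                findings.add("no compiled .class files (" + sources + " .java source files)");
            }
            if (descriptors.isEmpty()) {
                findings.add("no descriptor under " + SERVICES + " at the JAR root");
            }
            // Every factory named in a descriptor must exist as a class inside the same JAR.
            for (JarEntry descriptor : descriptors) {
                for (String impl : readProviderNames(jar, descriptor)) {
                    if (!classes.contains(impl.replace('.', '/') + ".class")) {
                        findings.add(descriptor.getName() + " names " + impl + ", which is not in the JAR");
                    }
                }
            }
        }
        return findings;
    }

    /** Parses a service descriptor: one class name per line, '#' starts a comment. */
    static List<String> readProviderNames(JarFile jar, JarEntry descriptor) throws IOException {
        List<String> names = new ArrayList<>();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(jar.getInputStream(descriptor), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                int hash = line.indexOf('#');
                String name = (hash >= 0 ? line.substring(0, hash) : line).trim();
                if (!name.isEmpty()) {
                    names.add(name);
                }
            }
        }
        return names;
    }

    /** Builds a small constructed JAR from (entry name, content) pairs for the demo. */
    static Path buildSampleJar(String... nameContentPairs) throws IOException {
        Path jar = Files.createTempFile("provider-check-", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            for (int i = 0; i < nameContentPairs.length; i += 2) {
                out.putNextEntry(new JarEntry(nameContentPairs[i]));
                out.write(nameContentPairs[i + 1].getBytes(StandardCharsets.UTF_8));
                out.closeEntry();
            }
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) { // inspect real JARs given on the command line
            for (String arg : args) {
                System.out.println(arg + ": " + inspect(Paths.get(arg)));
            }
            return;
        }
        String spi = "org.keycloak.authentication.AuthenticatorFactory";
        // Constructed sample: a source tree packed as-is (package and class names are hypothetical).
        Path packedSources = buildSampleJar(
                "main/java/example/DemoAuthenticatorFactory.java", "package example;",
                "main/resources/" + SERVICES + spi, "example.DemoAuthenticatorFactory\n");
        // Constructed sample: layout of a compiled build (class bytes are a placeholder, never loaded).
        Path compiled = buildSampleJar(
                "example/DemoAuthenticatorFactory.class", "placeholder",
                SERVICES + spi, "example.DemoAuthenticatorFactory\n");
        System.out.println("packed sources: " + inspect(packedSources));
        System.out.println("compiled build: " + inspect(compiled));
        Files.delete(packedSources);
        Files.delete(compiled);
    }
}
```

Run it with `java ProviderJarCheck.java` for the constructed samples, or pass the path of a JAR from the deployments directory to inspect that file instead.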

Extend login with username cookie

I'd like to customize the login behavior to include a cookie in the response containing the user's name. Standard-ish "Remember me" kind of functionality. What's the most logical place to put this?

dynamic idp redirector with OTP

Hello,

I have added the dynamic idp redirector extension, which is very great, but unfortunately, it seems that when I use a "conditional prompt OTP form" after the dynamic idp redirector, the user is never prompted for OTP.
When I place the OTP before the idp, it works perfectly: the user is prompted for OTP and then redirected to their IDP.
Am I doing something wrong?
[image]

Auth-trust-device: NullPointerException during first device registration/authentication

After first time log in, authentication fails after submitting the password. This is probably caused by the entity object passed to SimpleTrustedDeviceManager.toModel, which could be null if TrustedDeviceRepository.lookupTrustedDevice can not find any device.

public TrustedDeviceEntity lookupTrustedDevice(String realmId, String userId, String deviceId) {

Stack Trace
Failed authentication: java.lang.NullPointerException
at com.github.thomasdarimont.keycloak.trustdevice.model.SimpleTrustedDeviceManager.toModel(SimpleTrustedDeviceManager.java:60)
at com.github.thomasdarimont.keycloak.trustdevice.model.SimpleTrustedDeviceManager.lookupTrustedDevice(SimpleTrustedDeviceManager.java:22)
at com.github.thomasdarimont.keycloak.trustdevice.auth.TrustedDeviceAuthenticator.lookupTrustedDevice(TrustedDeviceAuthenticator.java:53)
at com.github.thomasdarimont.keycloak.trustdevice.auth.TrustedDeviceCondition.matchCondition(TrustedDeviceCondition.java:24)
at org.keycloak.authentication.DefaultAuthenticationFlow.conditionalNotMatched(DefaultAuthenticationFlow.java:373)
at org.keycloak.authentication.DefaultAuthenticationFlow.lambda$isConditionalSubflowDisabled$5(DefaultAuthenticationFlow.java:349)
at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1632)
at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)
at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:528)
at org.keycloak.authentication.DefaultAuthenticationFlow.isConditionalSubflowDisabled(DefaultAuthenticationFlow.java:349)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:260)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:395)
at org.keycloak.authentication.DefaultAuthenticationFlow.continueAuthenticationAfterSuccessfulAction(DefaultAuthenticationFlow.java:196)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:172)
at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:990)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:321)
at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:292)
at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:276)
at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:349)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)

Use TravisCI to build and upload a JAR for each of these

It would be cool if TravisCI could be configured for this repository to build the JARs and upload them to the releases section.

I love your work and normally end up copying it over to a new repository, with travis configured to push up a JAR. It makes it easy for docker-compose examples to just fetch the JAR remotely.

NullPointerException using auth-require-role-extension

I installed and configured auth-require-role-extension to restrict logins against a SAML app but unfortunately it does not work.

The problem seems to be that the UserModel user is null therefore the NullPointerException.

I'm hitting the error even before the logging form is displayed (I don't type user nor password)

I am using Keycloak v9.0.0. Do you think it might be a bug of this specific version of Keycloak?

2020-04-01 15:05:25,236 WARN  [org.keycloak.services] (default task-15) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
	at com.github.thomasdarimont.keycloak.auth.requiregroup.RequireRoleAuthenticator.userHasRole(RequireRoleAuthenticator.java:49)
	at com.github.thomasdarimont.keycloak.auth.requiregroup.RequireRoleAuthenticator.authenticate(RequireRoleAuthenticator.java:31)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:496)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:306)
	at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:998)
	at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:860)
	at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:150)
	at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:582)
	at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:578)
	at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:370)
	at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:263)
	at org.keycloak.protocol.saml.SamlService$BindingProtocol.execute(SamlService.java:516)
	at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:591)
	at sun.reflect.GeneratedMethodAccessor758.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:91)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.lang.Thread.run(Thread.java:748)

2020-04-01 15:05:25,238 WARN  [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=test, clientId=https://10.80.64.43/mellon/metadata, userId=null, ipAddress=10.80.64.22, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://10.80.64.43/mellon/postResponse, code_id=e687718e-2552-4d6b-b88f-0b7e19415b67, authSessionParentId=e687718e-2552-4d6b-b88f-0b7e19415b67, authSessionTabId=nfB7ULaB4J4
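Both NullPointerException reports on this page (the auth-trust-device lookup that finds no device, and this role check that runs with no identified user) come down to a null reaching code that dereferences it inside an authentication decision. The sketch below is an added example, not the extensions' code: every type and method in it is a hypothetical stand-in, and the sample data is constructed. It shows the unchecked pattern next to a form that turns "nothing found" into an explicit "not trusted" or "denied" result.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Added example with stand-in types; records need Java 16 or later. */
public class NullSafeAuthChecks {

    // Hypothetical stand-ins, not Keycloak's or the project's classes.
    record DeviceEntity(String realmId, String userId, String deviceId, String deviceName) {}
    record DeviceModel(String deviceId, String deviceName) {}
    record User(String id, Set<String> roles) {}
    enum Outcome { SUCCESS, DENIED }

    /** In-memory repository; lookup returns null when no row matches. */
    static class DeviceRepository {
        private final Map<String, DeviceEntity> rows = new HashMap<>();

        void save(DeviceEntity e) {
            rows.put(String.join("|", e.realmId(), e.userId(), e.deviceId()), e);
        }

        DeviceEntity lookup(String realmId, String userId, String deviceId) {
            return rows.get(String.join("|", realmId, userId, deviceId));
        }
    }

    static DeviceModel toModel(DeviceEntity entity) {
        return new DeviceModel(entity.deviceId(), entity.deviceName());
    }

    /** Unchecked pattern: the lookup result is mapped without a null check. */
    static DeviceModel lookupUnchecked(DeviceRepository repo, String realm, String userId, String deviceId) {
        return toModel(repo.lookup(realm, userId, deviceId)); // throws for an unknown device
    }

    /** Checked form: an unknown device is an empty result, not an exception. */
    static Optional<DeviceModel> lookupChecked(DeviceRepository repo, String realm, String userId, String deviceId) {
        return Optional.ofNullable(repo.lookup(realm, userId, deviceId)).map(NullSafeAuthChecks::toModel);
    }

    /** Trust decision: a missing user, a missing device id or an unknown device all mean "not trusted". */
    static boolean isTrustedDevice(DeviceRepository repo, String realm, User user, String deviceId) {
        if (user == null || deviceId == null) {
            return false;
        }
        return lookupChecked(repo, realm, user.id(), deviceId).isPresent();
    }

    /** Role gate: when no user has been identified yet, deny explicitly instead of dereferencing null. */
    static Outcome requireRole(User user, String role) {
        if (user == null) {
            return Outcome.DENIED;
        }
        return user.roles().contains(role) ? Outcome.SUCCESS : Outcome.DENIED;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        DeviceRepository repo = new DeviceRepository();
        User alice = new User("alice-id", Set.of("app-user"));
        repo.save(new DeviceEntity("demo", "alice-id", "device-1", "Laptop"));

        try {
            lookupUnchecked(repo, "demo", "alice-id", "device-unknown");
        } catch (NullPointerException e) {
            System.out.println("unchecked lookup: NullPointerException for a first-time device");
        }
        System.out.println("known device trusted:     " + isTrustedDevice(repo, "demo", alice, "device-1"));
        System.out.println("unknown device trusted:   " + isTrustedDevice(repo, "demo", alice, "device-unknown"));
        System.out.println("no user, device trusted:  " + isTrustedDevice(repo, "demo", null, "device-1"));
        System.out.println("role present:             " + requireRole(alice, "app-user"));
        System.out.println("role missing:             " + requireRole(alice, "admin"));
        System.out.println("no user identified yet:   " + requireRole(null, "app-user"));
    }
}
```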

auth-trust-device show invalid username or password

I use auth-trust-device in Keycloak 20.0.2 and set the authentication flow the same as what is shown in the repo. I tested without adding the query parameter "&kc_action=register-trusted-device", and what happens is that after submitting username and password I get "invalid username or password".

[image]

This is the log:

[image]

install auth-trust-device extension fails

Hi,

I'm trying to test out the auth-trust-device extension and it always breaks my Keycloak server. I created the jar file auth-trust-device-1.0.0.0-SNAPSHOT.jar and copied it to /keycloak/standalone/deployment, and I get this error:

16:43:04,085 INFO [org.jboss.as.repository] (DeploymentScanner-threads - 2) WFLYDR0001: Content added at location /keycloak/standalone/data/content/ec/239f2ec1d9098df712980dc6c0ef1e31d6f134/content
16:43:04,139 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "auth-trust-device-1.0.0.0-SNAPSHOT.jar" (runtime-name: "auth-trust-device-1.0.0.0-SNAPSHOT.jar")
16:43:04,782 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a private module ("org.keycloak.keycloak-server-spi-private") which may be changed or removed in future versions without notice.
16:43:04,784 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a private module ("org.apache.httpcomponents") which may be changed or removed in future versions without notice.
16:43:04,788 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.
16:43:04,793 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a private module ("org.bouncycastle") which may be changed or removed in future versions without notice.
16:43:04,794 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a private module ("com.google.guava") which may be changed or removed in future versions without notice.
16:43:04,795 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a private module ("org.apache.commons.io") which may be changed or removed in future versions without notice.
16:43:04,797 WARN [org.jboss.as.dependency.deprecated] (MSC service thread 1-1) WFLYSRV0221: Deployment "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" is using a deprecated module ("javax.api") which may be removed in future versions without notice.
16:43:04,812 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: auth-trust-device-1.0.0.0-SNAPSHOT.jar
16:43:04,939 WARN [org.keycloak.services] (MSC service thread 1-2) KC-SERVICES0047: jpa-trusted-device-entity (com.github.thomasdarimont.keycloak.trustdevice.model.jpa.TrustedDeviceJpaEntityProviderFactory) is implementing the internal SPI jpa-entity-provider. This SPI is internal and may change without notice
16:43:05,010 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."auth-trust-device-1.0.0.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."auth-trust-device-1.0.0.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "auth-trust-device-1.0.0.0-SNAPSHOT.jar"
at [email protected]//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:189)
at [email protected]//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
at [email protected]//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
at [email protected]//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.util.ServiceConfigurationError: org.keycloak.authentication.RequiredActionFactory: Provider com.github.thomasdarimont.keycloak.trustdevice.actions.RegisterTrustedDeviceActionFactory could not be instantiated
at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:582)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:804)
at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:722)
at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1395)
at [email protected]//org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
at [email protected]//org.keycloak.provider.ProviderManager.load(ProviderManager.java:94)
at [email protected]//org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:294)
at [email protected]//org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:154)
at [email protected]//org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at [email protected]//org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:58)
at [email protected]//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:182)
... 8 more
Caused by: java.lang.NoClassDefFoundError: org/owasp/html/HtmlPolicyBuilder
at deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar//com.github.thomasdarimont.keycloak.trustdevice.actions.RegisterTrustedDeviceAction.(RegisterTrustedDeviceAction.java:34)
at deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar//com.github.thomasdarimont.keycloak.trustdevice.actions.RegisterTrustedDeviceActionFactory.(RegisterTrustedDeviceActionFactory.java:16)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:780)
... 17 more
Caused by: java.lang.ClassNotFoundException: org.owasp.html.HtmlPolicyBuilder from [Module "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
... 24 more

16:43:05,046 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "auth-trust-device-1.0.0.0-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit."auth-trust-device-1.0.0.0-SNAPSHOT.jar".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment "auth-trust-device-1.0.0.0-SNAPSHOT.jar"
Caused by: java.util.ServiceConfigurationError: org.keycloak.authentication.RequiredActionFactory: Provider com.github.thomasdarimont.keycloak.trustdevice.actions.RegisterTrustedDeviceActionFactory could not be instantiated
Caused by: java.lang.NoClassDefFoundError: org/owasp/html/HtmlPolicyBuilder
Caused by: java.lang.ClassNotFoundException: org.owasp.html.HtmlPolicyBuilder from [Module "deployment.auth-trust-device-1.0.0.0-SNAPSHOT.jar" from Service Module Loader]"}}
16:43:05,570 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "auth-trust-device-1.0.0.0-SNAPSHOT.jar" (runtime-name : "auth-trust-device-1.0.0.0-SNAPSHOT.jar")
16:43:05,573 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 2) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service jboss.deployment.unit."auth-trust-device-1.0.0.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "auth-trust-device-1.0.0.0-SNAPSHOT.jar"

Any idea what I'm doing wrong?
p.s. I'm new to Keycloak and maybe I'm doing something wrong. Any help would be welcome.

Thanks Ales

NullPointerException using auth-require-group-extension on KeyCloak 11.0.3

I followed all the steps in https://github.com/thomasdarimont/keycloak-extension-playground/tree/master/auth-require-group-extension, configured with a Copy of Browser.

But when I try to log in, I got the following error:

KeyCloak: 11.0.3 running in K8s

01:13:27,149 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-21) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector, null]
01:13:27,166 WARN  [org.keycloak.services] (default task-21) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
	at deployment.auth-require-group-extension.jar//com.github.thomasdarimont.keycloak.auth.requiregroup.RequireGroupAuthenticator.isMemberOfGroup(RequireGroupAuthenticator.java:47)
	at deployment.auth-require-group-extension.jar//com.github.thomasdarimont.keycloak.auth.requiregroup.RequireGroupAuthenticator.authenticate(RequireGroupAuthenticator.java:29)
	at [email protected]//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:443)
	at [email protected]//org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:252)
	at [email protected]//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:978)
	at [email protected]//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:840)
	at [email protected]//org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
	at [email protected]//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:481)
	at [email protected]//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:177)
	at [email protected]//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:116)
	at jdk.internal.reflect.GeneratedMethodAccessor722.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at [email protected]//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
	at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
	at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
	at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
	at [email protected]//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
	at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:395)
	at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:364)
	at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
	at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
	at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
	at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
	at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
	at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
	at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
	at [email protected]//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
	at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
	at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
	at [email protected]//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
	at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
	at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at [email protected]//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at [email protected]//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
	at [email protected]//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
	at [email protected]//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
	at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at [email protected]//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
	at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at [email protected]//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at [email protected]//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at [email protected]//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
	at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at [email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
	at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
	at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.base/java.lang.Thread.run(Thread.java:834)

Could not initialize class org.xnio.channels.Channels

I can successfully build and execute keycloak-extension-playground but when accessing http://localhost:8081/auth an exception is thrown.

I'm using Java 11.0.15. I've run mvn install on my Keycloak 18.0.0 project successfully and also the keycloak-admin-ui admin-theme with 18.0.0. This is Windows 10.

I've tried using Java 11.0.14 as there are mentions of 11.0.15 causing errors like this.

I can't see what I've missed in the instructions.

What could be causing this?

16:03:58,110 ERROR XNIO-1 task-1 [io.undertow.request] UT005071: Undertow request failed HttpServerExchange{ GET /auth}
java.io.IOError: java.io.FileNotFoundException: Invalid file path
	at org.xnio.channels.Channels$4.run(Channels.java:1103)
	at org.xnio.channels.Channels$4.run(Channels.java:1093)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at org.xnio.channels.Channels.<clinit>(Channels.java:1093)
	at io.undertow.servlet.spec.ServletOutputStreamImpl.close(ServletOutputStreamImpl.java:628)
	at io.undertow.servlet.spec.HttpServletResponseImpl.closeStreamAndWriter(HttpServletResponseImpl.java:498)
	at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:587)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:334)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.io.FileNotFoundException: Invalid file path
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:231)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:126)
	at org.xnio.channels.Channels$4.run(Channels.java:1098)
	... 23 more
16:03:59,355 ERROR XNIO-1 task-1 [io.undertow.request] UT005071: Undertow request failed HttpServerExchange{ GET /auth}
java.lang.NoClassDefFoundError: Could not initialize class org.xnio.channels.Channels
	at io.undertow.servlet.spec.ServletOutputStreamImpl.close(ServletOutputStreamImpl.java:628)
	at io.undertow.servlet.spec.HttpServletResponseImpl.closeStreamAndWriter(HttpServletResponseImpl.java:498)
	at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:587)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:334)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
	at java.base/java.lang.Thread.run(Thread.java:829)

use remember me cookie to start authentication

Thank you for all the extensions.
I'm currently using the dynamic idp redirector extension, which is great, but I would also like the email to be retrieved from the "remember me" cookie if it is set instead of the form.
Do I need to create my own extension or is that already implemented somewhere?

I have tried different things like the "script" execution in Keycloak. I can retrieve the email but I'm not sure what I have to do next to make the extension work. Set the user in the "context" by looking for users with this email?

Authentication flow could be either:

Username form
Dynamic IDP Redirector

OR

Remember me Cookie
Dynamic IDP Redirector

NullPointerException using auth-require-group-extension on Keycloak 11.0.2

I am running Keycloak 11.0.2 with the require-group-extension deployed. I am using the below authentication flow (started as a copy from the Browser Flow).
[Image: Keycloak Admin Console 3-17-2021 3-35-14 PM]

This flow is allowing users in even when they do not have the configured required group. The Keycloak logs show the following that appears to be at the root of the issue...

20:05:46,239 WARN  [org.keycloak.services] (default task-42) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at deployment.auth-require-group-extension-1.0.0.0-SNAPSHOT.jar//com.github.thomasdarimont.keycloak.auth.requiregroup.RequireGroupAuthenticator.isMemberOfGroup(RequireGroupAuthenticator.java:47)
at deployment.auth-require-group-extension-1.0.0.0-SNAPSHOT.jar//com.github.thomasdarimont.keycloak.auth.requiregroup.RequireGroupAuthenticator.authenticate(RequireGroupAuthenticator.java:29)
at [email protected]//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:443)
....

What am I missing or doing incorrectly please?

TIA!

otp backupcodes incompatible with 16.x


$ mvn compile
[INFO] Scanning for projects...
[INFO] 
[INFO] --------< com.github.thomasdarimont.keycloak:auth-backup-codes >--------
[INFO] Building auth-backup-codes 1.0.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The artifact org.apache.commons:commons-io:jar:1.3.2 has been relocated to commons-io:commons-io:jar:1.3.2: https://issues.sonatype.org/browse/MVNCENTRAL-244
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ auth-backup-codes ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 10 resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ auth-backup-codes ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 10 source files to keycloak-extension-playground/auth-backup-codes/target/classes
[INFO] -------------------------------------------------------------
[WARNING] COMPILATION WARNING : 
[INFO] -------------------------------------------------------------
[WARNING] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/BackupCodeGenerator.java: keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/BackupCodeGenerator.java uses or overrides a deprecated API.
[WARNING] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/BackupCodeGenerator.java: Recompile with -Xlint:deprecation for details.
[INFO] 2 warnings 
[INFO] -------------------------------------------------------------
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/action/GenerateBackupCodeAction.java:[158,25] incompatible types: java.util.List<java.lang.Object> cannot be converted to java.util.List<org.keycloak.credential.CredentialModel>
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/credentials/BackupCodeCredentialProviderFactory.java:[10,8] com.github.thomasdarimont.keycloak.backupcodes.credentials.BackupCodeCredentialProviderFactory is not abstract and does not override abstract method close() in org.keycloak.provider.ProviderFactory
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/credentials/BackupCodeCredentialProvider.java:[25,8] com.github.thomasdarimont.keycloak.backupcodes.credentials.BackupCodeCredentialProvider is not abstract and does not override abstract method close() in org.keycloak.provider.Provider
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/credentials/BackupCodeCredentialProvider.java:[55,25] incompatible types: java.util.List<java.lang.Object> cannot be converted to java.util.List<org.keycloak.credential.CredentialModel>
[INFO] 4 errors 
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.268 s
[INFO] Finished at: 2022-01-07T10:24:27-06:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project auth-backup-codes: Compilation failure: Compilation failure: 
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/action/GenerateBackupCodeAction.java:[158,25] incompatible types: java.util.List<java.lang.Object> cannot be converted to java.util.List<org.keycloak.credential.CredentialModel>
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/credentials/BackupCodeCredentialProviderFactory.java:[10,8] com.github.thomasdarimont.keycloak.backupcodes.credentials.BackupCodeCredentialProviderFactory is not abstract and does not override abstract method close() in org.keycloak.provider.ProviderFactory
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/credentials/BackupCodeCredentialProvider.java:[25,8] com.github.thomasdarimont.keycloak.backupcodes.credentials.BackupCodeCredentialProvider is not abstract and does not override abstract method close() in org.keycloak.provider.Provider
[ERROR] keycloak-extension-playground/auth-backup-codes/src/main/java/com/github/thomasdarimont/keycloak/backupcodes/credentials/BackupCodeCredentialProvider.java:[55,25] incompatible types: java.util.List<java.lang.Object> cannot be converted to java.util.List<org.keycloak.credential.CredentialModel>
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

FaceAuth configurations

I am trying to find the specific requirements or configurations for FaceAuth. However, I have been unsuccessful so far. I am sure that we need to bind a new Authentication Flow customized with FaceAuth configurations, as I saw it up and running in @thomasdarimont's tweet. I would appreciate it if you could provide a more detailed explanation for that.

Developing using IntelliJ (JetBrains)

Hey,
I am trying to develop plugins using IntelliJ (JetBrains). However, I cannot get it to properly parse all imports.
I've downloaded and compiled Keycloak successfully in a directory at the same level as 'keycloak-extension-playground'.
I tried adding this folder as an external library in my IDEA, which didn't work. Is there something else I have to do so that I can get it to properly find all the Keycloak classes?

Thank you

How to link to ForgotUsernameAuthenticator?

I'm assuming that you'd use the ForgotUsernameAuthenticator like the standard forgot password / reset credentials flow in Keycloak, but I don't see an example of its use. My question is how do you create a link and put it somewhere in a form, that would direct the user to that step in the flow? The /login-actions/... links seem to be Keycloak specific, and you can't add arbitrary links that go to a different execution in a flow. In any case, just wondering if you thought how this would be deployed in an authentication flow. Thanks!

Auth Require Role Extension not working with direct grant flow

Hello,
I'm trying to use your 'auth require role'-extension to add the require-role check to a direct-grant-flow.
When the user owns the required role, the flow returns the correct token.

But if the user doesn't own the required role, I'm getting a 500 from the token endpoint.
I would like to get a 401.

As far as I understand, the extension is meant to be used for browser-flows.
Can this be updated for usage with direct grant flow?

What would I need to put in the authenticate() method for the case where the role is missing?

@Override
public void authenticate(AuthenticationFlowContext context) {

    AuthenticatorConfigModel configModel = context.getAuthenticatorConfig();

    String roleName = configModel.getConfig().get(RequireRoleAuthenticatorFactory.ROLE);
    RealmModel realm = context.getRealm();
    UserModel user = context.getUser();

    if (userHasRole(realm, user, roleName)) {
        context.success();
        return;
    }

    LOG.debugf("Access denied because of missing role. realm=%s username=%s role=%s", realm.getName(), user.getUsername(), roleName);
    context.getEvent().user(user);
    context.getEvent().error(Errors.NOT_ALLOWED);
    
    // the following doesn't work for direct-grant-flow: it returns a 500
    context.forkWithErrorMessage(new FormMessage(Messages.NO_ACCESS));
}

Kind Regards,
Christian
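
Added example (not part of the original issue and not the extension's own code): Keycloak's built-in direct grant authenticators end a failed attempt with `context.failure(...)` and an explicit JSON response instead of a form message, and the sketch below applies that pattern to a role check that denies access whenever the configuration, role or user is missing. The class name, package, `ROLE_CONFIG_KEY`, the realm-role-only lookup and the `javax.ws.rs` namespace (older Keycloak releases) are assumptions.

```java
// Added example with hypothetical class and package names.
package example.auth.requirerole;

import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.OAuthErrorException;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;

public class DirectGrantRequireRoleAuthenticator implements Authenticator {

    // Assumed config key; the extension reads RequireRoleAuthenticatorFactory.ROLE instead.
    static final String ROLE_CONFIG_KEY = "role";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        RoleModel required = resolveRequiredRole(context);

        // Fail closed: a missing user, missing config or unknown role is a denial,
        // never an exception and never an implicit success.
        if (user != null && required != null && user.hasRole(required)) {
            context.success();
            return;
        }

        if (user != null) {
            context.getEvent().user(user);
        }
        context.getEvent().error(Errors.NOT_ALLOWED);

        // The token endpoint has no login form to render, so hand the flow a complete
        // OAuth2 error response. The description stays generic so the caller does not
        // learn which check rejected the request.
        Response denied = Response.status(Response.Status.UNAUTHORIZED)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(new OAuth2ErrorRepresentation(
                        OAuthErrorException.INVALID_GRANT, "Invalid user credentials"))
                .build();
        context.failure(AuthenticationFlowError.INVALID_USER, denied);
    }

    // Returns the configured realm role, or null if the execution has no usable config.
    // Simplification for this example: only realm roles are looked up.
    private RoleModel resolveRequiredRole(AuthenticationFlowContext context) {
        AuthenticatorConfigModel config = context.getAuthenticatorConfig();
        if (config == null || config.getConfig() == null) {
            return null;
        }
        String roleName = config.getConfig().get(ROLE_CONFIG_KEY);
        if (roleName == null || roleName.trim().isEmpty()) {
            return null;
        }
        return context.getRealm().getRole(roleName.trim());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Direct grant has no form post to handle.
    }

    @Override
    public boolean requiresUser() {
        return true; // must run after a step that has already set the user
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // nothing to set up
    }

    @Override
    public void close() {
        // no resources held
    }
}
```

The class still needs an `AuthenticatorFactory` registered under `META-INF/services` before it can be added as an execution in a copy of the direct grant flow.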

Advice on DynamicIdpRedirectAuthenticator config

I'm trying to set up your DynamicIdpRedirectAuthenticator as https://issues.redhat.com/browse/KEYCLOAK-1515 is not done yet.

My Authentication flow is the following:
image

Current problem is that it's not executed if it's an Alternative, only if Required. I've attached a break point and the constructor is called, but the authorize method is not. Can you give me some hints what I'm doing wrong?

I think it's related with this:

    /**
     * This method creates the list of authenticators that is presented to the user. For a required execution, this is
     * only the credentials associated to the authenticator, and for an alternative execution, this is all other alternative
     * executions in the flow, including the credentials.
     * <p>
     * In both cases, the credentials take precedence, with the order selected by the user (or his administrator).
     *
     * @param model The current execution model
     * @return an ordered list of the authentication selection options to present the user.
     */
    private List<AuthenticationSelectionOption> createAuthenticationSelectionList(AuthenticationExecutionModel model) {
        return AuthenticationSelectionResolver.createAuthenticationSelectionList(processor, model);
    }

so password takes precedence over DynamicIdpRedirectAuthenticator, but not 100% sure.

localhost:8081 inaccessible from Windows host machine via WSL2 (fixed)

I just want to share an issue that I encountered while tinkering on this project on WSL2.

Basically, after setting up the launch configuration for VS Code, debugging the KeycloakPlaygroundServer runs on the default http://localhost:8081. This is accessible via curl on WSL2, but not accessible from a browser running on the Windows host machine.

Since the KeycloakPlaygroundServer piggybacks on the KeycloakServer testsuite on Keycloak, editing the host from localhost to 0.0.0.0 should fix the issue here.

    public static class KeycloakServerConfig {
        private String host = "0.0.0.0"; // This should fix the issue with WSL2
        private int port = 8081;

Then recompile and reinstall Keycloak using Maven like so:

mvn clean install -DskipTests

Missing terms_accepted in user attributes

Steps to reproduce

SPI correctly built and deployed.
Registration flow configured and registration.ftl changed following the README.md.

I register a new user.

If I check the "Attributes" tab in the user detail I can't find the attribute terms_accepted.

This code runs without errors.

Other debug info

I have added two debug rows

Map<String,List<String>> Attributes = context.getUser().getAttributes();
LOG.debugf("\n\n\n\n\n Attributes after " + Attributes);

before and after the row

context.getUser().setSingleAttribute(TERMS_ACCEPTED_ATTRIBUTE, String.valueOf(System.currentTimeMillis()));

This way:

Map<String,List<String>> Attributes = context.getUser().getAttributes();
LOG.debugf("\n\n\n\n\n Attributes before " + Attributes);
context.getUser().setSingleAttribute(TERMS_ACCEPTED_ATTRIBUTE, String.valueOf(System.currentTimeMillis()));
Map<String,List<String>> Attributes2 = context.getUser().getAttributes();
LOG.debugf("\n\n\n\n\n Attributes after " + Attributes2);

I obtain in my log:

Attributes before {firstName=[David], lastName=[Lippi], acceptMarketing=[1], acceptTerms=[1], email=[[email protected]], username=[[email protected]]}                                           
Attributes after {terms_accepted=[1650562125788], firstName=[David], lastName=[Lippi], acceptMarketing=[1], acceptTerms=[1], email=[[email protected]], username=[[email protected]]} 

terms_accepted is present!

But in the admin area:

image

terms_accepted is missing

In the DB terms_accepted is missing...

What is wrong?

Customize access tokens in Keycloak

Dear team,

Can you please help me out with customizing access tokens in Keycloak ?

In my context, the Authorization Server needs to cryptographically generate a token based on the requested attributes, its private key and the public key of the introspection server. To be clear, it's not a signature, but a more complicated crypto mechanism. The result should be a bearer token. For this purpose, I would like to implement a back-end engine which is in charge of this computation.

Thank you,
Hoan

Template not found for name "text/code-email.ftl" in dynamic-email-code-auth-extension

Hello, thank you for your wonderful examples,

I am facing an issue while trying the dynamic-email-code-auth-extension.

keycloak_1 | Caused by: org.keycloak.email.EmailException: Failed to template plain text email.
keycloak_1 | at [email protected]//org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.processTemplate(FreeMarkerEmailTemplateProvider.java:221)
keycloak_1 | ... 84 more
keycloak_1 | Caused by: org.keycloak.theme.FreeMarkerException: Failed to process template text/code-email.ftl
keycloak_1 | at [email protected]//org.keycloak.theme.FreeMarkerUtil.processTemplate(FreeMarkerUtil.java:71)
keycloak_1 | at [email protected]//org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.processTemplate(FreeMarkerEmailTemplateProvider.java:219)
keycloak_1 | ... 84 more
keycloak_1 | Caused by: freemarker.template.TemplateNotFoundException: Template not found for name "text/code-email.ftl".
keycloak_1 | The name was interpreted by this TemplateLoader: org.keycloak.theme.FreeMarkerUtil$ThemeTemplateLoader@112de407.
keycloak_1 | at [email protected]//freemarker.template.Configuration.getTemplate(Configuration.java:2883)
keycloak_1 | at [email protected]//freemarker.template.Configuration.getTemplate(Configuration.java:2703)

I didn't understand what you mean by:

// Don't forget to add the welcome-email.ftl (html and text) template to your
// theme.
emailProvider.send("emailCodeSubject", subjectParams, "code-email.ftl", mailBodyAttributes);

Thank you.

auth-require-role-extension stopped working on Keycloak 18.0.2 (Quarkus)

First, thanks @thomasdarimont for this work, I have been using a few of your extensions for quite some time and they always worked great.


I upgraded my test Keycloak instance to v18.0.2 and realized the auth-require-role-extension stopped working. On 16.1.1, same code, same jar, same config, worked great.

This is the error I am getting on Keycloak 18 (Quarkus):

 2022-10-06 16:03:19,477 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector, null]
 2022-10-06 16:03:19,481 WARN  [org.keycloak.services] (executor-thread-0) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
         at com.github.thomasdarimont.keycloak.auth.requiregroup.RequireRoleAuthenticator.userHasRole(RequireRoleAuthenticator.java:51)
         at com.github.thomasdarimont.keycloak.auth.requiregroup.RequireRoleAuthenticator.authenticate(RequireRoleAuthenticator.java:33)
         at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:460)
         at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:264)
         at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1030)
         at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
         at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
         at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:338)
         at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:194)
         at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:112)
         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
         at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
         at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
         at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
         at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
         at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
         at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
         at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
         at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
         at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
         at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
         at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
         at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
         at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
         at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
         at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
         at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
         at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
         at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
         at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
         at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
         at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
         at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
         at java.base/java.lang.Thread.run(Thread.java:829)

And this is the extension configuration (the same one I used on Keycloak 16 and prior):

image

And the authentication flow I am using for testing, cloned from Browser (again, the same one that used to work on Keycloak 16 and prior):
image

I've also tried building the latest version of the code against 18.0.2 but it did not work either.

Any ideas how to fix this? Is someone else experiencing the same issue?

Thanks.

there is no Alternative option in Email code Form Execution.

Hello,
I'm working on a use case where I let the user choose between SMS-based and email-based OTP.
I created a flow containing three executions (username/pwd + sms authentication + email code form).

Is there a way to add an Alternative option to the requirement for the email code form execution? (See screenshot below.)

image

Thanks in advance.

auth-require-role-extension only checks for user roles

With the current implementation of auth-require-role-extension only those roles assigned to users are taken into account. If the user belongs to a group that has a role assigned, this role is not evaluated, therefore the extension denies user access.

I took a look at the code and I think this should be fairly simple to implement. I will submit a PR later today.
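
The gap described in this issue, shown as an added example that is not part of the original post or the extension's code: a direct-only role check next to one that also walks the user's groups. `Group`, `User` and both methods are hypothetical stand-ins rather than Keycloak's model classes, and the example assumes that roles mapped to a parent group also apply to its subgroups.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class EffectiveRoleCheck {
    // Hypothetical stand-ins for this example; not Keycloak's GroupModel/UserModel.
    record Group(String name, Set<String> roles, Group parent) {}
    record User(String username, Set<String> directRoles, List<Group> groups) {}

    // Behaviour described in the issue: only roles mapped directly to the user count.
    static boolean hasDirectRole(User user, String role) {
        return user.directRoles().contains(role);
    }

    // Group-aware check: direct roles plus roles of every group and its ancestors.
    static boolean hasEffectiveRole(User user, String role) {
        if (user == null || role == null) {
            return false; // fail closed on missing input
        }
        if (user.directRoles().contains(role)) {
            return true;
        }
        Set<Group> seen = new HashSet<>(); // skip ancestors shared by several groups
        Deque<Group> todo = new ArrayDeque<>(user.groups());
        while (!todo.isEmpty()) {
            Group g = todo.pop();
            if (!seen.add(g)) continue;
            if (g.roles().contains(role)) return true;
            if (g.parent() != null) todo.push(g.parent());
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: alice gets "app-access" only through a parent group.
        Group staff = new Group("staff", Set.of("app-access"), null);
        Group support = new Group("support", Set.of(), staff);
        User alice = new User("alice", Set.of("offline_access"), List.of(support));
        User bob = new User("bob", Set.of(), List.of());
        System.out.println("alice direct:    " + hasDirectRole(alice, "app-access"));
        System.out.println("alice effective: " + hasEffectiveRole(alice, "app-access"));
        System.out.println("bob effective:   " + hasEffectiveRole(bob, "app-access"));
    }
}
```

Both checks fail closed: a user without the role, directly or via any group, is denied.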

session.users().getUserById already NULL when onEvent is called after a DELETE request?

Hi,

I'm trying to build an extension that sends an email when a user deletes their own account or when the account is deleted by an admin. Your provisioning event listener example looks very helpful to achieve that.

However, I found that when retrieving the user with getUserById() in either the onEvent(AdminEvent) (in the case of an administrator deleting the account) or the onEvent(Event) handler (when a user deletes their own account) the user is already null:

// admin deletes user account:
public void onEvent(AdminEvent adminEvent, boolean b) {
        if (ResourceType.USER.equals(adminEvent.getResourceType()) &&
            OperationType.DELETE.equals(adminEvent.getOperationType())) {
            RealmModel realm = session.realms().getRealm(adminEvent.getRealmId());
            UserModel  user  = session.users().getUserById(adminEvent.getResourcePath()
                .substring("users/".length()), realm); // <---- NullPointerException
            (...)

// user deletes their account:
public void onEvent(Event event) {
        if (EventType.DELETE_ACCOUNT.equals(event.getType())) {
            logger.log(Logger.Level.INFO, "Delete user ID: " + event.getUserId());  // <---- this works

            RealmModel realm = this.realmProvider.getRealm(event.getRealmId());
            UserModel  user  = this.session.users().getUserById(event.getUserId(), realm);
            logger.log(Logger.Level.INFO, "Delete user with email: " + user.getEmail());  // <---- NullPointerException
            (...)

... so this won't work for the USER DELETE event.
I wonder if there's a way around this?

Any pointers welcome :)
Luthien
(using Keycloak v. 12.0.4)
