
jgrodziski / keycloak-clojure

147.0 6.0 29.0 11.56 MB

A Clojure library helping the integration of Keycloak with a Clojure Application + a sample SPA Client and API Server demonstrating the Keycloak integration

Home Page: https://cljdoc.org/d/keycloak-clojure/keycloak-clojure

License: MIT License

Clojure 97.22% Shell 2.68% Dockerfile 0.10%
clojure keycloak authentication authorization yada re-frame security iam realm keycloak-clojure

keycloak-clojure's People

Contributors: aarkoub, benalbrecht, borkdude, claire2222, cmiles74, emilaasa, jgrodziski, tillaert, tlingard


keycloak-clojure's Issues

Broken links in README.md

Hi,

There are broken links in README.md.

-https://cljdoc.org/d/keycloak-clojure/keycloak-clojure/CURRENT/doc/securing-your-applications-backend
+https://cljdoc.org/d/keycloak-clojure/keycloak-clojure/CURRENT/doc/securing-your-application-s-backend
-https://cljdoc.org/d/keycloak-clojure/keycloak-clojure/CURRENT/doc/securing-your-applications-frontend
+https://cljdoc.org/d/keycloak-clojure/keycloak-clojure/CURRENT/doc/securing-your-applications-s-frontend

Thank you for sharing this awesome library 😃

keycloak.admin/regenerate-secret fails

In release 1.23.16:

The function keycloak.admin/regenerate-secret fails with:

Exception: java.lang.IllegalArgumentException: No matching field found: getClientId for class keycloak.admin$client
 at clojure.lang.Reflector.getInstanceField (Reflector.java:397)
    ...
    keycloak.admin$regenerate_secret.invokeStatic (admin.clj:425)
    keycloak.admin$regenerate_secret.invoke (admin.clj:422)
    keycloak.admin$create_client_BANG_.invokeStatic (admin.clj:438)
    keycloak.admin$create_client_BANG_.invoke (admin.clj:428)
    keycloak.admin$create_or_update_client_BANG_.invokeStatic (admin.clj:464)
    keycloak.admin$create_or_update_client_BANG_.invoke (admin.clj:458)
    braveno.auth.keycloak.management.client$add_client.invokeStatic (client.clj:36)
...

It seems that there is a typo: keycloak.admin/client is a function, not a Java Object.

Send-Verification-Mail: Route existent?

Hello,

short question, can't find it in the docs. Is there a function to send a verification mail? This is the route: https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_sendverifyemail

Could be very useful, since, as far as I know, one can only send verification mails with an explicit redirect uri via the API. I don't like this, because now I need to do the request on my own, but it seems to be the only option. (I want to redirect the user to a "success" page when she has registered and verified her mail.)

Thanks!

Question: server side login with redirect?

Hey! Great library 😃 , I wasn't aware of keycloak and it seems to be a good fit for my use case so I'm currently evaluating it. I was wondering if there are some pointers on how to get server-side auth with redirects working? Ideally I'd like to have some routes protected with the cookie/session set by Keycloak, and redirect to the login page if those are missing, without having to load the entire client-side library just for that redirect; however I wasn't sure if the library exposes this (couldn't find a "redirect-to-login" or something like it in the docs), or if it's even worth the trouble? Right now I'm using buddy-auth with http-kit, but not entirely set on that if yada would make these things easier

`search-users` has hardcoded min/max search boundaries

The function keycloak.user/search-user has the first and max results hardcoded to 0 and 10. It's a little problematic in our use case, where a preexisting login is simply a 2-character login and is present in too many login strings.
Unfortunately limiting the search won't help, since we are importing roles from our old OAuth provider and keycloak.user/get-user-realm-roles doesn't provide an API to refine the search.
Of course there is a workaround, but it involves duplicating a lot of code in the ku namespace; it would be nice to be able to parameterize the search results using bindings (an optional & opts map won't work since it will break the existing user-id API, which has a simple and a long form).

Any suggestions are welcome.

Split into smaller libraries?

Hi Jérémie, nice work!

I am looking into integrating Keycloak service-to-service and user login into an app, so I found this. But the number of dependencies scares me, and I would prefer to use my existing web library over Yada. I think it would help adoption if you split it into multiple libraries, or a library + an example, with minimal dependencies. F.ex. a core, a library for just service-to-service auth, a Yada-based library/example for the auth backend... I assume most applications will use but not create users, roles, etc. (Not sure if excluding that would limit the dependencies of the app, though.) I find it strange to see talltale in production code, as it seems to be primarily a test-time library... And perhaps cheshire could be made optional, allowing the user to provide their own edn<>json transformation (based on the libraries/versions they already use)...

Just some ideas :-)

Retry mechanism with exponential backoff

Timeouts often arise when a lot of requests are sent to Keycloak; a retry mechanism is therefore needed to avoid errors that interrupt the whole process.
Such behavior is particularly needed when applying a reconciliation plan (which applies the imperative actions to move Keycloak from its existing state to a desired state), so that the reconciliation can be played safely and regularly in a "fire and forget" mode.
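A retry-with-backoff helper of the kind this issue asks for, written here as an added example; it is not code from keycloak-clojure, and the option names, the thresholds and the `:status` key in `ex-data` are assumptions. The important defensive detail is that only transient failures (I/O errors, 429, 5xx) are retried: a 4xx from Keycloak means bad input or a missing permission and would fail identically on every attempt, so retrying it only adds load.

```clojure
(ns example.retry
  "Added example (not keycloak-clojure's own code): retry a Keycloak admin call
   with exponential backoff and jitter. Option names and defaults are assumptions.")

(defn backoff-ms
  "Delay before retry number n (0-based): base-ms * 2^n, capped at max-ms, plus
   uniform jitter so many clients replaying a plan do not retry in lockstep."
  [{:keys [base-ms max-ms jitter-ms] :or {base-ms 200 max-ms 10000 jitter-ms 100}} n]
  (+ (min max-ms (* base-ms (bit-shift-left 1 n)))
     (rand-int (inc jitter-ms))))

(defn retryable?
  "True for transient failures only. java.io.IOException covers connection and
   read timeouts; an ex-info carrying an HTTP :status is retried for 429 and 5xx.
   Everything else (4xx, programming errors) is re-thrown unchanged."
  [^Throwable t]
  (or (instance? java.io.IOException t)
      (when-let [status (:status (ex-data t))]
        (or (= 429 status) (>= status 500)))))

(defn with-retry
  "Call (f) and retry transient failures up to max-retries times.
   sleep-fn is injectable so the logic can be exercised without real waits."
  [{:keys [max-retries sleep-fn] :or {max-retries 5 sleep-fn #(Thread/sleep (long %))} :as opts} f]
  (loop [attempt 0]
    (let [result (try {:ok (f)}
                      (catch Throwable t {:error t}))]
      (if (contains? result :ok)
        (:ok result)
        (let [t (:error result)]
          (if (and (retryable? t) (< attempt max-retries))
            (do (sleep-fn (backoff-ms opts attempt))
                (recur (inc attempt)))
            (throw t)))))))

(comment
  ;; Constructed sample: the first two calls time out, the third succeeds.
  (let [calls (atom 0)
        flaky (fn []
                (if (< (swap! calls inc) 3)
                  (throw (java.net.SocketTimeoutException. "read timed out"))
                  :created))]
    (with-retry {:max-retries 5 :sleep-fn (fn [_])} flaky))

  ;; A 403 is not retried: the same call would be refused again.
  (with-retry {:max-retries 5 :sleep-fn (fn [_])}
    #(throw (ex-info "forbidden" {:status 403}))))
```

To wrap a real admin call, pass it as the thunk, e.g. `(with-retry {} #(create-user! kc realm user))`; the cap on delay and on retry count keeps a reconciliation run bounded even when Keycloak stays unreachable.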

Refactor the keycloak.deployment/extract to include all the properties from JsonWebToken and IDToken

Many thanks for creating this library! I'm enjoying learning it.

In my web application I have user entered data which I'd like to link back to the relevant user in Keycloak and my first instinct would be to use the Keycloak User ID / Subject as the reference. The middleware functions in keycloak-clojure verify a user's access token and extract values from it to return to the web application, but the extracted values don't include the User ID.

Is this intentional because I shouldn't be referencing the User ID in my application? In which case, is it best practice to reference the Username instead? Or should I be querying Keycloak again for the User ID?

Otherwise, is there scope to add an :id field (or :user-id or :subject?) to the extracted data in the extract function in keycloak.deployment, for example:

(defn extract
  ...
  ^keycloak.deployment.ClojureAccessToken [^org.keycloak.representations.AccessToken access-token]
  (map->ClojureAccessToken {:username              (.getPreferredUsername access-token)
                            :id                    (.getSubject access-token)  ; <- new value
...

Many thanks for your help!

An example or sample on how to integrate it would be very helpful

Hi,

I'm quite new to Clojure. I found this library recently and I'm having difficulty understanding how to integrate it with the existing Clojure system. I initially tried using a method similar to what you have done in the sample, but I ran into multiple issues, one after another.

An example of how to integrate the library with an existing system, or some sample code, would do wonders for beginners like us. I've read the documentation multiple times but I am having issues understanding it properly. Perhaps it's a "me" problem. But any help or guidance would be highly appreciated.

Thank You.

User update or delete applied to the wrong user

The keycloak.user/user-id function has a very bad behavior:
Retrieving the user-id from a user implies using the search-user feature of the Keycloak REST API and taking the first result, but the API does a wildcard search, and sometimes another user can be retrieved if the username shares a substring with another username. Now the user-id is returned only if an exact match is made with one or all of the input attributes.
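The exact-match filter described in this issue, as an added example that is not keycloak-clojure's own code: the search results are modelled as plain maps with `:id`, `:username` and `:email` (constructed sample data), and `search-fn`, `exact-match?` and the ambiguity rule are assumptions of this example. Besides keeping only exact matches, it refuses to act when more than one user matches, since an update or delete on an ambiguous result is exactly how the wrong account gets modified.

```clojure
(ns example.exact-user
  "Added example (not keycloak-clojure's own code). The Keycloak admin user
   search matches substrings, so the first result is not necessarily the user
   that was asked for. Function names here are assumptions.")

(defn exact-match?
  "True only when every attribute in query equals the user's attribute.
   username and email are compared case-insensitively; other keys exactly."
  [query user]
  (every? (fn [[k v]]
            (let [actual (get user k)]
              (if (#{:username :email} k)
                (and (string? actual)
                     (= (.toLowerCase ^String v) (.toLowerCase ^String actual)))
                (= v actual))))
          query))

(defn user-id
  "Return the :id of the single user matching every attribute in query, or nil
   when there is none. Throws on more than one exact match rather than picking
   one, so callers never update or delete an account they did not intend to."
  [search-fn query]
  (let [matches (filter (partial exact-match? query) (search-fn query))]
    (case (count matches)
      0 nil
      1 (:id (first matches))
      (throw (ex-info "ambiguous user search" {:query query :count (count matches)})))))

;; Constructed sample of what a substring search for username "bo" can return:
;; "bob" and "jumbo" match as substrings, but only "bo" is the user asked for.
(def sample-results
  [{:id "1111-aaaa" :username "bob"   :email "bob@example.org"}
   {:id "2222-bbbb" :username "bo"    :email "bo@example.org"}
   {:id "3333-cccc" :username "jumbo" :email "jumbo@example.org"}])

(defn sample-search
  "Stands in for a call to the admin search endpoint; ignores the query and
   returns the constructed results above."
  [_query]
  sample-results)

(comment
  (user-id sample-search {:username "bo"})
  (user-id sample-search {:username "b"})
  (user-id sample-search {:username "bo" :email "bob@example.org"}))
```

In the `comment` block the first call yields the id of "bo" alone, the second yields nil because no username is exactly "b", and the third yields nil because the email does not belong to "bo". With the Java admin client, a `search-fn` can be built from `(.search (.users (.realm kc realm-name)) username first-result max-results)` by mapping each `UserRepresentation` to a map via `.getId`, `.getUsername` and `.getEmail`.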

Cannot update password for user

Hey this is a great library and it's been working very well so far. However I can't update users' password.
I am not using the admin client in the master realm. I am using a newly created realm and client, and I have assigned all the user management permissions to the client.
I tried to call user/update-user! and passed email, firstname, lastname and password to see how it works; everything updated except for the password. But my actual intention is to update the password. Do you have any idea? Thanks

keycloak-client throws exception from 1.16.1 and up

Hi,

when upgrading to 1.16.1 or higher, instantiating a client results in the following error:

Execution error (NoClassDefFoundError) at keycloak.deployment/keycloak-client (deployment.clj:71).
clojure/tools/logging/impl/LoggerFactory

The code is taken straight from the documentation and works up to and including 1.16.0.

(def kc-client
  (-> (client-conf {:auth-server-url auth-url
                    :realm realm
                    :client-id "admin-cli"})
      (keycloak-client backend-admin-id backend-admin-secret)))

Reconciliation behavior with starter init functions

As the number of users and groups increases, the time it takes to sync a Keycloak realm instance increases as well.

A new "reconciliation" behavior would detect the necessary changes (addition, update, deletion) for high-count entities such as users, user<->role mappings and groups. The user expresses a "desired state" and the function computes the necessary steps to move the current state of Keycloak to the desired state.

A "reconciliation plan" is an intermediary structure that describes the steps that should then be applied through imperative invocations to move the current state to the desired one.

Options:

  • A dry-run option already exists and the starter would only print the "reconciliation plan".
  • An option to keep the deletion steps (:apply-deletions?, defaulting to false) is added, so as not to remove entities that were added manually through the console, for instance
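The plan-then-apply split described above, as an added example that is not keycloak-clojure's own code; the `plan` and `apply-plan!` functions, the option names and the map-of-users representation are assumptions of this example, and the two states are constructed sample data. The point it makes concrete is the `:apply-deletions?` default: a run that computes deletions but does not execute them can be scheduled unattended, because the worst outcome of a wrong desired state is a missing update, not a deleted account.

```clojure
(ns example.reconcile
  "Added example (not keycloak-clojure's own code): compute and apply a
   reconciliation plan between a desired and a current set of users.")

(defn plan
  "Diff desired against current (both maps keyed by username) into
   :add / :update / :delete steps. Deletions are planned only when
   :apply-deletions? is true, so entities created by hand in the console
   survive a regular 'fire and forget' run by default."
  [{:keys [apply-deletions?] :or {apply-deletions? false}} desired current]
  (let [desired-names (set (keys desired))
        current-names (set (keys current))
        changed?      (fn [n] (not= (get desired n) (get current n)))]
    {:add    (vec (sort (remove current-names desired-names)))
     :update (vec (sort (filter changed? (filter current-names desired-names))))
     :delete (if apply-deletions?
               (vec (sort (remove desired-names current-names)))
               [])}))

(defn apply-plan!
  "Execute a plan with the supplied side-effecting functions, or only print it
   when :dry-run? is set. Additions and updates run before deletions, so the
   desired accounts are in place even if a later delete fails."
  [{:keys [dry-run? create! update! delete!] :or {dry-run? false}} plan desired]
  (if dry-run?
    (do (prn plan) plan)
    (do (doseq [n (:add plan)]    (create! (get desired n)))
        (doseq [n (:update plan)] (update! (get desired n)))
        (doseq [n (:delete plan)] (delete! n))
        plan)))

;; Constructed sample states keyed by username: bob's email changed, carol is
;; new, and dave exists only in Keycloak (e.g. created through the console).
(def desired
  {"alice" {:username "alice" :email "alice@example.org" :roles #{"admin"}}
   "bob"   {:username "bob"   :email "bob@example.org"   :roles #{"user"}}
   "carol" {:username "carol" :email "carol@example.org" :roles #{"user"}}})

(def current
  {"alice" {:username "alice" :email "alice@example.org"     :roles #{"admin"}}
   "bob"   {:username "bob"   :email "bob@old.example.org" :roles #{"user"}}
   "dave"  {:username "dave"  :email "dave@example.org"      :roles #{"user"}}})

(comment
  ;; Default: dave is left alone.
  (plan {} desired current)
  ;; Opt-in deletions: dave is scheduled for removal.
  (plan {:apply-deletions? true} desired current)
  ;; Dry run prints the plan and performs nothing.
  (apply-plan! {:dry-run? true} (plan {} desired current) desired))
```

Because `plan` is a pure function of two maps, it can be unit-tested and logged before anything touches Keycloak; `create!`, `update!` and `delete!` are the only places that call the admin API, and they can be wrapped in whatever retry policy the deployment uses.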

Any way to extend the authentication SPI?

Hi. I'm building a login page separately instead of using Keycloak's. I want to make use of Keycloak's OTP feature (Google Authenticator), but its OTP setup and verification are only available when using its out-of-the-box login page. There is also no developer API for getting the OTP QR code for the user to set up. So I think I need to extend (or customize?) the authentication SPI to make such an API for my custom login page to call. Is extending the authentication SPI supported? Or is there any workaround you can think of to resolve my problem? Thanks

Key rotation

Hi,

Does it support key rotation?

Looking at 'keycloak.clj' file on the sample directory, it appears to have a static key ID.

Thanks,
Bruno

Add realm roles to group

add a function add-realm-roles-to-group! in keycloak.admin ns and the function to list the roles.

Debug Level Logs in 1.16.5

Hi,

it seems that debug level prints are enabled in 1.16.5 across the board. Just letting you know. :)

Kind Regards

Alex

Responses are not closed.

Several create calls create response objects, which are not closed. This depletes resources, which causes the calls to block.

Better documentation

keycloak-clojure needs better documentation about its integration in the Clojure ecosystem.

The doc should clearly separate the Keycloak concepts and the different interactions: administration of a realm, and authentication and authorization checking with "common" Clojure libraries both on the front end and the server side (ring, yada, re-frame, reagent, etc.)

jackson core dependency missing with a specific setup

When having the following structure:

project.clj

:dependencies [[org.clojure/clojure "1.11.1"]
               [io.pedestal/pedestal.service "0.5.10"]
               [io.pedestal/pedestal.jetty "0.5.10"]
               [keycloak-clojure "1.27.0"]
               [org.clojure/data.json "0.2.6"]
               [org.clojure/java.jdbc "0.7.12"]
               [mysql/mysql-connector-java "8.0.29"]
               [com.outpace/config "0.13.5"]
               [org.slf4j/slf4j-simple "1.7.28"]]

and following keycloak-clojure usage:

ports.keycloak.core.clj

(def keycloak-deployment (kc-deploy/deployment (kc-deploy/client-conf "http://localhost:8090"
                                                                      "myrealm"
                                                                      "my-client")))

I have a compilation error as such:

{:clojure.main/message
 "Execution error (ClassNotFoundException) at java.net.URLClassLoader/findClass (URLClassLoader.java:382).\ncom.fasterxml.jackson.core.util.JacksonFeature\n",
 :clojure.main/triage
 {:clojure.error/class java.lang.ClassNotFoundException,
  :clojure.error/line 382,
  :clojure.error/cause
  "com.fasterxml.jackson.core.util.JacksonFeature",
  :clojure.error/symbol java.net.URLClassLoader/findClass,
  :clojure.error/source "URLClassLoader.java",
  :clojure.error/phase :execution},
 :clojure.main/trace
 {:via
  [{:type clojure.lang.Compiler$CompilerException,
    :message "Syntax error macroexpanding at (core.clj:16:26).",
    :data
    {:clojure.error/phase :execution,
     :clojure.error/line 16,
     :clojure.error/column 26,
     :clojure.error/source "core.clj"},
    :at [clojure.lang.Compiler$InvokeExpr eval "Compiler.java" 3719]}
   {:type clojure.lang.ExceptionInfo,
    :message "Failed to build the keycloak app client",
    :data
    {:credentials {:secret nil},
     :verify-token-audience true,
     :auth-server-url "http://localhost:8090",
     :policy-enforcer {},
     :realm "bakery-keycloak",
     :use-resource-role-mappings true,
     :resource "my-backend",
     :ssl-required "external",
     :confidential-port 0},
    :at
    [keycloak.deployment$deployment invokeStatic "deployment.clj" 23]}
   {:type java.lang.NoClassDefFoundError,
    :message "com/fasterxml/jackson/core/util/JacksonFeature",
    :at
    [com.fasterxml.jackson.databind.ObjectMapper
     <init>
     "ObjectMapper.java"
     655]}
   {:type java.lang.ClassNotFoundException,
    :message "com.fasterxml.jackson.core.util.JacksonFeature",
    :at
    [java.net.URLClassLoader findClass "URLClassLoader.java" 382]}],
  :trace
  [[java.net.URLClassLoader findClass "URLClassLoader.java" 382]

I have found a workaround: add jackson-core to the deps:

[com.fasterxml.jackson.core/jackson-core "2.13.2"]
