scim-for-keycloak's Issues

META-INF/scim-changelog.xml::scim-sdk-1.0::pascal knueppel was: 7:54900cba59debc2ce8fe7a3a8067e8b2 but is now: 8:fc78a5690c6c0f158148d1e19cdc6f22

I'm getting the following error

Aug 25 14:30:19 xstage keycloak-start[1279973]: 2022-08-25 14:30:19,485 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
Aug 25 14:30:19 xstage keycloak-start[1279973]: 2022-08-25 14:30:19,485 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: liquibase.exception.ValidationFailedException: Validation Failed:
Aug 25 14:30:19 xstage keycloak-start[1279973]:      1 change sets check sum
Aug 25 14:30:19 xstage keycloak-start[1279973]:           META-INF/scim-changelog.xml::scim-sdk-1.0::pascal knueppel was: 7:54900cba59debc2ce8fe7a3a8067e8b2 but is now: 8:fc78a5690c6c0f158148d1e19cdc6f22
Aug 25 14:30:19 xstage keycloak-start[1279973]: 2022-08-25 14:30:19,485 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Validation Failed:
Aug 25 14:30:19 xstage keycloak-start[1279973]:      1 change sets check sum
Aug 25 14:30:19 xstage keycloak-start[1279973]:           META-INF/scim-changelog.xml::scim-sdk-1.0::pascal knueppel was: 7:54900cba59debc2ce8fe7a3a8067e8b2 but is now: 8:fc78a5690c6c0f158148d1e19cdc6f22
Aug 25 14:30:19 xstage keycloak-start[1279973]: 2022-08-25 14:30:19,485 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

Not sure what to do. Where did I mess up?

Keycloak legacy distribution

I tried to get the extension working with keycloak:18.0.0-legacy (the jboss distribution). I couldn't get it to work because of some problems with liquibase (first because of liquibase.secureParsing and second because of some error when trying to read the liquibase migration files from the jar).

Is this something that should still be supported or is Quarkus the only supported distribution? If the legacy jboss distribution should still be supported I can provide logfiles and stacktraces for those errors.

SCIM API security

First, thanks for this great extension!
What I didn't grasp is what permissions are checked on the account that calls the SCIM endpoints. I created a client with a service account and that was immediately allowed to create, modify and delete all users/groups - I had no roles assigned to it.
Is that because it was a service account or could any user with basic login capabilities do that? That in combination with the default settings (SCIM On on every realm, no restriction on the client) would be pretty open door.

I then restricted the SCIM access to the specific client which was enforced, but I am a bit unsure about the general security esp. if someone creates a new realm. Can you enlighten me?

Theme files missing

Hi,

it seems that the latest tag misses the resource files for the scim admin theme. I have seen that you removed all these files in commit 731c0f6 and that the artifact you have pushed contains a "scim2" folder but I can't find anything like this in the repo. Did I miss something?

Thanks

Provide binaries for releases.

Hi,

is there a reason why you don't provide a packaged EAR of the library?

I could easily provide you some GitHub Action script which would at least build the latest master/develop branch. At the same time, I could tell you how to publish it to OSS Maven Central.

What do you think?

Cheers,

Simon

AAD Group Members not syncing

We have deleted the master release on 15-b-2 but found that the groups create and the group members do not come across from AAD (either creating or deleting the memberships). Are you able to provide any guidance here, or can you advise how we could diagnose?

Provide a local XSD file for liquibase schema

Currently, liquibase tries to resolve the schema from the db-changes XML file. In general it is OK that this is performed, but I believe for a security system like Keycloak, it is better to provide a local copy of the XSD schema instead of letting the component access a resource from the Internet.

You already got this problem reported in #40, but I believe it is more stable to have the version offline.

For example, liquibase changed some addresses as described here: liquibase/liquibase#2448 or liquibase/liquibase#1153.

To make your code independent from liquibase server setup, see the hint posted here:
liquibase/liquibase#1153 (comment)

Keycloak 15: Menu isn't there

I've built and deployed kc-14-b3 and installed the .ear file

There are logs that say that it's loading the module

Aug 02 21:26:41 xstage standalone.sh[337787]: 21:26:41,689 WARN  [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.s4yrny2n5d7yi9kv4vbhjwri55yc4dfr-scim-for-keycloak-kc-14-b3.ear.scim-for-keycloak-server.jar" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.

But still the menu isn't there

image

Might be a change that is required for keycloak 15 support?

Liquibase changelog fails to execute in kc-16-b3

20:32:02,350 FATAL [org.keycloak.services] (ServerService Thread Pool -- 61) Error during startup: java.lang.RuntimeException: Exception invoking method [listUnrunChangeSets] on object [liquibase.Liquibase@4cae178e], using arguments [null,(),false]
at [email protected]//org.keycloak.common.util.reflections.Reflections.invokeMethod(Reflections.java:386)
at [email protected]//org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.getLiquibaseUnrunChangeSets(LiquibaseJpaUpdaterProvider.java:288)
at [email protected]//org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.validateChangeSet(LiquibaseJpaUpdaterProvider.java:254)
at [email protected]//org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.validate(LiquibaseJpaUpdaterProvider.java:240)
at [email protected]//org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.migration(DefaultJpaConnectionProviderFactory.java:344)
at [email protected]//org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:212)
at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:753)
at [email protected]//org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:163)
at [email protected]//org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:88)
at [email protected]//org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:66)
at [email protected]//org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:316)
at [email protected]//org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:64)
at [email protected]//org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:40)
at [email protected]//org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:316)
at [email protected]//org.keycloak.services.DefaultKeycloakSession.realmLocalStorage(DefaultKeycloakSession.java:228)
at [email protected]//org.keycloak.models.cache.infinispan.RealmCacheSession.getRealmDelegate(RealmCacheSession.java:149)
at [email protected]//org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:411)
at [email protected]//org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
at [email protected]//org.keycloak.services.resources.KeycloakApplication$3.run(KeycloakApplication.java:195)
at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:239)
at [email protected]//org.keycloak.services.resources.KeycloakApplication.bootstrap(KeycloakApplication.java:172)
at [email protected]//org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136)
at [email protected]//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:239)
at [email protected]//org.keycloak.services.resources.KeycloakApplication.startup(KeycloakApplication.java:128)
at [email protected]//org.keycloak.provider.wildfly.WildflyPlatform.onStartup(WildflyPlatform.java:36)
at [email protected]//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:114)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.constructOutsideRequest(ConstructorInjectorImpl.java:225)
at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:209)
at [email protected]//org.jboss.resteasy.core.providerfactory.Utils.createProviderInstance(Utils.java:102)
at [email protected]//org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.createProviderInstance(ResteasyProviderFactoryImpl.java:1385)
at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.createApplication(ResteasyDeploymentImpl.java:418)
at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.initializeObjects(ResteasyDeploymentImpl.java:265)
at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.startInternal(ResteasyDeploymentImpl.java:137)
at [email protected]//org.jboss.resteasy.core.ResteasyDeploymentImpl.start(ResteasyDeploymentImpl.java:121)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:144)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:42)
at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.doIt(RunAsLifecycleInterceptor.java:70)
at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:76)
at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at [email protected]//io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:309)
at [email protected]//io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:145)
at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:588)
at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:601)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:106)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:87)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:829)
at [email protected]//org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: liquibase.exception.ChangeLogParseException: Error parsing line 5 column 133 of META-INF/scim-changelog.xml: schema_reference.4: Failed to read schema document 'src/main/resources/META-INF/dbchangelog-3.9.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not xsd:schema.
at org.liquibase//liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode(XMLChangeLogSAXParser.java:114)
at org.liquibase//liquibase.parser.core.xml.AbstractChangeLogParser.parse(AbstractChangeLogParser.java:17)
at org.liquibase//liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:229)
at org.liquibase//liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1183)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at [email protected]//org.keycloak.common.util.reflections.Reflections.invokeMethod(Reflections.java:380)
... 64 more
Caused by: org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 133; schema_reference.4: Failed to read schema document 'src/main/resources/META-INF/dbchangelog-3.9.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not xsd:schema.
at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
at java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.warning(ErrorHandlerWrapper.java:100)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:392)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:306)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.reportSchemaErr(XSDHandler.java:4257)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.reportSchemaWarning(XSDHandler.java:4248)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.getSchemaDocument1(XSDHandler.java:2542)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.getSchemaDocument(XSDHandler.java:2238)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.parseSchema(XSDHandler.java:588)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.loadSchema(XMLSchemaLoader.java:617)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.findSchemaGrammar(XMLSchemaValidator.java:2710)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2069)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:829)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:374)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl$NSContentDriver.scanRootElementHook(XMLNSDocumentScannerImpl.java:613)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3063)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:836)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:534)
at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:888)
at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1216)
at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:635)
at org.liquibase//liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode(XMLChangeLogSAXParser.java:106)
... 72 more
Caused by: java.io.FileNotFoundException: /src/main/resources/META-INF/dbchangelog-3.9.xsd (No such file or directory)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
at java.base/sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:86)
at java.base/sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:184)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:652)
at java.xml/com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:150)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaParsingConfig.parse(SchemaParsingConfig.java:593)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaParsingConfig.parse(SchemaParsingConfig.java:696)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaDOMParser.parse(SchemaDOMParser.java:530)
at java.xml/com.sun.org.apache.xerces.internal.impl.xs.traversers.XSDHandler.getSchemaDocument(XSDHandler.java:2226)
... 90 more

scim-for-keycloak-kc-18-b1 error: Cannot invoke "javax.persistence.EntityManagerFactory.createEntityManager(javax.persistence.SynchronizationType)" because "emf" is null

Hello,
I have keycloak version 18.0.2. I have installed the scim-for-keycloak-kc-18-b1 plugin per the instructions listed on https://github.com/Captain-P-Goldfish/scim-for-keycloak. (By the way, the readme says the artifact from scim-for-keycloak-server/target is an EAR file but in reality it is a jar file.)
When I try to start keycloak after installing the provider, I get an error and keycloak fails to start:

2022-08-17 17:58:35,994 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2022-08-17 17:58:35,994 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Cannot invoke "javax.persistence.EntityManagerFactory.createEntityManager(javax.persistence.SynchronizationType)" because "emf" is null

kc.sh show-config output is this:

Current Mode: development
Runtime Configuration:
kc.cache = local (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = mysql (PropertiesConfigSource[source=file:/Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/bin/./../conf/keycloak.conf])
kc.db-password = ******* (PropertiesConfigSource[source=file:/Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/bin/./../conf/keycloak.conf])
kc.db-url = jdbc:mysql://localhost:3306/annakeycloak (PropertiesConfigSource[source=file:/Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/bin/./../conf/keycloak.conf])
kc.db-username = root (PropertiesConfigSource[source=file:/Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/bin/./../conf/keycloak.conf])
kc.health-enabled = true (PropertiesConfigSource[source=file:/Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/bin/./../conf/keycloak.conf])
kc.home.dir = ./../ (SysPropConfigSource)
kc.http-enabled = false (PropertiesConfigSource[source=jar:file:///Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/lib/lib/main/org.keycloak.keycloak-quarkus-server-18.0.2.jar!/META-INF/keycloak.conf])
kc.http-relative-path = / (PersistedConfigSource)
kc.log-console-output = default (PropertiesConfigSource[source=jar:file:///Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/lib/lib/main/org.keycloak.keycloak-quarkus-server-18.0.2.jar!/META-INF/keycloak.conf])
kc.log-file = ./../data/log/keycloak.log (PropertiesConfigSource[source=jar:file:///Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/lib/lib/main/org.keycloak.keycloak-quarkus-server-18.0.2.jar!/META-INF/keycloak.conf])
kc.metrics-enabled = true (PropertiesConfigSource[source=file:/Users/annanicotera/Documents/Anna/tools/keycloak-18.0.2/bin/./../conf/keycloak.conf])
kc.profile = dev (PersistedConfigSource)
kc.provider.file.scim-for-keycloak-kc-18-b1.jar.last-modified = 1660782036013 (PersistedConfigSource)
kc.quarkus-properties-enabled = false (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.version = 18.0.2 (SysPropConfigSource)
Any ideas on how I can solve this problem? Thanks in advance.

Basic authentication for SCIM endpoints

Hi @Captain-P-Goldfish,
I have a stupid question (or I hope that can be stupid 😓 ), is there the possibility to call the SCIM's endpoint with basic authentication?

for example curl -XGET http://localhost:8080/auth/realms/test/scim/v2/Groups -u admin:password ?

It could be very useful

Thanks again

Patching email of type work via Azure provisioning not working.

Hi, when I try to patch a user's email via Azure's provisioning, I received the following error message:

Web Response: {"detail":"No target found for path-filter 'emails[type eq \"work\"].value'","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"scimType":"noTarget"}

When trying to perform the same request using Postman with the following body:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "emails[type eq \"work\"].value",
            "value": "[email protected]"
        }
    ]
}

I received the same error message as I did from Azure, as I mentioned earlier. However, when using the following operation, the patch worked as intended and the email address was updated.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "emails",
            "value": [{ "type": "work","value": "[email protected]", "primary": true }]
        }
    ]
}

I also found out that it was possible to patch a user's phoneNumber via an Operation similar to the email operation that failed.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "phoneNumbers[type eq \"work\"].value",
            "value": "+1 234 567 8915"
        }
    ]
}

How come that it's possible to patch and change the user's phoneNumber via Azure, but not the email field when performing similar operations? Is this behavior intended, or what could cause this error message?
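
RFC 7644 (section 3.5.2.3) requires a "replace" whose value filter matches no element of a multi-valued attribute to fail with HTTP 400 and scimType "noTarget", which is the error quoted in this issue. The sketch below is an added example, not code from scim-for-keycloak or its SCIM SDK: apply_replace and ScimError are hypothetical names, only plain attribute paths and the attr[sub eq "value"].subAttr form are handled, and the user record is constructed (whether the reported user lacked a "work" email is an assumption the page does not confirm).

```python
import copy
import re

# attr[filterAttr eq "literal"].subAttr  (the only filtered form handled here)
FILTERED_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


class ScimError(Exception):
    """Hypothetical error type carrying the RFC 7644 error fields."""

    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status = status
        self.scim_type = scim_type
        self.detail = detail


def apply_replace(resource, path, value):
    """Return a copy of `resource` with one PATCH 'replace' operation applied."""
    updated = copy.deepcopy(resource)
    match = FILTERED_PATH.match(path)
    if match is None:
        # Unfiltered path such as "emails": the whole attribute is replaced,
        # so it does not matter whether a matching element existed before.
        updated[path] = value
        return updated

    attr, filter_attr, wanted, sub_attr = match.groups()
    # 'type' is not case-exact in the core schema, so compare case-insensitively.
    targets = [
        element for element in updated.get(attr, [])
        if str(element.get(filter_attr, "")).lower() == wanted.lower()
    ]
    if not targets:
        # Filter selected nothing: RFC 7644 mandates 400 / noTarget.
        raise ScimError(400, "noTarget", f"No target found for path-filter '{path}'")
    for element in targets:
        element[sub_attr] = value
    return updated


# Constructed user (assumption): a "work" phone number exists, a "work" email does not.
SAMPLE_USER = {
    "userName": "jdoe",
    "emails": [{"type": "home", "value": "jdoe@home.example"}],
    "phoneNumbers": [{"type": "work", "value": "+1 234 567 0000"}],
}


def demo():
    """Run the three operations from the issue against the constructed user."""
    results = {}
    try:
        apply_replace(SAMPLE_USER, 'emails[type eq "work"].value', "jdoe@corp.example")
        results["filtered_email"] = "ok"
    except ScimError as err:
        results["filtered_email"] = (err.status, err.scim_type)

    whole = apply_replace(
        SAMPLE_USER, "emails",
        [{"type": "work", "value": "jdoe@corp.example", "primary": True}],
    )
    results["whole_emails"] = whole["emails"][0]["value"]

    phone = apply_replace(
        SAMPLE_USER, 'phoneNumbers[type eq "work"].value', "+1 234 567 8915"
    )
    results["filtered_phone"] = phone["phoneNumbers"][0]["value"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```
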

Azure AD group member patch add issue

Azure AD group membership from PATCH requests look like they are not being handled as the memberships are not updating in keycloak and the admin events aren't being added.

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#update-group-add-members

Here's a request from Azure AAD

[de.captaingoldfish.scim.sdk.keycloak.scim.ScimEndpoint] (default task-2) scim requestURL:
https://realm.domain.com/auth/realms/realm/scim/v2/Groups/b03edd26-a054-4e46-abf3-98b8fc177faa

[de.captaingoldfish.scim.sdk.keycloak.scim.ScimEndpoint] (default task-2) scim body:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","path":"members","value":[{"value":"132304dd-5616-4d48-845c-b0dec4c6658d"}]}]}

Issue with Azure AD

Hi,
I am trying to add an enterprise application in Azure AD. I have added the SCIM URL and secret token (access token) and clicked on test connection. It is showing an error. Attached a screenshot.
Using Keycloak version 13. Could you provide support on this?

azureAD

Version kc-11-b2 has problems with JPA

Found a bug in kc-11-b2. The SCIM tab doesn't open and shows an error. In the logs I found an error like "org.keycloak.models.ModelException: java.lang.IllegalArgumentException: Type specified for TypedQuery [de.captaingoldfish.scim.sdk.keycloak.entities.ScimServiceProviderEntity] is incompatible with query return type [class de.captaingoldfish.scim.sdk.keycloak.entities.ScimServiceProviderEntity]". After debugging the code I found out that it appears in de.captaingoldfish.scim.sdk.keycloak.services.ScimServiceProviderService on line 190. @Captain-P-Goldfish What should I do to fix it?

Does scim-for-keycloak raise keycloak events when it provisions a new user or updates group members etc?

Hello,

I'm not sure if this is the right place to ask this question, but I would like to ask: does scim-for-keycloak raise Keycloak events when it provisions a new user or updates group members? Is there some extra configuration which I am missing? I can see those activities in the logs but not any admin event. I am publishing all Keycloak admin events to a RabbitMQ queue and would like to be able to react to those events.
Thank you in advance for your answer :)

Scim add and remove member doesn't work

Hi @Captain-P-Goldfish thanks for your great work!

I've started to use your Keycloak plugin but I have an issue.
I created by KC's admin panel a group and I tried to add a user (created before by user scim endpoint) to the group.

But the user doesn't appear in group membership.

The URL called with PATCH is:
http://localhost:8080/auth/realms/myrealm/scim/v2/Groups/28bc3597-2046-40cc-ad4a-517049e303e4

This is my request body:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "members",
            "value": [
                {
                    "$ref": "http://localhost:8080/auth/realms/myrealm/scim/v2/Users/e0d3bf3b-f669-4eaf-a139-4b4b9b4df64b",
                    "value": "e0d3bf3b-f669-4eaf-a139-4b4b9b4df64b"
                }
            ]
        }
    ]
}

I receive the response:

{
    "id": "28bc3597-2046-40cc-ad4a-517049e303e4",
    "displayName": "Italy+Communications Italy",
    "members": [
        {
            "value": "c77bf49f-a026-49d5-bdf1-76da2ecc0163",
            "$ref": "http://localhost:8080/auth/realms/enel/scim/v2/Users/c77bf49f-a026-49d5-bdf1-76da2ecc0163",
            "type": "User"
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "meta": {
        "resourceType": "Group",
        "created": "2021-07-15T16:32:26.106Z",
        "lastModified": "2021-07-15T16:32:26.106Z",
        "location": "http://localhost:8080/auth/realms/enel/scim/v2/Groups/28bc3597-2046-40cc-ad4a-517049e303e4"
    }
}

Keycloak version is: 12.0.2

In the response you can notice that the user doesn't appear 😞

Azure AD not connecting to Keycloak SCIM endpoint

Hi there,

I could follow the guide on connecting Azure AD till the point where I had to test the connection between Azure AD and Keycloak.

The connection doesn't work for some reason.

I believe that there is an error in the following endpoint: https://<SERVER>/auth/realms/<REALM>/scim/v2
When I test the endpoint using Postman, I get this error
image

Azure error:

image

Background info:

Keycloak: Keycloak-X version 18.0.2
provider version: kc-18-b1

Two questions:

  • does the error have something to do with the provider?
  • what is the "Secret Token" in Azure Portal? Is it the access token that I get after authenticating against the client or is it the secret in clients -> -> credentials -> secret?
    image

Support for RFC7642 (user provisioning with Atlassian)

I recently got several requests asking for support of RFC7642 to provide push support to Atlassian products.
I have created this ticket to show that this is currently not supported.
I will try to add support as soon as possible. But this will still take some time and the support will be limited based on client-side authentication protocols.

In order to provide this feature I would also need to add support for authentication protocols on client side. Currently I am not aware of what is supported by keycloak on server side to achieve this.

Can you post only final ear file

Hi
I'm wondering if there is a way to only download ear files instead of building the whole process. It would be awesome to provide binaries. Thanks

Docker image

Hi!

We are using Keycloak in Kubernetes and therefore use the Keycloak Docker image and Helm chart.
Are there any plans on creating a Dockerfile that bundles Keycloak and scim-for-keycloak?

Thanks

update liquibase schema location to use https for services that cannot handle redirects when parsing schema

We are encountering a parse exception when trying to read scim-changelog.xml.
dbchangelog-3.9.xsd has been moved permanently but our config doesn't handle redirects.

Using the https:// URL instead of http:// would permanently solve the problem.

Below is the stack trace:

Error during startup: java.lang.RuntimeException: Exception invoking method [listUnrunChangeSets] on object [liquibase.Liquibase@1b4ec4ef], using arguments [null,(),false]

Caused by: liquibase.exception.ChangeLogParseException: Error parsing line 2 column 35 of META-INF/scim-changelog.xml: s4s-elt-character: Non-whitespace characters are not allowed in schema elements other than 'xs:appinfo' and 'xs:documentation'. Saw '301 Moved Permanently'.

Caused by: org.xml.sax.SAXParseException; systemId: http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.9.xsd; lineNumber: 2; columnNumber: 35; s4s-elt-character: Non-whitespace characters are not allowed in schema elements other than 'xs:appinfo' and 'xs:documentation'. Saw '301 Moved Permanently'.

Split package warnings on Keycloak startup when extension is installed

Thanks for the plugin! When I install it, it appears to function as intended, but I get warnings logged (see end of ticket).

It looks like your release binary is including the classes for Jackson and SLF4J in addition to the classes for the extension itself. Is this intentional and needed?

I'm trying to set up an automated using an embedded Keycloak server, and in that context the bundled Jackson results in a version conflict, as the Jackson you're bundling is older than the one used by the main application, resulting in a NoSuchMethodError.

java.lang.NoSuchMethodError: 'com.fasterxml.jackson.databind.node.ObjectNode com.fasterxml.jackson.databind.node.ObjectNode.withObject(java.lang.String)'

If possible, I think it would be desirable to stop bundling these classes in the release JAR.

I'm currently working with scim-for-keycloak-kc-18-b2 and Keycloak 20.0.2

2023-01-18 16:12:38,622 WARN  [io.quarkus.arc.deployment.SplitPackageProcessor] (build-34) Detected a split package usage which is considered a bad practice and should be avoided. Following packages were detected in multiple archives:
- "com.fasterxml.jackson.core.json" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.exc" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.jsonschema" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.slf4j.event" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.ext" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.util" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.function" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.deser.impl" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.ser.impl" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.deser.std" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.builder" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.annotation" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.arch" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.event" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.cfg" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.slf4j.spi" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.json.async" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.filter" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.jsonFormatVisitors" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.exc" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.reflect" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.module" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.tuple" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.time" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.deser" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.slf4j" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.text" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.slf4j.helpers" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.annotation" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.util" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.compare" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.json" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.ser" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.async" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.jsontype.impl" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.exception" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.mutable" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.jsontype" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.format" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.type" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.concurrent" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.node" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.stream" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.math" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.io" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.base" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.core.sym" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.introspect" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.text.translate" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.ser.std" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.type" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "com.fasterxml.jackson.databind.jdk14" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]
- "org.apache.commons.lang3.concurrent.locks" found in [/Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/keycloak-system-identity-all.jar, /Users/dcarr/repos/ge-scim/keycloak-app/build/keycloak/lib/../providers/scim-for-keycloak-kc-18-b2.jar]

Keycloak 19.0.1?

Just curious if there will be a release that works with 19.0.1 or if the existing 18.X will work with it.

Any support for pushing?

I'm trying to see if Keycloak plus your SCIM add-on can be used to provide user/group information to Atlassian Access.

Atlassian Access says that it works with SCIM providers but the documentation is only for a limited set of providers and, from what I can glean, it looks like all of those providers push to Atlassian Access, rather than AA syncing from Keycloak + SCIM.

https://confluence.atlassian.com/cloud/user-provisioning-959305316.html

Is that something I can achieve with the code you've written?

Thanks.

Assigning group to user

Hi,
Regarding adding members to a group: we can do it using a PATCH request, right? But it's not possible with PUT (updating the group) or POST (creating the group). Is there any reason for this? Also, can we add extra parameters to the create user request body?

feature request: custom attribute mapping

It would be nice with a way to customize the attribute mapping, so for example instead of

phoneNumbers: { "value" : "+4511279865", "type" : "mobile", "primary" : false }

it could be mapped to

mobile: "+4511279865"

Auth test error

Hello, with my team, we have configured the SCIM plugin with the AAD.
But we got an error when we test the connection (wiki step 4).

Our error is: "You are not authorized to access the 'LIST' endpoint on resource type 'users'"

When we disable the "Require Authentication" option of the endpoint to get users, we have another error like this:
{"detail":"sorry but an internal error has occurred.","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":500}

Could you help us, please?

Thanks for your implication.

Case (in)sensitive PATCH operations

Hi @Captain-P-Goldfish,
we started using scim-for-keycloak version 1.8.2 on keycloak version 9.0.
Everything worked fine until we started provisioning users over Azure SCIM, where we have an issue with case-sensitive PATCH operations defined in PatchOp.

When users are patched over Azure SCIM operations have a first letter upper case (Add, Replace, Remove),
and in the Azure documentation under "general guidelines" point six it's stated
"Don't require a case-sensitive match on structural elements in SCIM, in particular PATCH op operation values, as defined in section 3.5.2. AAD emits the values of op as Add, Replace, and Remove."

The case-sensitive check where the problem lies is in PatchHandler - handlePatchOp.

Is it possible to make it case insensitive in PatchOp in order to be compatible with Azure SCIM?
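The request in the issue above, as an added example (not code from scim-for-keycloak or its SDK): a PatchOp validator that folds the case of "op" before checking it, so the Add/Replace/Remove values AAD emits are accepted while unknown operations are still rejected. The function names, the case_sensitive switch and the sample request are assumptions constructed for illustration; the scimType codes are those of RFC 7644.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ALLOWED_OPS = ("add", "remove", "replace")


class PatchError(ValueError):
    """A rejected PatchOp request; corresponds to a SCIM HTTP 400 error."""

    def __init__(self, scim_type, detail):
        super().__init__(detail)
        self.scim_type = scim_type
        self.status = 400


def normalize_patch(body, case_sensitive=False):
    """Validate a PatchOp body and return its operations with lower-case op.

    case_sensitive=True reproduces the strict comparison the issue describes.
    """
    if not isinstance(body, dict) or PATCH_SCHEMA not in body.get("schemas", []):
        raise PatchError("invalidSyntax", "PatchOp schema URN missing")
    operations = body.get("Operations")
    if not isinstance(operations, list) or not operations:
        raise PatchError("invalidSyntax", "Operations must be a non-empty array")
    normalized = []
    for index, operation in enumerate(operations):
        raw_op = operation.get("op") if isinstance(operation, dict) else None
        if not isinstance(raw_op, str):
            raise PatchError("invalidSyntax", f"operation {index}: op must be a string")
        # Fold case first, then compare against the closed set of operations.
        op = raw_op if case_sensitive else raw_op.lower()
        if op not in ALLOWED_OPS:
            raise PatchError("invalidSyntax", f"operation {index}: unsupported op {raw_op!r}")
        path = operation.get("path")
        if op == "remove" and not path:
            # RFC 7644 section 3.5.2.2: remove without a path fails with noTarget.
            raise PatchError("noTarget", f"operation {index}: remove requires a path")
        if op != "remove" and "value" not in operation:
            raise PatchError("invalidValue", f"operation {index}: {op} requires a value")
        normalized.append({"op": op, "path": path, "value": operation.get("value")})
    return normalized


def error_type(body, **kwargs):
    """Return the scimType a request would be rejected with, or None if accepted."""
    try:
        normalize_patch(body, **kwargs)
    except PatchError as exc:
        return exc.scim_type
    return None


# Constructed sample in the capitalisation the issue attributes to AAD.
AAD_STYLE_REQUEST = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": "constructed-user-id-1"}]},
        {"op": "Replace", "path": "displayName", "value": "Constructed Group"},
        {"op": "Remove", "path": 'members[value eq "constructed-user-id-2"]'},
    ],
}

if __name__ == "__main__":
    print("strict:", error_type(AAD_STYLE_REQUEST, case_sensitive=True))
    print("case-insensitive:", [o["op"] for o in normalize_patch(AAD_STYLE_REQUEST)])
```
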

JVM Out Of Memory error

Hello,

We got an error after installing the plugin, and we don't know if it's the source plugin.

Have you ever encountered these errors?

Thanks for your reply.

PS : We have these errors on the Keycloak server.

BR,

Unauthenticated error while deleting all users in ScimClient (scim-for-keycloak-server)

Hello @Captain-P-Goldfish, facing issues related to ScimClient

ScimClient.java

  1. Base URLs are not updated as per the latest release.
  2. While executing the code, let's say for deleting all users, although a bearer token is provided, an unauthenticated 401 is returned as the response.

Following is the SCIM configuration for "test" realm:


Following is the response:

{
"detail": "not authenticated",
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:Error"
],
"status": 401,
"scimType": "unauthenticated"
}

Tried from ScimClient as well as Postman. Same error persists.


Kindly let me know if I am missing anything!

Syncing group members from AAD

First, thanks for this amazing job.
I am currently trying to sync users & groups from Azure AD but the group membership link is not captured. It seems that your code expects a member type to be set by the SCIM client to know if this is a group membership or a user membership. As far as I can see, this member type is not set by AAD.

As it seems that your extension supports syncing from AAD to Keycloak, would you know if this is a limitation of the code or if this requires a specific configuration on the AAD side?

Thanks a lot

Performance Problem

Hi
we have scim-for-keycloak running with AZURE and we currently have ~9.000 users in a realm. When the AZURE SCIM sends a request

https://keycloak.../auth/realms/REALM/scim/v2/Users?filter=userName+eq+%22AzureAD_Test-bdd952ba-be0b-47d4-b4c9-be5afee16d2d%22
(the user doesn't exist; it is sent to test functionality)
the request runs into a timeout.
I commented out the part in the userrequest, which adds the group-membership to the user object, and then I get a timely response.
In the realm there is no group.

Keycloak 19 - Issue with Theming when SCIM is enabled

Tried to enable SCIM functionality/theme in Keycloak 19 version and observed the following


Post applying SCIM theme and refresh the page


Clicking on "Go to the home page>> ", theme is reverted to Keycloak 18 version.


Note:
This is not a show-stopper/blocker, it is just about theme.

Support for Keycloak Quarkus, > 17.0.0

Hi,

Do you have any plans to support the new Keycloak Quarkus deployments, after version 17.0.0? From what I've been reading, there aren't that many changes other than the removal of Wildfly. And the deploy process is slightly different.

I'm playing around with Keycloak 18.0.0, and copied the scim-for-keycloak EAR file as a JAR file into the providers directory, but the scim theme wasn't loaded. I manually copied the scim theme into the themes directory, but the SCIM admin link is not present in the UI. If I try to manually hit /admin/master/console/#/realms/master/scim/service-provider/settings I get an HTTP 404 from /realms/master/scim/admin/serviceProviderConfig

I also tested with KC_HTTP_RELATIVE_PATH=/auth for backwards compatibility with the paths, but the same thing happened.

Any suggestions for me?

Thanks!

Configuration settings different in cluster environments

I recently noticed that a misconfiguration between two cluster nodes might occur in keycloak cluster environments. This occurs only under the following circumstances:

  1. You got at least two running keycloak nodes
  2. you change the configuration of node 1
  3. the configuration of node 2 will not be updated

This problem occurs because I missed storing the configuration settings within the Infinispan cache, and the updated configuration is not read from the database for each request. So a restart of node 2 would fix the problem.

It will take some time until this issue will be fixed.

SCIM-bulk create user

Hi,
I am calling the bulk users API for creating users. If a user already exists, the response comes back as 409, the next users are not created, and the response is returned up to that point. For example, I am sending 10 users in a bulk request and the 5th user already exists; the response is returned there and the request is not executed from the 6th record onwards. I am expecting that even if a 409 comes back, it should create the next users. Could you help me with this?
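The scenario in the issue above, modelled as an added example (not scim-for-keycloak code and not a statement about how the plugin behaves): a toy in-memory service provider that applies the "failOnErrors" rule of RFC 7644 section 3.7, where processing stops once the error count reaches the value sent by the client and continues past partial failures when the attribute is omitted. All function names, user names and the location format are constructed for illustration.

```python
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:BulkResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_bulk_request(user_names, fail_on_errors=None):
    """Build a BulkRequest that creates one user per name."""
    request = {
        "schemas": [BULK_REQUEST],
        "Operations": [
            {"method": "POST", "path": "/Users", "bulkId": f"user-{i}",
             "data": {"schemas": [USER], "userName": name}}
            for i, name in enumerate(user_names, start=1)
        ],
    }
    if fail_on_errors is not None:
        request["failOnErrors"] = fail_on_errors
    return request


def process_bulk(request, existing_user_names):
    """Toy service provider: create users in order, honouring failOnErrors."""
    known = set(existing_user_names)
    limit = request.get("failOnErrors")  # None means: keep going after errors
    errors = 0
    results = []
    for operation in request["Operations"]:
        name = operation["data"]["userName"]
        result = {"method": operation["method"], "bulkId": operation["bulkId"]}
        if name in known:
            errors += 1
            result["status"] = "409"
            result["response"] = {"schemas": [ERROR], "scimType": "uniqueness",
                                  "status": "409", "detail": f"{name} already exists"}
        else:
            known.add(name)
            result["status"] = "201"
            result["location"] = f"/Users/{name}"  # constructed location format
        results.append(result)
        if limit is not None and errors >= limit:
            break  # error budget exhausted: later operations are not attempted
    return {"schemas": [BULK_RESPONSE], "Operations": results}


def statuses(response):
    """Per-operation status codes, in request order."""
    return [operation["status"] for operation in response["Operations"]]


# Constructed data matching the issue: 10 users, the 5th already exists.
USERS = [f"constructed-user-{i}" for i in range(1, 11)]
EXISTING = ["constructed-user-5"]

if __name__ == "__main__":
    print(statuses(process_bulk(build_bulk_request(USERS, fail_on_errors=1), EXISTING)))
    print(statuses(process_bulk(build_bulk_request(USERS), EXISTING)))
```
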

Import/Export configuration of the SCIM provider

For deploying the SCIM connector in a real "production" environment, we would ideally need to rely on the export/import feature of Keycloak to support configuration as code.
It seems that the SCIM provider configuration is not handled by the default import/export mechanisms. Have you already looked at how this could be done?
My first thought is that it could be exposed as a "component" configuration which would save us from changing the export/import endpoints. Any idea?

Thanks,
Tristan
