[Hawkular-dev] Token errors with WebSockets and other backend calls

Juraci Paixão Kröhling jpkroehling at redhat.com
Tue Sep 22 06:42:49 EDT 2015


Team,

I prepared a workaround for this and performed a release of accounts 
with the fix.

I also sent PRs for all projects that are consuming Accounts, as per the 
"Component Dependencies" from our documentation[1].

Some components were using an old version of accounts, while others were 
two versions behind.

- For agent/command-gateway, this change is required to fix the 
127.0.0.1 vs. localhost issue (HAWKULAR-615).

- For most of the components, this change is optional and there's no 
harm in updating. This is valid for components that were on 1.0.12.Final.

- For components that were on very old versions (1.0.1, for instance), 
it might be wise to wait for the MS5 release before merging the PR. As 
far as I *remember*, there were no breaking changes on the API, but we 
have a release in a couple of days :-)

1 - www.hawkular.org/docs/dev/development.html#component-dependencies

- Juca.

On 09/17/2015 05:37 PM, Juraci Paixão Kröhling wrote:
> All,
>
> I've seen some problems lately that are hard to debug and may cause you
> to waste valuable time.
>
> In short, if you face "strange" issues related to authentication,
> especially when trying features that make use of WebSockets (i.e.: add
> deployment), make sure you are accessing the web UI via 127.0.0.1, and
> not localhost.
>
> In case you are interested in the details, keep reading.
>
> Upon login, Keycloak issues a token for the client, taking the auth
> server host into consideration (as the "issuer authority"). If you use
> localhost, then that's the hostname that Keycloak will use inside the
> token. This value is later used to validate the incoming token. Ideally,
> all the hostnames would be a match, and that's usually the case if you
> use the "-b" switch when starting Wildfly. But if you don't specify, we
> fall back to 127.0.0.1 [1], causing the "backend call" to be 127.0.0.1,
> while the "frontend call" came via localhost.
>
> I have a couple of ideas on how to solve this on our side, but until a
> fix is done, tested and merged, please use 127.0.0.1 on the UI.
>
> 1 - http://git.io/vnJfx
>
> - Juca.
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>
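
The issuer mismatch described in the quoted message, reproduced as an added example (not part of the original thread, and not Hawkular or Keycloak code). The realm URL layout, the port, the realm name "hawkular", the HMAC demo key and all function names are assumptions made for illustration; Keycloak signs tokens with the realm's own key.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

KEY = b"constructed-demo-key"  # constructed value, stands in for the realm key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def realm_url(host: str, port: int = 8080, realm: str = "hawkular") -> str:
    # Assumed URL layout for the issuer authority.
    return f"http://{host}:{port}/auth/realms/{realm}"

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(request_host: str, subject: str) -> str:
    """Auth server side: 'iss' is derived from the host the browser used."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": realm_url(request_host), "sub": subject}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def validate_token(token: str, bind_address: Optional[str]) -> Tuple[bool, str]:
    """Backend side: expected issuer comes from the bind address ("-b"),
    falling back to 127.0.0.1 when none was given."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
        return False, "bad signature"
    issuer = json.loads(_unb64(payload)).get("iss")
    expected = realm_url(bind_address or "127.0.0.1")
    if issuer != expected:  # exact string comparison, no DNS equivalence
        return False, f"issuer mismatch: token {issuer!r}, expected {expected!r}"
    return True, "ok"

if __name__ == "__main__":
    ui_token = issue_token("localhost", "jdoe")    # UI opened via localhost
    print(validate_token(ui_token, None))          # backend fell back to 127.0.0.1
    print(validate_token(ui_token, "localhost"))   # server started with -b localhost
    print(validate_token(issue_token("127.0.0.1", "jdoe"), None))
```

The signature is valid in all three cases; only the exact string comparison of the issuer fails, which is why the symptom looks like a "strange" authentication error rather than a bad token.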

