[keycloak-dev] min-time-between-jwks-requests Problems when running tests

Stian Thorgersen sthorger at redhat.com
Tue Mar 7 02:54:23 EST 2017


Of course - didn't consider that it's a "refresh the list request" and not
a fetch a "specific key request".

On 6 March 2017 at 16:11, Marek Posolda <mposolda at redhat.com> wrote:

> On 06/03/17 15:38, Stian Thorgersen wrote:
>
> I'm not 100% sure, but thinking that there are cases where it could cause
> issues. For example if a service gets bad requests from a client, say every
> 5 seconds, it won't be able to fetch new proper keys. I'm probably
> overthinking this though.
>
> It should be able to download new proper keys in this particular scenario
> though. The adapter will just download proper keys when it sees an unknown KID.
>
> So the scenario will be like:
> - Bad request to the adapter with the kid "bad-kid" .
> - Adapter will try to download new keys because it doesn't know "bad-kid"
> kid. It will download "good-kid" key
> - Adapter saves the key for "good-kid" and then it rejects the request
> from "bad-kid" client
> - Proper request coming to the adapter with "good-kid" will immediately
> see the "good-kid" key as it was already downloaded thanks to bad client :)
> - Another request from "bad-kid" coming after 5 seconds will be rejected
> due to 10 seconds interval.
> - Yet another bad request in additional 5 seconds will try to download
> keys again and request to the server will be sent then and it will
> re-download "good-kid". However, one request per 10 seconds shouldn't be
> sufficient to simulate DoS.
>
> Good clients aren't blocked anyhow and at the same time, there is no DoS
> from bad clients.
>
> Marek
>
>
>
> On 6 March 2017 at 15:27, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Will it be useful for other scenarios besides automated tests? I am not
>> seeing why someone would re-import a realm every 10 seconds in a real
>> environment?
>>
>> Even the tests can be easily fixed by putting the keys into JSON reps. And
>> once we fix the adapter tests to not require realm re-import after every
>> method, even that won't be needed.
>>
>> Marek
>>
>>
>> On 06/03/17 13:07, Stian Thorgersen wrote:
>>
>> Is this maybe something we should improve in the adapter in the first
>> place? A blind "only allow one request every 10 seconds" seems a bit too
>> forceful. Would it not be better to allow X number of failed attempts
>> within some window?
>>
>> On 2 March 2017 at 12:26, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> On 02/03/17 10:08, Marek Posolda wrote:
>>> > On 02/03/17 00:29, Bill Burke wrote:
>>> >> Ok, I just spent 1.5 days on debugging a problem and I was ready to
>>> >> throw my Laptop out of the window I was getting so frustrated.
>>> >>
>>> >> #1 I copied code from the arquillian adapter tests to deploy my own
>>> >> servlet.  When running in IntelliJ, all logging messages by the servlet
>>> >> and OIDC adapters were eaten and never displayed.
>>> > Keycloak logging is disabled in
>>> > testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
>>> > AFAIK it's disabled just because running the whole testsuite produces
>>> > very big logs, which caused issues with Travis.
>>> >
>>> > I hope it's possible to fix that and have Keycloak logging enabled when
>>> > running from IDE, but still keep it disabled when running from command
>>> > line with "mvn" command. Will try to look into it. Created :
>>> > https://issues.jboss.org/browse/KEYCLOAK-4520
>>> Fixed now. Logging for both server and adapters is enabled now when
>>> running test from IDE.
>>>
>>> Marek
>>> >
>>> >> #2 If you have a @Deployment it deploys it in @BeforeClass and only once
>>> >> for all tests run in the class
>>> >>
>>> >> #3 I recreate/destroy my realms for every test
>>> >>
>>> >> #4 The default "min-time-between-jwks-requests" is 10 seconds... Because
>>> >> my servlet doesn't get redeployed per test, the 1st test would set up
>>> >> the cache for the realm key for the servlet.  The 2nd test would run,
>>> >> because the realms were recreated, there is a different key, but the
>>> >> min-time-between-jwks-requests was 10 seconds so it wasn't updating the
>>> >> key and my logins would fail.  This was extremely frustrating to debug
>>> >> because of #1 and because it only happened if I was running all tests in
>>> >> the class.
>>> >>
>>> >> The workaround is to set "min-time-between-jwks-requests" to zero in
>>> >> your adapter configuration.  This is an FYI just in case somebody else
>>> >> runs into this.  Took me a while to figure out.
>>> > Another possibility is to put private/public keys into your realm JSON.
>>> > Then there are always the same keys and the same "kid" and the application
>>> > doesn't need to re-download them.
>>> >
>>> > FYI. with my latest changes, there is no realm reimport for every test
>>> > for most of the tests (see other thread I sent yesterday). But
>>> > unfortunately this is not yet the case for Adapter tests (subclasses of
>>> > AbstractAdapterTest)...
>>> >
>>> > Marek
>>> >> _______________________________________________
>>> >> keycloak-dev mailing list
>>> >> keycloak-dev at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> >
>>>
>>>
>>>
>>
>>
>>
>
>
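The key-cache behaviour Marek walks through above (an unknown kid triggers a refresh of the whole key list, at most once per min-time-between-jwks-requests) and the realm re-import failure Bill describes, as an added Python model written for this thread; it is not Keycloak's own adapter code, and the kids, key values and timestamps are constructed.

```python
# Added model of the adapter-side key cache discussed in this thread; NOT
# Keycloak's own adapter code. Keys, kids and timestamps below are constructed.

class JwksKeyLocator:
    """Caches public keys by kid; an unknown kid triggers a refresh of the
    whole key list, at most once per `min_time_between_requests` seconds."""

    def __init__(self, fetch_jwks, min_time_between_requests=10):
        self._fetch = fetch_jwks                 # returns {kid: public_key}
        self._min_interval = min_time_between_requests
        self._keys = {}
        self._last_request = None                # None: never fetched yet
        self.request_count = 0                   # how many JWKS downloads happened

    def get_key(self, kid, now):
        """Return the key for `kid`, or None if it is unknown and a refresh
        is not allowed yet. `now` is injected so the timeline is explicit."""
        if kid in self._keys:
            return self._keys[kid]
        recently = (self._last_request is not None
                    and now - self._last_request < self._min_interval)
        if recently:
            return None                          # rejected without hitting the server
        self._last_request = now
        self.request_count += 1
        self._keys = dict(self._fetch())         # "refresh the list", not one key
        return self._keys.get(kid)


def replay_thread_scenario():
    """Marek's timeline: the server only ever has "good-kid"; a bad client
    presents "bad-kid" every 5 seconds. Returns (label, accepted, downloads)."""
    server_keys = {"good-kid": "constructed-public-key"}
    locator = JwksKeyLocator(lambda: server_keys, min_time_between_requests=10)
    timeline = [("t=0 bad-kid", "bad-kid", 0), ("t=1 good-kid", "good-kid", 1),
                ("t=5 bad-kid", "bad-kid", 5), ("t=10 bad-kid", "bad-kid", 10)]
    return [(label, locator.get_key(kid, t) is not None, locator.request_count)
            for label, kid, t in timeline]


def replay_realm_reimport(min_interval):
    """Bill's case: the realm is recreated between two tests 3 seconds apart,
    so the signing key rotates inside the window. Returns (test1_ok, test2_ok)."""
    server_keys = {"kid-test1": "constructed-key-1"}
    locator = JwksKeyLocator(lambda: server_keys, min_interval)
    test1_ok = locator.get_key("kid-test1", 0) is not None
    server_keys.clear()
    server_keys["kid-test2"] = "constructed-key-2"  # realm reimported, new key
    test2_ok = locator.get_key("kid-test2", 3) is not None
    return test1_ok, test2_ok
```

With the default interval the second test's legitimate token is rejected, which is the failure Bill debugged; with the interval set to zero (his workaround) both tests pass, and in Marek's scenario the bad client only ever causes one download per interval while good-kid is served from cache.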

