[keycloak-user] Can not logout from demo broker

Marko Strukelj mstrukel at redhat.com
Wed Nov 4 09:48:00 EST 2015


Can you confirm that you see the following lines in
your host-controller.log:

[Server:authentication-server-demosetup] 15:58:23,220 INFO
 [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72)
WFLYUT0021: Registered web context: /auth
[Server:authentication-server-demosetup] 15:58:23,267 INFO
 [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010:
Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")


What does the following url show: http://localhost:8180/auth

Infinispan in HA mode ensures there is a distributed cache layer in use. It
means there are not two local caches with possibly different states. That's
important if you use round-robin front end proxy without sticky sessions.
Otherwise you may see strange Admin UI behaviour.

On Wed, Nov 4, 2015 at 3:31 PM, Andrej P <ado.boj.83 at gmail.com> wrote:

> Again inside text are my answers.
>
>
>
> On Wed, Nov 4, 2015 at 2:49 PM, Marko Strukelj <mstrukel at redhat.com>
> wrote:
>
>> Your log.txt doesn't look right. Only a host controller is started - no
>> server running your idbt-ha profile is started at all.
>>
>> There should be entries in the log looking like:
>>
>> [Server:configuration-server-demosetup] 15:58:05,712 INFO
>>  [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
>> [Server:configuration-server-demosetup] 15:58:06,017 INFO
>>  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>> [Server:configuration-server-demosetup] 15:58:06,118 INFO  [org.jboss.as]
>> (MSC service thread 1-6) WFLYSRV0049: WildFly Full 9.0.1.Final (WildFly
>> Core 1.0.1.Final) starting
>>
> ...
>>
>    In log /opt/wildfly-9.0.1.Final/domain/log/host-controller.log are
> present your requested lines (log.txt was copied from command line)
>    2015-11-04 13:38:43,479 INFO  [org.jboss.as.host.controller]
> (Controller Boot Thread) WFLYHC0023: Starting server
> configuration-server-demosetup
>   2015-11-04 13:38:46,125 INFO  [org.jboss.as.host.controller] (Remoting
> "demosetup:MANAGEMENT" task-4) WFLYHC0021: Server
> [Server:configuration-server-demosetup] connected using    connection
> [Channel ID 656dd302 (inbound) of Remoting connection 1d425566 to /
> 127.0.0.1:50449]
>   2015-11-04 13:38:46,193 INFO  [org.jboss.as.host.controller] (Controller
> Boot Thread) WFLYHC0023: Starting server authentication-server-demosetup
> 2015-11-04 13:38:46,246 INFO  [org.jboss.as.host.controller]
> (server-registration-threads - 1) WFLYHC0020: Registering server
> configuration-server-demosetup
> 2015-11-04 13:38:53,794 INFO  [org.jboss.as.host.controller] (Remoting
> "demosetup:MANAGEMENT" task-8) WFLYHC0021: Server
> [Server:authentication-server-demosetup] connected using connection
> [Channel ID 3e8ad11c (inbound) of Remoting connection 67282c6a to /
> 127.0.0.1:52804]
> 2015-11-04 13:38:53,867 INFO  [org.jboss.as.host.controller]
> (server-registration-threads - 1) WFLYHC0020: Registering server
> authentication-server-demosetup
>
>>
>>
>> There must be a problem with your host.xml file. You should have a server
>> definition there referring to one of your server groups, for example:
>>
>> <servers>
>>         <server name="configuration-server-demosetup" group="group-authentication"/>
>>         ...
>> </servers>
>>
>    I attached host-idbt.xml now and from my point of view it looks fine.
>
>
>>
>> Also, in domain-idbt.xml your Infinispan cache is configured to be local.
>> For distributed setup you should be using distributed Infinispan cache:
>>
>>               <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
>>                     <transport lock-timeout="60000"/>
>>                     <invalidation-cache name="realms" mode="SYNC"/>
>>                     <invalidation-cache name="users" mode="SYNC"/>
>>                     <distributed-cache name="sessions" mode="SYNC" owners="1"/>
>>                     <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
>>               </cache-container>
>>
>    In previous attached domain-idbt.xml I configured Infinispan cache
> like local not distributed, is it conflict, have to be in HA mode?
>
>
>
>>
>>
>>
>> On Wed, Nov 4, 2015 at 2:20 PM, Andrej P <ado.boj.83 at gmail.com> wrote:
>>
>>> Hi Marko,
>>>
>>> thanks for your hints, I went through but still w/o positive result.
>>> I will write my comments inside your hints.
>>> I attached 2 files:
>>>   domain-idbt.xml - with added sections for keycloak
>>>   log.txt - log after start wildfly in command line
>>>
>>> Br,
>>> Andrej.
>>>
>>> On Tue, Nov 3, 2015 at 4:24 PM, Marko Strukelj <mstrukel at redhat.com>
>>> wrote:
>>>
>>>> From your descriptions of the problem it sounds like your server-one
>>>> which binds to port 8080 doesn't have keycloak-server configured at all -
>>>> it's using a server group, that uses a different profile than the one you
>>>> configured.
>>>>
>>>     Our group/server/profile setup looks like:
>>>
>>>   GROUP           SERVER                           PROFILE
>>>   configuration   configuration-server-demosetup   idbt-ha
>>>   authentication  authentication-server-demosetup  idbt-ha
>>>
>>>
>>>>
>>>> There are four profiles in the default domain.xml - default, ha, full,
>>>> and full-ha
>>>>
>>>     In our domain-idbt.xml are only 2 profiles: idbt-ha and
>>> idbt-security and I modified Infinispan for idbt-ha (but ha is only in
>>> name not used inside configuration)
>>>
>>>>
>>>> If you want your multiple Keycloak instances to run in high
>>>> availability mode, using a shared Infinispan cache, and a shared database,
>>>> then that's the most complex of all configurations - you have to setup a
>>>> standalone database, use "full-ha" profile to configure the datasource with
>>>> proper database connection url, and configure the distributed Infinispan
>>>> cache. Also add <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
>>>> declaration.
>>>>
>>>
>>>     I created Keycloak_DS, which was before missing.
>>>     I add : extension; infinispan and subsystem section for Keycloak
>>> inside my domain-idbt.xml (I attached finally modified domain-idbt.xml) Pls
>>> you can check it inside.
>>>
>>>>
>>>>
>>>> In server-groups section define a new group or reuse existing one, and
>>>> set its profile to "full-ha", and use "full-ha-sockets" binding group.
>>>> In host.xml make sure that server definitions have the proper group set.
>>>>
>>>> Then you also have to copy some configurations.
>>>>
>>>> Assuming you have two servers defined in host.xml - called server-one,
>>>> and server-two, create a directory:
>>>>
>>>> $WILDFLY_HOME/domain/servers/server-one/configuration
>>>> $WILDFLY_HOME/domain/servers/server-two/configuration
>>>>
>>>> Then copy the following configurations from standalone/configuration:
>>>>
>>>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json $WILDFLY_HOME/domain/servers/server-one/configuration/
>>>> cp -r $WILDFLY_HOME/standalone/configuration/themes $WILDFLY_HOME/domain/servers/server-one/configuration/
>>>> cp -r $WILDFLY_HOME/standalone/configuration/providers $WILDFLY_HOME/domain/servers/server-one/configuration/
>>>>
>>>> cp $WILDFLY_HOME/standalone/configuration/keycloak-server.json $WILDFLY_HOME/domain/servers/server-two/configuration/
>>>> cp -r $WILDFLY_HOME/standalone/configuration/themes $WILDFLY_HOME/domain/servers/server-two/configuration/
>>>> cp -r $WILDFLY_HOME/standalone/configuration/providers $WILDFLY_HOME/domain/servers/server-two/configuration/
>>>>
>>>
>>>   Done all creation and copying steps.
>>>
>>>
>>>
>>>
>>>
>>
>
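
Added example, not part of the original thread and not Keycloak or WildFly project code: a small checker that reads a domain configuration and reports, per profile, whether the "keycloak" cache container matches the clustered layout quoted in the thread (a transport element, invalidation caches for realms and users, distributed caches for sessions and loginFailures). The function names, the sample XML and the namespace version in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Cache types taken from the clustered configuration quoted in the thread.
EXPECTED = {"realms": "invalidation-cache", "users": "invalidation-cache",
            "sessions": "distributed-cache", "loginFailures": "distributed-cache"}

# Constructed sample (namespace version is a placeholder): caches left local.
SAMPLE_LOCAL = """<profile name="idbt-ha">
 <subsystem xmlns="urn:jboss:domain:infinispan:3.0">
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
   <local-cache name="realms"/><local-cache name="users"/>
   <local-cache name="sessions"/><local-cache name="loginFailures"/>
  </cache-container>
 </subsystem>
</profile>"""

# Constructed sample using the clustered layout quoted in the thread.
SAMPLE_HA = """<profile name="idbt-ha">
 <subsystem xmlns="urn:jboss:domain:infinispan:3.0">
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
   <transport lock-timeout="60000"/>
   <invalidation-cache name="realms" mode="SYNC"/>
   <invalidation-cache name="users" mode="SYNC"/>
   <distributed-cache name="sessions" mode="SYNC" owners="1"/>
   <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
  </cache-container>
 </subsystem>
</profile>"""

def local(tag):
    """Strip the XML namespace so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]

def check_keycloak_caches(xml_text):
    """Return findings for every profile's 'keycloak' cache container."""
    findings = []
    root = ET.fromstring(xml_text)
    for prof in (e for e in root.iter() if local(e.tag) == "profile"):
        for cc in (e for e in prof.iter() if local(e.tag) == "cache-container"
                   and e.get("name") == "keycloak"):
            kinds = {c.get("name"): local(c.tag) for c in cc if c.get("name")}
            if not any(local(c.tag) == "transport" for c in cc):
                findings.append(f"{prof.get('name')}: no <transport> element")
            for name, want in EXPECTED.items():
                got = kinds.get(name, "missing")
                if got != want:
                    findings.append(f"{prof.get('name')}: {name} is {got}, expected {want}")
    return findings
```

Pass the text of the domain configuration file to check_keycloak_caches(); an empty list means every profile that defines the container uses the clustered layout.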