[keycloak-user] Can not logout from demo broker

Marko Strukelj mstrukel at redhat.com
Thu Nov 5 17:26:28 EST 2015 

@Andrej, try to use the following instructions to set up Keycloak in domain
mode. These instructions work for me, so if you follow them precisely they
should also work for you.

This setup approach assumes that you may want to deploy your secured
applications into the same server(s) running Keycloak server.

Download keycloak-demo-1.6.1.Final.zip from
http://keycloak.jboss.org/keycloak/downloads.

unzip ~/Downloads/keycloak-demo-1.6.1.Final.zip

cd keycloak-demo-1.6.1.Final/keycloak


Open for edit: domain/configuration/domain.xml

Add to <extensions> section:

    <extension module="org.keycloak.keycloak-server-subsystem"/>
    <extension module="org.keycloak.keycloak-adapter-subsystem"/>

The second one is for securing your deployed .wars with Keycloak server.


Scroll down to <profile name="full-ha">

Add to <subsystem xmlns="urn:jboss:domain:datasources:3.0"> section:

                    <datasource
jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
enabled="true" use-java-context="true">

<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                        <driver>h2</driver>
                        <security>
                            <user-name>sa</user-name>
                            <password>sa</password>
                        </security>
                    </datasource>


Add to <subsystem xmlns="urn:jboss:domain:infinispan:3.0"> section:

                <cache-container name="keycloak"
jndi-name="infinispan/Keycloak">
                    <transport lock-timeout="60000"/>
                    <invalidation-cache name="realms" mode="SYNC"/>
                    <invalidation-cache name="users" mode="SYNC"/>
                    <distributed-cache name="sessions" mode="SYNC"
owners="1"/>
                    <distributed-cache name="loginFailures" mode="SYNC"
owners="1"/>
                </cache-container>


Before the ending </profile> add:

            <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
                <web-context>auth</web-context>
            </subsystem>

            <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>


The second one is for securing your deployed .wars with Keycloak server.

Make sure that you really add all these sections to 'full-ha'. If you use
search or any kind of shortcuts to jump through the edited file, it very
easy to end up in a different section. So doublecheck.

Now scroll further down to <server-groups> section, and change
'main-server-group' to use 'full-ha' profile:

        <server-group name="main-server-group" profile="full-ha">
            <jvm name="default">
                <heap size="64m" max-size="512m"/>
            </jvm>
            <socket-binding-group ref="full-ha-sockets"/>
        </server-group>


Save the file.


Now start Keycloak in domain mode:

    bin/domain.sh


Observing the log, you should see many entries for 'server-one', and
'server-two'.

You should also see two big stacktraces, as the server will try to start
up, and fail due to not being able to find the keycloak-server.json file.
(The stacktrace should be more descriptive - current error reporting
NullPointerException is a bug)

But that's good, it means that keycloak-server subsystem was picked up, and
started to get initialized.

Running this results in two additional directories created:

    domain/servers/server-one

and

    domain/servers/server-two

Now just copy the configuration from standalone to these two directories:

mkdir domain/servers/server-one/configuration
cp standalone/configuration/keycloak-server.json
domain/servers/server-one/configuration/
cp -r standalone/configuration/themes
domain/servers/server-one/configuration/
cp -r standalone/configuration/providers
domain/servers/server-one/configuration/

mkdir domain/servers/server-two/configuration
cp standalone/configuration/keycloak-server.json
domain/servers/server-two/configuration/
cp -r standalone/configuration/themes
domain/servers/server-two/configuration/
cp -r standalone/configuration/providers
domain/servers/server-two/configuration/


And start the server again:

    bin/domain.sh


You should now see the server start up without any errors. You can now open
Keycloak admin on server-one:

    http://localhost:8080/auth

And on server-two:

    http://localhost:8230/auth/



This procedure has always worked for me. If it fails for you then provide
your domain.xml, and stdout from console with any stack traces.



On Thu, Nov 5, 2015 at 9:02 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> I came across this:
> https://issues.jboss.org/browse/KEYCLOAK-2037
>
> Maybe it's the same issue here?
>
> On 4 November 2015 at 16:35, Marko Strukelj <mstrukel at redhat.com> wrote:
>
>> On Wed, Nov 4, 2015 at 4:10 PM, Andrej P <ado.boj.83 at gmail.com> wrote:
>>
>>>
>>>
>>> On Wed, Nov 4, 2015 at 3:48 PM, Marko Strukelj <mstrukel at redhat.com>
>>> wrote:
>>>
>>>> Can you confirm that you see the following lines in
>>>> your host-controller.log:
>>>>
>>>> [Server:authentication-server-demosetup] 15:58:23,220 INFO
>>>>  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 72)
>>>> WFLYUT0021: Registered web context: /auth
>>>> [Server:authentication-server-demosetup] 15:58:23,267 INFO
>>>>  [org.jboss.as.server] (ServerService Thread Pool -- 36) WFLYSRV0010:
>>>> Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>>>
>>>    No, this lines are missing in log.
>>>
>>
>> That's the root of your problem then. Keycloak server subsystem doesn't
>> seem to be initialized at all.
>> From your config files it follows that your
>> 'authentication-server-demosetup' server is using 'group-authentication'
>> group, and 'group-authentication' group is using 'idbt-ha' profile, and
>> 'idbt-ha' profile contains keycloak-server subsystem declaration ...
>>
>> I see no reason for Keycloak server to not get initialized.
>>
>> I'm sorry to say, but I'm out of ideas. If I were you I would try from
>> scratch with an OOTB domain.xml, and host.xml, and setup up Keycloak server
>> without any additional applications deployed, following the instructions I
>> described previously - just get server-one, and server-two using the same
>> group tied to full-ha profile. That way you should get Keycloak up and
>> running. Then I would slowly evolve the configuration towards what you have
>> now. Somewhere during that process there must be a step, that breaks
>> things, and it's not obvious what that step is.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151105/565e18c8/attachment-0001.html

More information about the keycloak-user mailing list