Error

From rajkiran.k at inteqsolutions.com Fri Jul 1 02:06:16 2016 From: rajkiran.k at inteqsolutions.com (Rajkiran K) Date: Fri, 1 Jul 2016 11:36:16 +0530 Subject: [keycloak-user] Customize length of of user_attribute table value field Message-ID: <1ef01d3b-b31f-932e-bc49-a827dde79c0a@inteqsolutions.com> Hi, I had a requirement for inserting 450 characters string in to keycloak custom attribute, but value field is 255 characters in user_attribute table. is there any provision to modify this value. Please let me know how can i do this. Regards, Raj Kiran K From thomas.darimont at googlemail.com Fri Jul 1 03:53:54 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 1 Jul 2016 09:53:54 +0200 Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint In-Reply-To: References: Message-ID: Hello Brian, I gave this a spin (with 1.9.x and master) and I think that currently the only way to extend the information in the userinfo endpoint is by defining a custom mapper and register that for the client you use to get the access-token. The protocol mappers of this client will be used for the userinfo endpoint. However the downside of this approach is that this information is now also added to the access-token which you wanted to avoid. It would be great of one had an additional switchable option for custom protocol mappers like "include in userinfo". With this enabled one could control very explicitly what should go where. I added a small curl command sequence below that can be used for testing. Cheers, Thomas # Setup KC_REALM=acme-test KC_USERNAME=tester KC_PASSWORD=test KC_CLIENT=test-client KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0 KC_SERVER=192.168.99.1:8080 KC_CONTEXT=auth CURL_OPTS="-k -v --noproxy 192.168.99.1" # Step 1 Request Tokens for credentials KC_RESPONSE=$( \ curl $CURL_OPTS -X POST \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "username=$KC_USERNAME" \ -d "password=$KC_PASSWORD" \ -d 'grant_type=password' \ -d "client_id=$KC_CLIENT" \ -d "client_secret=$KC_CLIENT_SECRET" \ "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \ | jq . ) # Step 2 Split tokens KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) # Step 3 (Debug) Show all keycloak env variables set | grep KC_* # Step 4 Access Keycloak User Info curl $CURL_OPTS \ -X POST \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "access_token=$KC_ACCESS_TOKEN" \ "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" | jq . # Step 5 Define a new protocol mapper for the client test-client in the admin-console # via clients -> test-client -> mappers -> new -> as an example map a custom user attribute -> add to access token # After that a request to the userinfo endpoint will show your custom attribute. # Step 6 Access Keycloak User Info curl $CURL_OPTS \ -X POST \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "access_token=$KC_ACCESS_TOKEN" \ "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" | jq . 2016-06-30 16:41 GMT+02:00 Brian Watson : > Hi all, > > Keycloak version: 1.9.8 > > Here is my use case: I want to keep the access token JWS as lean as > possible, only containing user roles and a few custom claims I have added. > I want no PII in the access token. However, I would like my internal > services to obtain the full user profile (name, email, etc...) from the > OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the > "sub" claim and the few custom claims that already exist in the access > token. I don't see any support for adding scope values to the request. > > Is there any way to accomplish what I would like, or any other ways of > obtaining this info that I may be missing? > > Thanks in advance > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/6d4a14a0/attachment.html From akaya at expedia.com Fri Jul 1 04:16:36 2016 From: akaya at expedia.com (Sarp Kaya) Date: Fri, 1 Jul 2016 08:16:36 +0000 Subject: [keycloak-user] Lost session when removing an instance off cluster Message-ID: Hello, I have tried various ways of configuring infinispan but it just seems like if I deploy a new instance to the cluster and remove one, then some sessions are lost and an exception is thrown saying that it was not handled. This is the Infinispan exception: Exception handling request to /auth/realms/realmname/protocol/openid-connect/auth: org.jboss.resteasy.spi.UnhandledException: org.infinispan.util.concurrent.TimeoutException: Replication timeout for 79a0757ecab3 at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for 79a0757ecab3 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) This causes browsers to see Internal Server Error. Shouldn't that be handled in Keycloak as lost session, therefore KC should try to handle it rather than showing that it's an Internal Server Error? My current infinispan configuration looks like this: I use Keycloak version 1.9.5. My question is am I doing something wrong with my configuration? I tried both replicated-cache and distributed-cache and tried all transaction mode on both of them. None of them seems to solve the error that I've had above. Kind Regards, Sarp Kaya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/ebced1fe/attachment-0001.html From thomas.darimont at googlemail.com Fri Jul 1 05:12:38 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 1 Jul 2016 11:12:38 +0200 Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint In-Reply-To: References:

Message-ID: Hello Brian, I gave this a quick spin - I introduced an additional option that allows to configure whether a claim from a client mapper should be included in userinfo or not. With that in place one can now control whether a claim should be contained in the access-token, id-token or userinfo which helps to keep access-tokens lean. For the sake of simplicity I only added support for controlling user attributes but I think this could be a useful for other mappers as well. Branch is here: https://github.com/thomasdarimont/keycloak/tree/poc/KEYCLOAK-XXX-use-mapper-only-for-userinfo-endpoint relevant commit: https://github.com/thomasdarimont/keycloak/commit/eb25e72060f75a00afd188fc3b2c242e7b21aa7f Cheers, Thomas 2016-07-01 9:53 GMT+02:00 Thomas Darimont : > Hello Brian, > > I gave this a spin (with 1.9.x and master) and I think that currently the > only way to extend the information in the > userinfo endpoint is by defining a custom mapper and register that for the > client you use to get the > access-token. > The protocol mappers of this client will be used for the userinfo > endpoint. However the downside of this approach is that > this information is now also added to the access-token which you wanted to > avoid. > > It would be great of one had an additional switchable option for custom > protocol mappers like "include in userinfo". > With this enabled one could control very explicitly what should go where. > > I added a small curl command sequence below that can be used for testing. > > Cheers, > Thomas > > # Setup > KC_REALM=acme-test > KC_USERNAME=tester > KC_PASSWORD=test > KC_CLIENT=test-client > KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0 > KC_SERVER=192.168.99.1:8080 > KC_CONTEXT=auth > CURL_OPTS="-k -v --noproxy 192.168.99.1" > > # Step 1 Request Tokens for credentials > KC_RESPONSE=$( \ > curl $CURL_OPTS -X POST \ > -H "Content-Type: application/x-www-form-urlencoded" \ > -d "username=$KC_USERNAME" \ > -d "password=$KC_PASSWORD" \ > -d 'grant_type=password' \ > -d "client_id=$KC_CLIENT" \ > -d "client_secret=$KC_CLIENT_SECRET" \ > "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" > \ > | jq . > ) > > # Step 2 Split tokens > KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) > KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) > KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) > > # Step 3 (Debug) Show all keycloak env variables > set | grep KC_* > > # Step 4 Access Keycloak User Info > curl $CURL_OPTS \ > -X POST \ > -H "Content-Type: application/x-www-form-urlencoded" \ > -d "access_token=$KC_ACCESS_TOKEN" \ > "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" > | jq . > > # Step 5 Define a new protocol mapper for the client test-client in the > admin-console > # via clients -> test-client -> mappers -> new -> as an example map a > custom user attribute -> add to access token > # After that a request to the userinfo endpoint will show your custom > attribute. > > # Step 6 Access Keycloak User Info > curl $CURL_OPTS \ > -X POST \ > -H "Content-Type: application/x-www-form-urlencoded" \ > -d "access_token=$KC_ACCESS_TOKEN" \ > "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" > | jq . > > > > 2016-06-30 16:41 GMT+02:00 Brian Watson : > >> Hi all, >> >> Keycloak version: 1.9.8 >> >> Here is my use case: I want to keep the access token JWS as lean as >> possible, only containing user roles and a few custom claims I have added. >> I want no PII in the access token. However, I would like my internal >> services to obtain the full user profile (name, email, etc...) from the >> OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the >> "sub" claim and the few custom claims that already exist in the access >> token. I don't see any support for adding scope values to the request. >> >> Is there any way to accomplish what I would like, or any other ways of >> obtaining this info that I may be missing? >> >> Thanks in advance >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/c1441d4a/attachment.html From sthorger at redhat.com Fri Jul 1 05:17:01 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 1 Jul 2016 11:17:01 +0200 Subject: [keycloak-user] Lost session when removing an instance off cluster In-Reply-To: References: Message-ID: Can you please include more details from the log if there is any, at least a full stack trace and not just the bit you've included. We also need to know details around how you've configured the caches and Infinispan. On 1 July 2016 at 10:16, Sarp Kaya wrote: > Hello, > > I have tried various ways of configuring infinispan but it just seems like > if I deploy a new instance to the cluster and remove one, then some > sessions are lost and an exception is thrown saying that it was not > handled. This is the Infinispan exception: > > Exception handling request to /auth/realms/realmname/protocol/openid- > connect/auth: org.jboss.resteasy.spi.UnhandledException: org.infinispan. > util.concurrent.TimeoutException: Replication timeout for 79a0757ecab3 at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler. > java:247) at org.jboss.resteasy.core.SynchronousDispatcher.writeException( > SynchronousDispatcher.java:168) at org.jboss.resteasy.core. > SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) at org > .jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher. > java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server. > servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java > :221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher. > service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins. > server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io. > undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java > :85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) at org.keycloak.services.filters. > KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter( > FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler. > handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers. > security.ServletSecurityRoleHandler.handleRequest( > ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers. > ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security. > SecurityContextAssociationHandler.handleRequest( > SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers. > PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow. > servlet.handlers.security.SSLInformationAssociationHandler.handleRequest( > SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers > .security.ServletAuthenticationCallHandler.handleRequest( > ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers. > PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow. > security.handlers.AbstractConfidentialityHandler.handleRequest( > AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers. > security.ServletConfidentialityConstraintHandler.handleRequest( > ServletConfidentialityConstraintHandler.java:64) at io.undertow.security. > handlers.AuthenticationMechanismsHandler.handleRequest( > AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers. > security.CachedAuthenticatedSessionHandler.handleRequest( > CachedAuthenticatedSessionHandler.java:77) at io.undertow.security. > handlers.NotificationReceiverHandler.handleRequest( > NotificationReceiverHandler.java:50) at io.undertow.security.handlers. > AbstractSecurityContextAssociationHandler.handleRequest( > AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server. > handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org. > wildfly.extension.undertow.security.jacc.JACCContextIdHandler. > handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers > .PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow. > server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( > ServletInitialHandler.java:284) at io.undertow.servlet.handlers. > ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at > io.undertow.servlet.handlers.ServletInitialHandler.access$000( > ServletInitialHandler.java:81) at io.undertow.servlet.handlers. > ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. > java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) > Caused by: org.infinispan.util.concurrent.TimeoutException: Replication > timeout for 79a0757ecab3 at org.infinispan.remoting.transport.jgroups. > JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan. > remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72( > JGroupsTransport.java:599) at java.util.concurrent.CompletableFuture. > uniApply(CompletableFuture.java:602) at java.util.concurrent. > CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java. > util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java: > 1962) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture. > call(SingleResponseFuture.java:46) at org.infinispan.remoting.transport. > jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) at java. > util.concurrent.FutureTask.run(FutureTask.java:266) at java.util. > concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201( > ScheduledThreadPoolExecutor.java:180) > > This causes browsers to see Internal Server Error. Shouldn?t that be > handled in Keycloak as lost session, therefore KC should try to handle it > rather than showing that it?s an Internal Server Error? > > My current infinispan configuration looks like this: > > > > > > > I use Keycloak version 1.9.5. My question is am I doing something wrong > with my configuration? I tried both replicated-cache and distributed-cache > and tried all transaction mode on both of them. None of them seems to solve > the error that I?ve had above. > > Kind Regards, > Sarp Kaya > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/4a22c315/attachment-0001.html From sthorger at redhat.com Fri Jul 1 05:18:32 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 1 Jul 2016 11:18:32 +0200 Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint In-Reply-To: References:

Message-ID: +1 To the user info toggle for mappers On 1 July 2016 at 11:12, Thomas Darimont wrote: > Hello Brian, > > I gave this a quick spin - I introduced an additional option that allows > to configure whether a claim from a > client mapper should be included in userinfo or not. > With that in place one can now control whether a claim should be contained > in the access-token, id-token or userinfo > which helps to keep access-tokens lean. > > For the sake of simplicity I only added support for controlling user > attributes but I think this could be a useful > for other mappers as well. > > Branch is here: > > https://github.com/thomasdarimont/keycloak/tree/poc/KEYCLOAK-XXX-use-mapper-only-for-userinfo-endpoint > relevant commit: > > https://github.com/thomasdarimont/keycloak/commit/eb25e72060f75a00afd188fc3b2c242e7b21aa7f > > Cheers, > Thomas > > 2016-07-01 9:53 GMT+02:00 Thomas Darimont > : > >> Hello Brian, >> >> I gave this a spin (with 1.9.x and master) and I think that currently the >> only way to extend the information in the >> userinfo endpoint is by defining a custom mapper and register that for >> the client you use to get the >> access-token. >> The protocol mappers of this client will be used for the userinfo >> endpoint. However the downside of this approach is that >> this information is now also added to the access-token which you wanted >> to avoid. >> >> It would be great of one had an additional switchable option for custom >> protocol mappers like "include in userinfo". >> With this enabled one could control very explicitly what should go where. >> >> I added a small curl command sequence below that can be used for testing. >> >> Cheers, >> Thomas >> >> # Setup >> KC_REALM=acme-test >> KC_USERNAME=tester >> KC_PASSWORD=test >> KC_CLIENT=test-client >> KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0 >> KC_SERVER=192.168.99.1:8080 >> KC_CONTEXT=auth >> CURL_OPTS="-k -v --noproxy 192.168.99.1" >> >> # Step 1 Request Tokens for credentials >> KC_RESPONSE=$( \ >> curl $CURL_OPTS -X POST \ >> -H "Content-Type: application/x-www-form-urlencoded" \ >> -d "username=$KC_USERNAME" \ >> -d "password=$KC_PASSWORD" \ >> -d 'grant_type=password' \ >> -d "client_id=$KC_CLIENT" \ >> -d "client_secret=$KC_CLIENT_SECRET" \ >> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" >> \ >> | jq . >> ) >> >> # Step 2 Split tokens >> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) >> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) >> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) >> >> # Step 3 (Debug) Show all keycloak env variables >> set | grep KC_* >> >> # Step 4 Access Keycloak User Info >> curl $CURL_OPTS \ >> -X POST \ >> -H "Content-Type: application/x-www-form-urlencoded" \ >> -d "access_token=$KC_ACCESS_TOKEN" \ >> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >> | jq . >> >> # Step 5 Define a new protocol mapper for the client test-client in the >> admin-console >> # via clients -> test-client -> mappers -> new -> as an example map a >> custom user attribute -> add to access token >> # After that a request to the userinfo endpoint will show your custom >> attribute. >> >> # Step 6 Access Keycloak User Info >> curl $CURL_OPTS \ >> -X POST \ >> -H "Content-Type: application/x-www-form-urlencoded" \ >> -d "access_token=$KC_ACCESS_TOKEN" \ >> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >> | jq . >> >> >> >> 2016-06-30 16:41 GMT+02:00 Brian Watson : >> >>> Hi all, >>> >>> Keycloak version: 1.9.8 >>> >>> Here is my use case: I want to keep the access token JWS as lean as >>> possible, only containing user roles and a few custom claims I have added. >>> I want no PII in the access token. However, I would like my internal >>> services to obtain the full user profile (name, email, etc...) from the >>> OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the >>> "sub" claim and the few custom claims that already exist in the access >>> token. I don't see any support for adding scope values to the request. >>> >>> Is there any way to accomplish what I would like, or any other ways of >>> obtaining this info that I may be missing? >>> >>> Thanks in advance >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/851d6036/attachment.html From thomas.darimont at googlemail.com Fri Jul 1 05:19:29 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 1 Jul 2016 11:19:29 +0200 Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint In-Reply-To: References:

Message-ID: Cool - shall I file a jira and issue a PR? Then you can polish it a bit ;-) Cheers, Thomas 2016-07-01 11:18 GMT+02:00 Stian Thorgersen : > +1 To the user info toggle for mappers > > On 1 July 2016 at 11:12, Thomas Darimont > wrote: > >> Hello Brian, >> >> I gave this a quick spin - I introduced an additional option that allows >> to configure whether a claim from a >> client mapper should be included in userinfo or not. >> With that in place one can now control whether a claim should be >> contained in the access-token, id-token or userinfo >> which helps to keep access-tokens lean. >> >> For the sake of simplicity I only added support for controlling user >> attributes but I think this could be a useful >> for other mappers as well. >> >> Branch is here: >> >> https://github.com/thomasdarimont/keycloak/tree/poc/KEYCLOAK-XXX-use-mapper-only-for-userinfo-endpoint >> relevant commit: >> >> https://github.com/thomasdarimont/keycloak/commit/eb25e72060f75a00afd188fc3b2c242e7b21aa7f >> >> Cheers, >> Thomas >> >> 2016-07-01 9:53 GMT+02:00 Thomas Darimont > >: >> >>> Hello Brian, >>> >>> I gave this a spin (with 1.9.x and master) and I think that currently >>> the only way to extend the information in the >>> userinfo endpoint is by defining a custom mapper and register that for >>> the client you use to get the >>> access-token. >>> The protocol mappers of this client will be used for the userinfo >>> endpoint. However the downside of this approach is that >>> this information is now also added to the access-token which you wanted >>> to avoid. >>> >>> It would be great of one had an additional switchable option for custom >>> protocol mappers like "include in userinfo". >>> With this enabled one could control very explicitly what should go where. >>> >>> I added a small curl command sequence below that can be used for testing. >>> >>> Cheers, >>> Thomas >>> >>> # Setup >>> KC_REALM=acme-test >>> KC_USERNAME=tester >>> KC_PASSWORD=test >>> KC_CLIENT=test-client >>> KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0 >>> KC_SERVER=192.168.99.1:8080 >>> KC_CONTEXT=auth >>> CURL_OPTS="-k -v --noproxy 192.168.99.1" >>> >>> # Step 1 Request Tokens for credentials >>> KC_RESPONSE=$( \ >>> curl $CURL_OPTS -X POST \ >>> -H "Content-Type: application/x-www-form-urlencoded" \ >>> -d "username=$KC_USERNAME" \ >>> -d "password=$KC_PASSWORD" \ >>> -d 'grant_type=password' \ >>> -d "client_id=$KC_CLIENT" \ >>> -d "client_secret=$KC_CLIENT_SECRET" \ >>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" >>> \ >>> | jq . >>> ) >>> >>> # Step 2 Split tokens >>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) >>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) >>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) >>> >>> # Step 3 (Debug) Show all keycloak env variables >>> set | grep KC_* >>> >>> # Step 4 Access Keycloak User Info >>> curl $CURL_OPTS \ >>> -X POST \ >>> -H "Content-Type: application/x-www-form-urlencoded" \ >>> -d "access_token=$KC_ACCESS_TOKEN" \ >>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >>> | jq . >>> >>> # Step 5 Define a new protocol mapper for the client test-client in the >>> admin-console >>> # via clients -> test-client -> mappers -> new -> as an example map a >>> custom user attribute -> add to access token >>> # After that a request to the userinfo endpoint will show your custom >>> attribute. >>> >>> # Step 6 Access Keycloak User Info >>> curl $CURL_OPTS \ >>> -X POST \ >>> -H "Content-Type: application/x-www-form-urlencoded" \ >>> -d "access_token=$KC_ACCESS_TOKEN" \ >>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >>> | jq . >>> >>> >>> >>> 2016-06-30 16:41 GMT+02:00 Brian Watson : >>> >>>> Hi all, >>>> >>>> Keycloak version: 1.9.8 >>>> >>>> Here is my use case: I want to keep the access token JWS as lean as >>>> possible, only containing user roles and a few custom claims I have added. >>>> I want no PII in the access token. However, I would like my internal >>>> services to obtain the full user profile (name, email, etc...) from the >>>> OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the >>>> "sub" claim and the few custom claims that already exist in the access >>>> token. I don't see any support for adding scope values to the request. >>>> >>>> Is there any way to accomplish what I would like, or any other ways of >>>> obtaining this info that I may be missing? >>>> >>>> Thanks in advance >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/3b22731f/attachment-0001.html From sthorger at redhat.com Fri Jul 1 05:24:08 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 1 Jul 2016 11:24:08 +0200 Subject: [keycloak-user] Mongo and 2.0.0.Final In-Reply-To: References: <25333792.5332896.1467328788071.JavaMail.zimbra@redhat.com> Message-ID: The latest image is rebuilt and includes the fix, so if you don't specify a version when you run the cartridge it'll work fine. On 1 July 2016 at 02:24, John Bartko wrote: > Thanks! Here's an example workaround for running Keycloak > 2.0.0.Final+MongoDB in the meantime: > > https://github.com/jbartko/keycloak/blob/feature/mongo-authpersister/server-mongo/changeDatabase.jq#L2 > > On Thu, Jun 30, 2016 at 6:19 PM, Pedro Igor Silva > wrote: > >> There is an issue with keycloak-mongo image. It is missing the >> configuration for 'authorizationPersister.provider' [2]. >> >> [2] https://issues.jboss.org/browse/KEYCLOAK-3230 >> >> ----- Original Message ----- >> From: "John Bartko" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, June 30, 2016 7:16:35 PM >> Subject: [keycloak-user] Mongo and 2.0.0.Final >> >> Hello all, >> >> I get the following stack trace attempting to use 2.0.0.Final against a >> MongoDB backend. Following the keycloak-mongo readme should reproduce the >> behavior. >> >> >> >> 21:58:31,802 ERROR [org.jboss.msc.service.fail] (ServerService Thread >> Pool -- 47) MSC000001: Failed to start service >> jboss.undertow.deployment.default-server.default-host./auth: >> org.jboss.msc.service.StartException in service >> jboss.undertow.deployment.default-server.default-host./auth: >> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> at >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) >> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >> construct public >> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> at >> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) >> at >> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) >> at >> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) >> at >> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >> at >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >> at >> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >> at >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >> at >> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) >> at >> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) >> at >> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) >> at >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) >> at >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) >> ... 6 more >> Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to >> be specified in the configuration >> at >> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:131) >> at >> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:60) >> at >> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:48) >> at >> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >> at >> org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.getEntityManager(JPAAuthorizationStoreFactory.java:54) >> at >> org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:35) >> at >> org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:32) >> at >> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >> at >> org.keycloak.models.authorization.infinispan.CachedPolicyStore.getStoreFactory(CachedPolicyStore.java:193) >> at >> org.keycloak.models.authorization.infinispan.CachedPolicyStore.getDelegate(CachedPolicyStore.java:201) >> at >> org.keycloak.models.authorization.infinispan.CachedPolicyStore.findByType(CachedPolicyStore.java:179) >> at >> org.keycloak.authorization.policy.provider.drools.DroolsPolicyProviderFactory$1.onEvent(DroolsPolicyProviderFactory.java:75) >> at >> org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:64) >> at >> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:130) >> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >> at >> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >> at >> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >> at >> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >> ... 19 more >> >> 21:58:31,809 ERROR [org.jboss.as.controller.management-operation] >> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >> ([("deployment" => "keycloak-server.war")]) - failure description: >> {"WFLYCTL0080: Failed services" => >> {"jboss.undertow.deployment.default-server.default-host./auth" => >> "org.jboss.msc.service.StartException in service >> jboss.undertow.deployment.default-server.default-host./auth: >> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >> construct public >> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to >> be specified in the configuration"}} >> >> >> Any thoughts? >> >> Thanks, >> -John Bartko >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/f748c04a/attachment.html From sthorger at redhat.com Fri Jul 1 05:24:59 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 1 Jul 2016 11:24:59 +0200 Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint In-Reply-To: References:

Message-ID: Ideally PR should come with polish and testing. Otherwise it'll just sit in the queue ;) On 1 July 2016 at 11:19, Thomas Darimont wrote: > Cool - shall I file a jira and issue a PR? Then you can polish it a bit ;-) > > Cheers, > Thomas > > 2016-07-01 11:18 GMT+02:00 Stian Thorgersen : > >> +1 To the user info toggle for mappers >> >> On 1 July 2016 at 11:12, Thomas Darimont >> wrote: >> >>> Hello Brian, >>> >>> I gave this a quick spin - I introduced an additional option that allows >>> to configure whether a claim from a >>> client mapper should be included in userinfo or not. >>> With that in place one can now control whether a claim should be >>> contained in the access-token, id-token or userinfo >>> which helps to keep access-tokens lean. >>> >>> For the sake of simplicity I only added support for controlling user >>> attributes but I think this could be a useful >>> for other mappers as well. >>> >>> Branch is here: >>> >>> https://github.com/thomasdarimont/keycloak/tree/poc/KEYCLOAK-XXX-use-mapper-only-for-userinfo-endpoint >>> relevant commit: >>> >>> https://github.com/thomasdarimont/keycloak/commit/eb25e72060f75a00afd188fc3b2c242e7b21aa7f >>> >>> Cheers, >>> Thomas >>> >>> 2016-07-01 9:53 GMT+02:00 Thomas Darimont < >>> thomas.darimont at googlemail.com>: >>> >>>> Hello Brian, >>>> >>>> I gave this a spin (with 1.9.x and master) and I think that currently >>>> the only way to extend the information in the >>>> userinfo endpoint is by defining a custom mapper and register that for >>>> the client you use to get the >>>> access-token. >>>> The protocol mappers of this client will be used for the userinfo >>>> endpoint. However the downside of this approach is that >>>> this information is now also added to the access-token which you wanted >>>> to avoid. >>>> >>>> It would be great of one had an additional switchable option for custom >>>> protocol mappers like "include in userinfo". >>>> With this enabled one could control very explicitly what should go >>>> where. >>>> >>>> I added a small curl command sequence below that can be used for >>>> testing. >>>> >>>> Cheers, >>>> Thomas >>>> >>>> # Setup >>>> KC_REALM=acme-test >>>> KC_USERNAME=tester >>>> KC_PASSWORD=test >>>> KC_CLIENT=test-client >>>> KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0 >>>> KC_SERVER=192.168.99.1:8080 >>>> KC_CONTEXT=auth >>>> CURL_OPTS="-k -v --noproxy 192.168.99.1" >>>> >>>> # Step 1 Request Tokens for credentials >>>> KC_RESPONSE=$( \ >>>> curl $CURL_OPTS -X POST \ >>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>> -d "username=$KC_USERNAME" \ >>>> -d "password=$KC_PASSWORD" \ >>>> -d 'grant_type=password' \ >>>> -d "client_id=$KC_CLIENT" \ >>>> -d "client_secret=$KC_CLIENT_SECRET" \ >>>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" >>>> \ >>>> | jq . >>>> ) >>>> >>>> # Step 2 Split tokens >>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) >>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) >>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) >>>> >>>> # Step 3 (Debug) Show all keycloak env variables >>>> set | grep KC_* >>>> >>>> # Step 4 Access Keycloak User Info >>>> curl $CURL_OPTS \ >>>> -X POST \ >>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>> -d "access_token=$KC_ACCESS_TOKEN" \ >>>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >>>> | jq . >>>> >>>> # Step 5 Define a new protocol mapper for the client test-client in the >>>> admin-console >>>> # via clients -> test-client -> mappers -> new -> as an example map a >>>> custom user attribute -> add to access token >>>> # After that a request to the userinfo endpoint will show your custom >>>> attribute. >>>> >>>> # Step 6 Access Keycloak User Info >>>> curl $CURL_OPTS \ >>>> -X POST \ >>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>> -d "access_token=$KC_ACCESS_TOKEN" \ >>>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >>>> | jq . >>>> >>>> >>>> >>>> 2016-06-30 16:41 GMT+02:00 Brian Watson : >>>> >>>>> Hi all, >>>>> >>>>> Keycloak version: 1.9.8 >>>>> >>>>> Here is my use case: I want to keep the access token JWS as lean as >>>>> possible, only containing user roles and a few custom claims I have added. >>>>> I want no PII in the access token. However, I would like my internal >>>>> services to obtain the full user profile (name, email, etc...) from the >>>>> OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the >>>>> "sub" claim and the few custom claims that already exist in the access >>>>> token. I don't see any support for adding scope values to the request. >>>>> >>>>> Is there any way to accomplish what I would like, or any other ways of >>>>> obtaining this info that I may be missing? >>>>> >>>>> Thanks in advance >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/887657ee/attachment-0001.html From sthorger at redhat.com Fri Jul 1 05:28:33 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 1 Jul 2016 11:28:33 +0200 Subject: [keycloak-user] Searching on Keycloak mailing list archive In-Reply-To: References: <57557345.2060409@redhat.com>

Message-ID: Ok, trying Nabble with user mailing list now. On 30 June 2016 at 19:54, Bruno Oliveira wrote: > Not only for forums, aerogear is indexed with Nabble[1]. > > That's just an alternative. > > [1] - http://aerogear-dev.1069024.n5.nabble.com > > On Wed, Jun 29, 2016, 11:10 PM Stian Thorgersen > wrote: > >> MarkMail seems to limit what lists they index. I've sent an email asking >> if they can add Keycloak lists. >> >> Nabble is a forum and we don't want to add a forum. The issue is that >> we'd end up with people asking questions there as well and we can't handle >> both locations. >> >> On 30 June 2016 at 06:51, Bruno Oliveira wrote: >> >>> In the worst case scenario, give http://markmail.org/ or >>> http://www.nabble.com/ a try. >>> >>> On Wed, Jun 29, 2016 at 3:40 AM Stian Thorgersen >>> wrote: >>> >>>> Waiting for response on the ticket.. Might be a bit delayed due to >>>> DevNation/Summit. >>>> >>>> On 29 June 2016 at 11:51, Thomas Darimont < >>>> thomas.darimont at googlemail.com> wrote: >>>> >>>>> Hello, >>>>> >>>>> any updates here? >>>>> >>>>> Keycloak Mailing-list is still not searchable via >>>>> http://search.jboss.org/ >>>>> >>>>> Cheers, >>>>> Thomas >>>>> >>>>> 2016-06-07 14:59 GMT+02:00 Stian Thorgersen : >>>>> >>>>>> I sent an email to the JBoss.org guys to ask them to add our mailing >>>>>> lists to search.jboss.org. >>>>>> >>>>>> On 7 June 2016 at 14:03, Thomas Darimont < >>>>>> thomas.darimont at googlemail.com> wrote: >>>>>> >>>>>>> I asked for it here: >>>>>>> https://developer.jboss.org/wiki/JBossCommunitySearchHelp >>>>>>> >>>>>>> Would be really useful to have - I downloaded the news archives >>>>>>> locally and search through with thunderbird. >>>>>>> >>>>>>> 2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares : >>>>>>> >>>>>>>> How can I search for something on keycloak mailing lists archive? >>>>>>>> It appears keycloak lists are not indexed by JBoss Community Search >>>>>>>> engine [1][2] >>>>>>>> >>>>>>>> [1] http://search.jboss.org >>>>>>>> [2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ >>>>>>>> >>>>>>>> -- >>>>>>>> ___ >>>>>>>> Rafael T. C. Soares | Solution Architect >>>>>>>> JBoss Enterprise Middleware | Red Hat Brazil >>>>>>>> Mobile: +55 71 98181-3636 >>>>>>>> Phone: +55 11 3529-6096 >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/a8c68eac/attachment.html From watson409 at gmail.com Fri Jul 1 08:49:38 2016 From: watson409 at gmail.com (Brian Watson) Date: Fri, 1 Jul 2016 08:49:38 -0400 Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint In-Reply-To: References:

Message-ID: Great! Thank you all so much for the quick response and effort! On Fri, Jul 1, 2016 at 5:24 AM, Stian Thorgersen wrote: > Ideally PR should come with polish and testing. Otherwise it'll just sit > in the queue ;) > > On 1 July 2016 at 11:19, Thomas Darimont > wrote: > >> Cool - shall I file a jira and issue a PR? Then you can polish it a bit >> ;-) >> >> Cheers, >> Thomas >> >> 2016-07-01 11:18 GMT+02:00 Stian Thorgersen : >> >>> +1 To the user info toggle for mappers >>> >>> On 1 July 2016 at 11:12, Thomas Darimont >> > wrote: >>> >>>> Hello Brian, >>>> >>>> I gave this a quick spin - I introduced an additional option that >>>> allows to configure whether a claim from a >>>> client mapper should be included in userinfo or not. >>>> With that in place one can now control whether a claim should be >>>> contained in the access-token, id-token or userinfo >>>> which helps to keep access-tokens lean. >>>> >>>> For the sake of simplicity I only added support for controlling user >>>> attributes but I think this could be a useful >>>> for other mappers as well. >>>> >>>> Branch is here: >>>> >>>> https://github.com/thomasdarimont/keycloak/tree/poc/KEYCLOAK-XXX-use-mapper-only-for-userinfo-endpoint >>>> relevant commit: >>>> >>>> https://github.com/thomasdarimont/keycloak/commit/eb25e72060f75a00afd188fc3b2c242e7b21aa7f >>>> >>>> Cheers, >>>> Thomas >>>> >>>> 2016-07-01 9:53 GMT+02:00 Thomas Darimont < >>>> thomas.darimont at googlemail.com>: >>>> >>>>> Hello Brian, >>>>> >>>>> I gave this a spin (with 1.9.x and master) and I think that currently >>>>> the only way to extend the information in the >>>>> userinfo endpoint is by defining a custom mapper and register that for >>>>> the client you use to get the >>>>> access-token. >>>>> The protocol mappers of this client will be used for the userinfo >>>>> endpoint. However the downside of this approach is that >>>>> this information is now also added to the access-token which you >>>>> wanted to avoid. >>>>> >>>>> It would be great of one had an additional switchable option for >>>>> custom protocol mappers like "include in userinfo". >>>>> With this enabled one could control very explicitly what should go >>>>> where. >>>>> >>>>> I added a small curl command sequence below that can be used for >>>>> testing. >>>>> >>>>> Cheers, >>>>> Thomas >>>>> >>>>> # Setup >>>>> KC_REALM=acme-test >>>>> KC_USERNAME=tester >>>>> KC_PASSWORD=test >>>>> KC_CLIENT=test-client >>>>> KC_CLIENT_SECRET=3ee678ac-b31b-4bb6-80fa-5f25c7817bf0 >>>>> KC_SERVER=192.168.99.1:8080 >>>>> KC_CONTEXT=auth >>>>> CURL_OPTS="-k -v --noproxy 192.168.99.1" >>>>> >>>>> # Step 1 Request Tokens for credentials >>>>> KC_RESPONSE=$( \ >>>>> curl $CURL_OPTS -X POST \ >>>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>>> -d "username=$KC_USERNAME" \ >>>>> -d "password=$KC_PASSWORD" \ >>>>> -d 'grant_type=password' \ >>>>> -d "client_id=$KC_CLIENT" \ >>>>> -d "client_secret=$KC_CLIENT_SECRET" \ >>>>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" >>>>> \ >>>>> | jq . >>>>> ) >>>>> >>>>> # Step 2 Split tokens >>>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) >>>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) >>>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) >>>>> >>>>> # Step 3 (Debug) Show all keycloak env variables >>>>> set | grep KC_* >>>>> >>>>> # Step 4 Access Keycloak User Info >>>>> curl $CURL_OPTS \ >>>>> -X POST \ >>>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>>> -d "access_token=$KC_ACCESS_TOKEN" \ >>>>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >>>>> | jq . >>>>> >>>>> # Step 5 Define a new protocol mapper for the client test-client in >>>>> the admin-console >>>>> # via clients -> test-client -> mappers -> new -> as an example map a >>>>> custom user attribute -> add to access token >>>>> # After that a request to the userinfo endpoint will show your custom >>>>> attribute. >>>>> >>>>> # Step 6 Access Keycloak User Info >>>>> curl $CURL_OPTS \ >>>>> -X POST \ >>>>> -H "Content-Type: application/x-www-form-urlencoded" \ >>>>> -d "access_token=$KC_ACCESS_TOKEN" \ >>>>> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/userinfo" >>>>> | jq . >>>>> >>>>> >>>>> >>>>> 2016-06-30 16:41 GMT+02:00 Brian Watson : >>>>> >>>>>> Hi all, >>>>>> >>>>>> Keycloak version: 1.9.8 >>>>>> >>>>>> Here is my use case: I want to keep the access token JWS as lean as >>>>>> possible, only containing user roles and a few custom claims I have added. >>>>>> I want no PII in the access token. However, I would like my internal >>>>>> services to obtain the full user profile (name, email, etc...) from the >>>>>> OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the >>>>>> "sub" claim and the few custom claims that already exist in the access >>>>>> token. I don't see any support for adding scope values to the request. >>>>>> >>>>>> Is there any way to accomplish what I would like, or any other ways >>>>>> of obtaining this info that I may be missing? >>>>>> >>>>>> Thanks in advance >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/bf0491df/attachment-0001.html From sthorger at redhat.com Fri Jul 1 09:14:55 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 1 Jul 2016 15:14:55 +0200 Subject: [keycloak-user] Want to work on Keycloak? Message-ID: We're looking for two people to join our team so if anyone is interested you can contact me directly or apply online. For more details about the positions take a look at the job descriptions: * SDK and developer experience - https://careers-redhat.icims.com/jobs/53428/senior-software-engineer/job * Web Application developer - https://careers-redhat.icims.com/jobs/51802/senior-software-engineer/job -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/f4e67635/attachment.html From asarathi at vizuri.com Fri Jul 1 12:39:32 2016 From: asarathi at vizuri.com (Aswini Sarathi) Date: Fri, 1 Jul 2016 12:39:32 -0400 Subject: [keycloak-user] OAuth Access Token Response in XML Message-ID: Hi, I am trying to find out if there is a way to get response from token endpoint /realms/{realm-name}/protocol/openid-connect/token in xml or json format based on the Accept header. If its not supported out of the box, what other options are available to do this? Should I look at creating a custom endpoint by implementing the SPI to do the mapping? Thanks!! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160701/f309e9c5/attachment.html From petervn1 at yahoo.com Sat Jul 2 14:39:22 2016 From: petervn1 at yahoo.com (Peter Nalyvayko) Date: Sat, 2 Jul 2016 18:39:22 +0000 (UTC) Subject: [keycloak-user] Keycloak and Salesforce IdP identity brokering In-Reply-To: <206335081.4376505.1467246580929.JavaMail.yahoo@mail.yahoo.com> References: <206335081.4376505.1467246580929.JavaMail.yahoo.ref@mail.yahoo.com> <206335081.4376505.1467246580929.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1451986391.933009.1467484762648.JavaMail.yahoo@mail.yahoo.com> After a bit of digging through the keycloak archives, I believe I've foundan answer to my own question. There is indeed a way to set up identitybrokering in keycloak with Salesforce, although the processis not as straightforward as one would expect. To get the values for?ACS URL and Entity Id one should create a SAML 2.0 external IdP,and then "Export" the IdP using the "Export" button.? --Peter? >Hello, >I am trying to integrate keycloak and Salesforce using Salesforce?>as an identity provider. It seems some of the information required to?>properly set up the Salesforce as SAML IdP is ?missing in the keycloak's SAML?>identity provider configuration. For example, "Entity Id", according to the?>Salesforce documentation:?>"This value comes from the service provider.?>Each entity ID in an organization must be unique. If you?re accessing multiple?>apps from your service provider, you only need to define the service provider?>>once, and then use the?RelayState?parameter to append the URL values?>to direct the user to the correct app after signing in." (https://help.salesforce.com/HTViewHelpDoc?>id=service_provider_define.htm&language=en_US).?>The SAML identity provider configuration in keycloak does not have?>a setting to specify "Entity Id". Another missing attribute is "ACS URL"?>(The ACS, or assertion consumer service, URL comes from the SAML?>service provider.).? >Has anyone been able to set up Salesforce as IdP and keycloak?>as SP using keycloak's SAML identity provider? Is this even possible?>given that some required parameters are missing?>Thx>Peter -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160702/a9ee1392/attachment.html From tema.voskoboynick at gmail.com Sun Jul 3 15:16:38 2016 From: tema.voskoboynick at gmail.com (Artem Voskoboynick) Date: Sun, 3 Jul 2016 23:16:38 +0400 Subject: [keycloak-user] Why scope permission denial affects the whole resource avaiability? Message-ID: I have a resource and a few scopes associated with the resource. Both the resource and the scope have permissions associated with them. It seems logical that if one of the resource permissions resolves to DENY, the whole resource is denied for the user. But why the same happens with scope permissions? As I understood from the docuemntation, scopes are verbs that can act upon a resource. So if an user isn't authorized to perform one of the verbs (one of the scopes), the user still should have access to the resource itself, if the resource permissions allow, but it doesn't to seem to work this way. I expected to automaticlaly block users that are not authorized for the resource. With the rest users I expected to check each scope programmatically for avaiability of corresponding actions (resource:view, resource:edit, etc). I used the "hello-world-authz-service" example (Keycloak server configuration and the application code) with a few changes (added scopes) to check it. Didn't work - access denied if one of the scope permissions fails. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160703/3c8bc7b5/attachment.html From tema.voskoboynick at gmail.com Sun Jul 3 16:41:09 2016 From: tema.voskoboynick at gmail.com (Artem Voskoboynick) Date: Mon, 4 Jul 2016 00:41:09 +0400 Subject: [keycloak-user] Why scope permission denial affects the whole resource avaiability? In-Reply-To: References: Message-ID: Looks I've clarified the problem: A resource with scopes won't be permitted if there are no permitted scopes. This is a strange behavior - if there are no permitted scopes, the resource should still be available, it just doesn't have any additional actions (scopes) permitted. In support, if you take a resource without scopes, the resource is available (given all resource permissions are permitted). But following the current logic Keycloak handles scopes, the resource shouldn't be available then, since there are no available scopes. Now, the only solution is to create a dummy scope and always assign it to resources, so that they don't get blocked when no other scopes are available. I think, this behavior should be changed. What do you think? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/734ac0dd/attachment-0001.html From bradleybeddoes at aaf.edu.au Mon Jul 4 00:37:46 2016 From: bradleybeddoes at aaf.edu.au (Bradley Beddoes) Date: Mon, 4 Jul 2016 14:37:46 +1000 Subject: [keycloak-user] Fwd: functionality questions (Keycloak 2) In-Reply-To: References: Message-ID: Hello, I've been evaluating Keycloak 2 releases recently (documentation and local deployment) to determine if Keycloak might be a suitable fit for a future project we're considering. A lot of the moving parts we require are present but I see a few incompatibilities when it comes to the model we need vs my interpretation of Keycloak functionality. To help explain what I'm trying to achieve I've created two small diagrams: 1. https://drive.google.com/file/d/0B9Ye3fFQSfx-YWUtcEF2Z0MxSjA/view This is the overall goal. On the far right 1 or more OIDC or SAML service instances are grouped together and overseen by 1 or more local administrators. Each group then relies on some central process to handle authentication, sso and identity resolution by some process it doesn't need to care about. In our case this would be mostly by authentication against and identity transfer from multiple SAML 2.x IdP (Shibboleth) from which we'd locally store/update/augment as a single cache of identity data. Groups would have the ability to translate/augment identity data before returning it back to the service instance the end user was attempting to access. End users would have the ability to: - Approve release of identity information to a service group (approval would apply to all service instances within a group); - Review all identity information which is held about them centrally and update if required; - View a list of previous release approvals across all service groups (and revoke if desired); - Undertake a range of standard session based actions, such as revoking currently active tokens, determining where active sessions are held etc. 2. https://drive.google.com/file/d/0B9Ye3fFQSfx-amJZVGF5QWZwdmM/view This is my interpretation of Keycloak functionality. OIDC and SAML service instances belong to realms and administrators are assigned to a realm. Each realm can be configured to offload authentication and identity resolution to a central realm which can be configured to talk to 1 or more SAML 2.x IdP. This realm will cache identity data locally. When an end user approves identity release it applies to all service instances within the owning realm. >From here though I believe the following differences are present: - Each realm duplicates identity data for every user who authenticates to a service within that realm - If user identity changes in the master realm those changes are not reflected in all service facing realms - Any augmentation of identity, such as role membership, is per realm - Users can only manage identity information, release approvals etc per realm - Session based actions are only per realm Based on the above descriptions, any help the community could offer to align my design goals with functionality present Keycloak would be fantastic. cheers, Bradley -- *Bradley Beddoes* *Australian Access Federation Inc* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/088af180/attachment.html From sthorger at redhat.com Mon Jul 4 03:04:54 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 4 Jul 2016 09:04:54 +0200 Subject: [keycloak-user] OAuth Access Token Response in XML In-Reply-To: References: Message-ID: We only support JWT with OpenID Connect. Can you elaborate on why you want an XML token? You could add a custom REST endpoint or a custom protocol to do this, but not sure I'd recommend doing it as there's a fair bit of logic that goes into the token endpoint. On 1 July 2016 at 18:39, Aswini Sarathi wrote: > Hi, > > I am trying to find out if there is a way to get response from token > endpoint /realms/{realm-name}/protocol/openid-connect/token in xml or > json format based on the Accept header. If its not supported out of the > box, what other options are available to do this? Should I look at creating > a custom endpoint by implementing the SPI to do the mapping? > > Thanks!! > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/cb78301a/attachment.html From sthorger at redhat.com Mon Jul 4 06:11:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 4 Jul 2016 12:11:05 +0200 Subject: [keycloak-user] Customize length of of user_attribute table value field In-Reply-To: <1ef01d3b-b31f-932e-bc49-a827dde79c0a@inteqsolutions.com> References: <1ef01d3b-b31f-932e-bc49-a827dde79c0a@inteqsolutions.com> Message-ID: We have an outstanding issue to increase this: https://issues.jboss.org/browse/KEYCLOAK-2382. However, it's not so trivial as we need to support many different DBs and it may also have some performance impact. You can manually change the size for the column directly in your database. Once we incorporate KEYCLOAK-2382 it would then be changed to our new setting for this column. On 1 July 2016 at 08:06, Rajkiran K wrote: > Hi, > > I had a requirement for inserting 450 characters string in to keycloak > custom attribute, but value field is 255 characters in user_attribute > table. is there any provision to modify this value. Please let me know > how can i do this. > > Regards, > > Raj Kiran K > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/7f876828/attachment.html From akaya at expedia.com Mon Jul 4 07:59:21 2016 From: akaya at expedia.com (Sarp Kaya) Date: Mon, 4 Jul 2016 11:59:21 +0000 Subject: [keycloak-user] Lost session when removing an instance off cluster In-Reply-To: References: Message-ID: Hello, Below is exactly how Infinispan is configured:

Message-ID: Adding list back - please use reply all I'm not following. The response payload is the token, so not sure what it is that you want in XML. On 4 July 2016 at 15:41, wrote: > Sorry if I wasn't clear earlier. I don't want the token itself to be in > xml. I just want the response payload from the token endpoint to be xml or > Json based on the accept header. > > > On Jul 4, 2016, at 3:04 AM, Stian Thorgersen wrote: > > We only support JWT with OpenID Connect. Can you elaborate on why you want > an XML token? > > You could add a custom REST endpoint or a custom protocol to do this, but > not sure I'd recommend doing it as there's a fair bit of logic that goes > into the token endpoint. > > On 1 July 2016 at 18:39, Aswini Sarathi wrote: > >> Hi, >> >> I am trying to find out if there is a way to get response from token >> endpoint /realms/{realm-name}/protocol/openid-connect/token in xml or >> json format based on the Accept header. If its not supported out of the >> box, what other options are available to do this? Should I look at creating >> a custom endpoint by implementing the SPI to do the mapping? >> >> Thanks!! >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/064becbe/attachment.html From asarathi at vizuri.com Mon Jul 4 13:32:39 2016 From: asarathi at vizuri.com (Aswini Sarathi) Date: Mon, 4 Jul 2016 13:32:39 -0400 Subject: [keycloak-user] OAuth Access Token Response in XML In-Reply-To: References:

Message-ID: I tried getting a token using the token endpoint with grant type as "password" and this is what I got in the response and the content-type was set to application/json in the header. My question is what would I need to do if I want the below response in xml. I have a user who wants to parse a XML response instead and get the access token. Please let me know if I am not doing anything correctly. { "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjZWVjZmNiZS1lODJmLTQ2MWQtODljMi05MGY0NGZiNTcwNTIiLCJleHAiOjE0Njc2NTM1MDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJWZW5kb3JBUEkiLCJzZXNzaW9uX3N0YXRlIjoiOWNhOTYxYzktMWI4OC00NzhlLWI0OTEtNTE1YWZiMDYwZTY1IiwiY2xpZW50X3Nlc3Npb24iOiI1MDgxNGZjMi02NWIwLTQ4YmYtYWY3OS04ZDZmODlhMWFkODciLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidmVuZG9yIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJ2ZW5kb3JJZCI6MTg5NTUsInByZWZlcnJlZF91c2VybmFtZSI6InRyYWRlYWx6In0.faGKCcK79sLrYRxCdXHo7iaROKDXJjXsUh83PdnbV2DVWJ5HlaA735zhCoM2XJ3Fn4HIg68zjQy4Q__eC8_UcXDi_qcVz3qcHLhKRHX3xZXMWwaSGrIgmcU--0ntH4Ot4qDayolzk4xOdXahMdRQW4u0Cwiwsfi715TipP0IgOK4B4VcsdbBFF5UlQFwUDTkaKiI8kST-XK6elZcbUGjheVo5qU5-_uVZX9c2DBTyPJ2BRn6UEGfpXigqXEoQS6MXWj4aLiI4vIo8cTQ0dfTbontQMsv17wUif-IikHwoYWkI9TFCBo0Knh3l7D2Z6rEZc8UvmQNeGqRaMVvWN0_TA", "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjNzZlMjcxZS1hNjYxLTQwMjEtOGNiOC0yOWM2MjRmMTE4ZDIiLCJleHAiOjE0Njc2NTUwMDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiVmVuZG9yQVBJIiwic2Vzc2lvbl9zdGF0ZSI6IjljYTk2MWM5LTFiODgtNDc4ZS1iNDkxLTUxNWFmYjA2MGU2NSIsImNsaWVudF9zZXNzaW9uIjoiNTA4MTRmYzItNjViMC00OGJmLWFmNzktOGQ2Zjg5YTFhZDg3IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInZlbmRvciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19fQ.AcgsUMKH6Yczq6RxAxiwgViXRoiS2KuqFYdWOAYDmwL7_esy4E3guX9XR-8tBULiEspCNxCbgJca7t3_4jMxeIdhBq4DDqdecCe0XuU6HRugFD8nGDxHGMmotWarZn3mjj1jZmLCwYptoWgNVAJa6bILQafYFTHjb1Xzy_5j6lzk0waT9NMe0LFtVLFnW5xMqWs2gUMLUuY7XLlmNjarl_-LHsE3yiwWw1WR528JN3ld87tlQhGDv8FNfyK6jQ6VJwJbXgPuzfnVfoCVZOMx7K2fhSOTc8m8FgkCtVtX9noWqQt4DzI5N0LkycB9oIndLwZTQDklmuhaRCPkYOvU5g", "token_type": "bearer", "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0NDMwYmVhMi0xN2FiLTQ3OTUtODNiMC0wYTVkYTc0YzdlNjIiLCJleHAiOjE0Njc2NTM1MDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJJRCIsImF6cCI6IlZlbmRvckFQSSIsInNlc3Npb25fc3RhdGUiOiI5Y2E5NjFjOS0xYjg4LTQ3OGUtYjQ5MS01MTVhZmIwNjBlNjUiLCJuYW1lIjoiIiwidmVuZG9ySWQiOjE4OTU1LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0cmFkZWFseiJ9.hhCaW_naA6Agx4rYoP3YP_wYqwXG7oq6DIHFup6JRPG2YckZ0ups46tYRwXG-6DPrRRfCdD36YiGA3sggJZllMlBL-SI4XZ5amayi4J_Ktz_1IleOsQRG49DFflIyk9W4ZWMDSqut2ZYTE0Bfm_yc5XZUNKEY7quPQLGg2JdF2kT7Ka80aHQOIQPvC-Q0IkL7-uyT2Swq2sU8RO4OGMJziKY71UWPpn-ht1p5dOL1lKlZoULS-VCPeCupGoOuR9Y9t88N7vbjFDv3dw3zw67BCA9BwwtsGKCJkhopvaJWS4tiRqFsoSF-_O2IzkuoEjAW3LalMe3vusQjzuFOSdOMQ", "not-before-policy": 0, "session_state": "9ca961c9-1b88-478e-b491-515afb060e65" } On Mon, Jul 4, 2016 at 1:11 PM, Stian Thorgersen wrote: > Adding list back - please use reply all > > I'm not following. The response payload is the token, so not sure what it > is that you want in XML. > > On 4 July 2016 at 15:41, wrote: > >> Sorry if I wasn't clear earlier. I don't want the token itself to be in >> xml. I just want the response payload from the token endpoint to be xml or >> Json based on the accept header. >> >> >> On Jul 4, 2016, at 3:04 AM, Stian Thorgersen wrote: >> >> We only support JWT with OpenID Connect. Can you elaborate on why you >> want an XML token? >> >> You could add a custom REST endpoint or a custom protocol to do this, but >> not sure I'd recommend doing it as there's a fair bit of logic that goes >> into the token endpoint. >> >> On 1 July 2016 at 18:39, Aswini Sarathi wrote: >> >>> Hi, >>> >>> I am trying to find out if there is a way to get response from >>> token endpoint /realms/{realm-name}/protocol/openid-connect/token in >>> xml or json format based on the Accept header. If its not supported out of >>> the box, what other options are available to do this? Should I look at >>> creating a custom endpoint by implementing the SPI to do the mapping? >>> >>> Thanks!! >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/36fb34b8/attachment.html From sthorger at redhat.com Mon Jul 4 13:42:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 4 Jul 2016 19:42:20 +0200 Subject: [keycloak-user] OAuth Access Token Response in XML In-Reply-To: References:

Message-ID: Well.. This is OpenID Connect and the response should be in JSON. You should tell your user to parse the JSON and not expect XML. If he really wants XML then maybe he'd be happy with using SAML instead. I'd recommend against doing something custom, but you can in theory do that with either the protocol SPI or the rest resource spi. On 4 July 2016 at 19:32, Aswini Sarathi wrote: > I tried getting a token using the token endpoint with grant type as > "password" and this is what I got in the response and the content-type was > set to application/json in the header. My question is what would I need to > do if I want the below response in xml. I have a user who wants to parse a > XML response instead and get the access token. Please let me know if I am > not doing anything correctly. > > { > "access_token": > "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjZWVjZmNiZS1lODJmLTQ2MWQtODljMi05MGY0NGZiNTcwNTIiLCJleHAiOjE0Njc2NTM1MDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJWZW5kb3JBUEkiLCJzZXNzaW9uX3N0YXRlIjoiOWNhOTYxYzktMWI4OC00NzhlLWI0OTEtNTE1YWZiMDYwZTY1IiwiY2xpZW50X3Nlc3Npb24iOiI1MDgxNGZjMi02NWIwLTQ4YmYtYWY3OS04ZDZmODlhMWFkODciLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidmVuZG9yIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJ2ZW5kb3JJZCI6MTg5NTUsInByZWZlcnJlZF91c2VybmFtZSI6InRyYWRlYWx6In0.faGKCcK79sLrYRxCdXHo7iaROKDXJjXsUh83PdnbV2DVWJ5HlaA735zhCoM2XJ3Fn4HIg68zjQy4Q__eC8_UcXDi_qcVz3qcHLhKRHX3xZXMWwaSGrIgmcU--0ntH4Ot4qDayolzk4xOdXahMdRQW4u0Cwiwsfi715TipP0IgOK4B4VcsdbBFF5UlQFwUDTkaKiI8kST-XK6elZcbUGjheVo5qU5-_uVZX9c2DBTyPJ2BRn6UEGfpXigqXEoQS6MXWj4aLiI4vIo8cTQ0dfTbontQMsv17wUif-IikHwoYWkI9TFCBo0Knh3l7D2Z6rEZc8UvmQNeGqRaMVvWN0_TA", > "expires_in": 300, > "refresh_expires_in": 1800, > "refresh_token": > "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjNzZlMjcxZS1hNjYxLTQwMjEtOGNiOC0yOWM2MjRmMTE4ZDIiLCJleHAiOjE0Njc2NTUwMDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiVmVuZG9yQVBJIiwic2Vzc2lvbl9zdGF0ZSI6IjljYTk2MWM5LTFiODgtNDc4ZS1iNDkxLTUxNWFmYjA2MGU2NSIsImNsaWVudF9zZXNzaW9uIjoiNTA4MTRmYzItNjViMC00OGJmLWFmNzktOGQ2Zjg5YTFhZDg3IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInZlbmRvciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19fQ.AcgsUMKH6Yczq6RxAxiwgViXRoiS2KuqFYdWOAYDmwL7_esy4E3guX9XR-8tBULiEspCNxCbgJca7t3_4jMxeIdhBq4DDqdecCe0XuU6HRugFD8nGDxHGMmotWarZn3mjj1jZmLCwYptoWgNVAJa6bILQafYFTHjb1Xzy_5j6lzk0waT9NMe0LFtVLFnW5xMqWs2gUMLUuY7XLlmNjarl_-LHsE3yiwWw1WR528JN3ld87tlQhGDv8FNfyK6jQ6VJwJbXgPuzfnVfoCVZOMx7K2fhSOTc8m8FgkCtVtX9noWqQt4DzI5N0LkycB9oIndLwZTQDklmuhaRCPkYOvU5g", > "token_type": "bearer", > "id_token": > "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0NDMwYmVhMi0xN2FiLTQ3OTUtODNiMC0wYTVkYTc0YzdlNjIiLCJleHAiOjE0Njc2NTM1MDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJJRCIsImF6cCI6IlZlbmRvckFQSSIsInNlc3Npb25fc3RhdGUiOiI5Y2E5NjFjOS0xYjg4LTQ3OGUtYjQ5MS01MTVhZmIwNjBlNjUiLCJuYW1lIjoiIiwidmVuZG9ySWQiOjE4OTU1LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0cmFkZWFseiJ9.hhCaW_naA6Agx4rYoP3YP_wYqwXG7oq6DIHFup6JRPG2YckZ0ups46tYRwXG-6DPrRRfCdD36YiGA3sggJZllMlBL-SI4XZ5amayi4J_Ktz_1IleOsQRG49DFflIyk9W4ZWMDSqut2ZYTE0Bfm_yc5XZUNKEY7quPQLGg2JdF2kT7Ka80aHQOIQPvC-Q0IkL7-uyT2Swq2sU8RO4OGMJziKY71UWPpn-ht1p5dOL1lKlZoULS-VCPeCupGoOuR9Y9t88N7vbjFDv3dw3zw67BCA9BwwtsGKCJkhopvaJWS4tiRqFsoSF-_O2IzkuoEjAW3LalMe3vusQjzuFOSdOMQ", > "not-before-policy": 0, > "session_state": "9ca961c9-1b88-478e-b491-515afb060e65" > } > > On Mon, Jul 4, 2016 at 1:11 PM, Stian Thorgersen > wrote: > >> Adding list back - please use reply all >> >> I'm not following. The response payload is the token, so not sure what it >> is that you want in XML. >> >> On 4 July 2016 at 15:41, wrote: >> >>> Sorry if I wasn't clear earlier. I don't want the token itself to be in >>> xml. I just want the response payload from the token endpoint to be xml or >>> Json based on the accept header. >>> >>> >>> On Jul 4, 2016, at 3:04 AM, Stian Thorgersen >>> wrote: >>> >>> We only support JWT with OpenID Connect. Can you elaborate on why you >>> want an XML token? >>> >>> You could add a custom REST endpoint or a custom protocol to do this, >>> but not sure I'd recommend doing it as there's a fair bit of logic that >>> goes into the token endpoint. >>> >>> On 1 July 2016 at 18:39, Aswini Sarathi wrote: >>> >>>> Hi, >>>> >>>> I am trying to find out if there is a way to get response from >>>> token endpoint /realms/{realm-name}/protocol/openid-connect/token in >>>> xml or json format based on the Accept header. If its not supported out of >>>> the box, what other options are available to do this? Should I look at >>>> creating a custom endpoint by implementing the SPI to do the mapping? >>>> >>>> Thanks!! >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/11c387e8/attachment-0001.html From asarathi at vizuri.com Mon Jul 4 13:49:02 2016 From: asarathi at vizuri.com (Aswini Sarathi) Date: Mon, 4 Jul 2016 13:49:02 -0400 Subject: [keycloak-user] OAuth Access Token Response in XML In-Reply-To: References:

Message-ID: Appreciate the response.I wanted a confirmation before telling them. Thank you ! > On Jul 4, 2016, at 1:42 PM, Stian Thorgersen wrote: > > Well.. This is OpenID Connect and the response should be in JSON. You should tell your user to parse the JSON and not expect XML. > > If he really wants XML then maybe he'd be happy with using SAML instead. > > I'd recommend against doing something custom, but you can in theory do that with either the protocol SPI or the rest resource spi. > > On 4 July 2016 at 19:32, Aswini Sarathi > wrote: > I tried getting a token using the token endpoint with grant type as "password" and this is what I got in the response and the content-type was set to application/json in the header. My question is what would I need to do if I want the below response in xml. I have a user who wants to parse a XML response instead and get the access token. Please let me know if I am not doing anything correctly. > > { > "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjZWVjZmNiZS1lODJmLTQ2MWQtODljMi05MGY0NGZiNTcwNTIiLCJleHAiOjE0Njc2NTM1MDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJWZW5kb3JBUEkiLCJzZXNzaW9uX3N0YXRlIjoiOWNhOTYxYzktMWI4OC00NzhlLWI0OTEtNTE1YWZiMDYwZTY1IiwiY2xpZW50X3Nlc3Npb24iOiI1MDgxNGZjMi02NWIwLTQ4YmYtYWY3OS04ZDZmODlhMWFkODciLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidmVuZG9yIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJ2ZW5kb3JJZCI6MTg5NTUsInByZWZlcnJlZF91c2VybmFtZSI6InRyYWRlYWx6In0.faGKCcK79sLrYRxCdXHo7iaROKDXJjXsUh83PdnbV2DVWJ5HlaA735zhCoM2XJ3Fn4HIg68zjQy4Q__eC8_UcXDi_qcVz3qcHLhKRHX3xZXMWwaSGrIgmcU--0ntH4Ot4qDayolzk4xOdXahMdRQW4u0Cwiwsfi715TipP0IgOK4B4VcsdbBFF5UlQFwUDTkaKiI8kST-XK6elZcbUGjheVo5qU5-_uVZX9c2DBTyPJ2BRn6UEGfpXigqXEoQS6MXWj4aLiI4vIo8cTQ0dfTbontQMsv17wUif-IikHwoYWkI9TFCBo0Knh3l7D2Z6rEZc8UvmQNeGqRaMVvWN0_TA", > "expires_in": 300, > "refresh_expires_in": 1800, > "refresh_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjNzZlMjcxZS1hNjYxLTQwMjEtOGNiOC0yOWM2MjRmMTE4ZDIiLCJleHAiOjE0Njc2NTUwMDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiVmVuZG9yQVBJIiwic2Vzc2lvbl9zdGF0ZSI6IjljYTk2MWM5LTFiODgtNDc4ZS1iNDkxLTUxNWFmYjA2MGU2NSIsImNsaWVudF9zZXNzaW9uIjoiNTA4MTRmYzItNjViMC00OGJmLWFmNzktOGQ2Zjg5YTFhZDg3IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInZlbmRvciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19fQ.AcgsUMKH6Yczq6RxAxiwgViXRoiS2KuqFYdWOAYDmwL7_esy4E3guX9XR-8tBULiEspCNxCbgJca7t3_4jMxeIdhBq4DDqdecCe0XuU6HRugFD8nGDxHGMmotWarZn3mjj1jZmLCwYptoWgNVAJa6bILQafYFTHjb1Xzy_5j6lzk0waT9NMe0LFtVLFnW5xMqWs2gUMLUuY7XLlmNjarl_-LHsE3yiwWw1WR528JN3ld87tlQhGDv8FNfyK6jQ6VJwJbXgPuzfnVfoCVZOMx7K2fhSOTc8m8FgkCtVtX9noWqQt4DzI5N0LkycB9oIndLwZTQDklmuhaRCPkYOvU5g", > "token_type": "bearer", > "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0NDMwYmVhMi0xN2FiLTQ3OTUtODNiMC0wYTVkYTc0YzdlNjIiLCJleHAiOjE0Njc2NTM1MDgsIm5iZiI6MCwiaWF0IjoxNDY3NjUzMjA4LCJpc3MiOiJodHRwOi8vdml6MDIubmV0MzIubmV0OjgwODAvYXV0aC9yZWFsbXMvTmV0MzIiLCJhdWQiOiJWZW5kb3JBUEkiLCJzdWIiOiIxYjhhZWJkNC1iNDU0LTQzYTYtODRlOS05MmQxMjc1NGFmNDUiLCJ0eXAiOiJJRCIsImF6cCI6IlZlbmRvckFQSSIsInNlc3Npb25fc3RhdGUiOiI5Y2E5NjFjOS0xYjg4LTQ3OGUtYjQ5MS01MTVhZmIwNjBlNjUiLCJuYW1lIjoiIiwidmVuZG9ySWQiOjE4OTU1LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0cmFkZWFseiJ9.hhCaW_naA6Agx4rYoP3YP_wYqwXG7oq6DIHFup6JRPG2YckZ0ups46tYRwXG-6DPrRRfCdD36YiGA3sggJZllMlBL-SI4XZ5amayi4J_Ktz_1IleOsQRG49DFflIyk9W4ZWMDSqut2ZYTE0Bfm_yc5XZUNKEY7quPQLGg2JdF2kT7Ka80aHQOIQPvC-Q0IkL7-uyT2Swq2sU8RO4OGMJziKY71UWPpn-ht1p5dOL1lKlZoULS-VCPeCupGoOuR9Y9t88N7vbjFDv3dw3zw67BCA9BwwtsGKCJkhopvaJWS4tiRqFsoSF-_O2IzkuoEjAW3LalMe3vusQjzuFOSdOMQ", > "not-before-policy": 0, > "session_state": "9ca961c9-1b88-478e-b491-515afb060e65" > } > > On Mon, Jul 4, 2016 at 1:11 PM, Stian Thorgersen > wrote: > Adding list back - please use reply all > > I'm not following. The response payload is the token, so not sure what it is that you want in XML. > > On 4 July 2016 at 15:41, > wrote: > Sorry if I wasn't clear earlier. I don't want the token itself to be in xml. I just want the response payload from the token endpoint to be xml or Json based on the accept header. > > > On Jul 4, 2016, at 3:04 AM, Stian Thorgersen > wrote: > >> We only support JWT with OpenID Connect. Can you elaborate on why you want an XML token? >> >> You could add a custom REST endpoint or a custom protocol to do this, but not sure I'd recommend doing it as there's a fair bit of logic that goes into the token endpoint. >> >> On 1 July 2016 at 18:39, Aswini Sarathi > wrote: >> Hi, >> >> I am trying to find out if there is a way to get response from token endpoint /realms/{realm-name}/protocol/openid-connect/token in xml or json format based on the Accept header. If its not supported out of the box, what other options are available to do this? Should I look at creating a custom endpoint by implementing the SPI to do the mapping? >> >> Thanks!! >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160704/825ebd13/attachment.html From bruno at abstractj.org Mon Jul 4 16:41:17 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 4 Jul 2016 17:41:17 -0300 Subject: [keycloak-user] MDC log messages not showing up In-Reply-To: <8B014D08-BE11-4942-8E9B-F710BBEEC2D3@smartling.com> References: <8B014D08-BE11-4942-8E9B-F710BBEEC2D3@smartling.com> Message-ID: <20160704204117.GA2556@abstractj.org> Have you tried org.jboss.logmanager.MDC instead of org.jboss.logging.MDC? It seems like that's your issue: https://issues.jboss.org/browse/JBLOGGING-54 Anyways I would definitely try to ask at WildFly user's forum[1] [1] - http://wildfly.org/gethelp/ On 2016-06-24, Scott Rossillo wrote: > > I?m trying to use a use the Mapped Diagnostic Context (MDC) on org.jboss.logging.MDC to register a custom header for logging. I?m populating the MDC from an Undertow HttpHandler. This part is working, however, the value set in the MDC is never logged. I?m using %X{MDC_KEY} in standalone.xml. > > Does anyone know why MDC values aren?t logged? > > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From bvs78 at rediffmail.com Tue Jul 5 00:43:31 2016 From: bvs78 at rediffmail.com (Subrahmanyam BV) Date: 5 Jul 2016 04:43:31 -0000 Subject: [keycloak-user] =?utf-8?q?Keycloak-Headerbased_authentication?= Message-ID: <20160705044331.16543.qmail@f4mail-235-189.rediffmail.com> HI, Just wanted to know whether keycloak supports header-based authentication as supported by siteminder. Please let me know on this. Regards,Subrahmanyam. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/8a5f4866/attachment.html From thomas.darimont at googlemail.com Tue Jul 5 02:24:42 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 5 Jul 2016 08:24:42 +0200 Subject: [keycloak-user] Keycloak-Headerbased authentication In-Reply-To: <20160705044331.16543.qmail@f4mail-235-189.rediffmail.com> References: <20160705044331.16543.qmail@f4mail-235-189.rediffmail.com> Message-ID: Hello, I'm not familiar with siteminder and quickly googled https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product Based on that I think that mod_auth_oidc might do what you want. https://github.com/keycloak/securing_apps_guide/blob/master/topics/oidc/mod-auth-openidc.adoc https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example/blob/master/README.md Cheers, Thomas Am 05.07.2016 6:44 vorm. schrieb "Subrahmanyam BV" : > HI, > Just wanted to know whether keycloak supports header-based > authentication as supported by siteminder. Please let me know on this. > > Regards, > Subrahmanyam. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/9110c5a4/attachment-0001.html From sthorger at redhat.com Tue Jul 5 02:29:25 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Jul 2016 08:29:25 +0200 Subject: [keycloak-user] Keycloak-Headerbased authentication In-Reply-To: References: <20160705044331.16543.qmail@f4mail-235-189.rediffmail.com> Message-ID: You can also use Keycloak Proxy or mod_auth_mellon. On 5 July 2016 at 08:24, Thomas Darimont wrote: > Hello, > > I'm not familiar with siteminder and quickly googled > https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product > > Based on that I think that mod_auth_oidc might do what you want. > > > https://github.com/keycloak/securing_apps_guide/blob/master/topics/oidc/mod-auth-openidc.adoc > > > https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example/blob/master/README.md > > Cheers, > Thomas > Am 05.07.2016 6:44 vorm. schrieb "Subrahmanyam BV" : > >> HI, >> Just wanted to know whether keycloak supports header-based >> authentication as supported by siteminder. Please let me know on this. >> >> Regards, >> Subrahmanyam. >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/950e539a/attachment.html From sthorger at redhat.com Tue Jul 5 02:33:30 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Jul 2016 08:33:30 +0200 Subject: [keycloak-user] User impersonation - JWT In-Reply-To: References: Message-ID: The impersonation feature we have logs the admin in as the impersonated user rather than generate tokens. We decided on this approach as it would be transparent to applications and they wouldn't need to build-in special impersonation. What you want is not possible at the moment, but you can create a JIRA feature request for it. It would have to be a community contribution if you want it added in a timely manner. On 4 July 2016 at 18:52, Harry Trinta wrote: > Dears, > > > > I need a help with user impersonation on keycloak. > > > > I am authenticating users through the > "/realms/test/protocol/openid-connect/token". As expected, it returns a > token JWT. > > In my app, all requests go through apiman, which validates the JWT. > > > > Now, I need to personification of user. I'm calling the service > "/admin/realms/test/users/USER_ID/impersonation", sending the token in the > header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...). > > The service /impersonation creates the user session on keycloak, however > doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of > personified user instead of cookie.* It's possible? > > > > Best regards > > Harry Costa > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/fe680164/attachment.html From sthorger at redhat.com Tue Jul 5 02:41:25 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Jul 2016 08:41:25 +0200 Subject: [keycloak-user] Lost session when removing an instance off cluster In-Reply-To: References: Message-ID: The sessions cache is a distributed-cache, but by default it only has 1 owner of each segment. This means that sessions are not replicated to multiple nodes. So it's expected that you loose sessions when a node is removed. If you want sessions to survive the removal of a node you should increase the number of owners for the cache. For example: We've not actually tried with enabling transactions on the sessions, but I would say performance is more important. Worst case scenario is that a session is lost and a user has to re-authenticate. BTW the config you have for offlineSessions and loginFailures are wrong they both need to be distributed caches as well in clustered mode:

On 4 July 2016 at 15:45, Sarp Kaya wrote: > Just to add on this. > > I think I misunderstood something or Keycloak does not really implement > the infinispan caching lifetime correctly. > > So first thing I did is to TRACE the infinispan logs. So I added this > logger in standalone.xml: > > > > > > > The next thing I did is to do the timing. Basically my test is that what > happens when I log in. I also enabled events and printing the events as > well. > > What I found is: > > > 1. Login event is triggered at 13:18:35,193 in Keycloak. > 2. The browser got the full response at 13:18:35,273 > 3. Now the surprising part is the fact that there are whole a lot of > infinispan logging out occurring for ?sessions? cache after the browser got > the response. The last log message occurring is like this: > > 2016-07-04 13:18:35,345 TRACE [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-4) Response(s) to TxCompletionNotificationCommand{ xid=null, internalId=0, topologyId=19, gtx=GlobalTransaction::239:local, cacheName=sessions} is {} > > > To see the all the logs after event trigger please check here: > > > http://pastebin.com/p4K2Ghff > > So my understanding was that I marked sessions as SYNC, which meant to me > that it is supposed to do all of the synchronization before it sends the > response back to the browser. If it does the other way around then it > should be ASYNC mode. Could you please clarify the intended/expected > behavior? > > Kind Regards, > Sarp Kaya > > > From: Abdullah Sarp Kaya > Date: Monday, July 4, 2016 at 9:59 PM > To: "stian at redhat.com" > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off > cluster > > Hello, > > Below is exactly how Infinispan is configured: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This is the complete exception: > > 03:49:40,241 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-12) ISPN000136: Error executing command PutKeyValueCommand, writing > keys [ba74e523-3299-42b3-801e-9f8cb5a0d81d]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > 03:49:40,250 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-12) RESTEASY002025: Unknown exception while executing GET > /realms/partner-dmz/protocol/openid-connect/auth: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > 03:49:40,257 ERROR [io.undertow.request] (default task-12) UT005023: > Exception handling request to > /auth/realms/partner-dmz/protocol/openid-connect/auth: > org.jboss.resteasy.spi.UnhandledException: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.infinispan.util.concurrent.TimeoutException: Replication > timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > ... 3 more > > 03:49:41,251 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] (default task-3) > ISPN000136: Error executing command PrepareCommand, writing keys > [02cff8bb-0ab9-4ab9-905f-17ffb3226050]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > 03:49:41,258 ERROR > [org.infinispan.transaction.impl.TransactionCoordinator] (default task-3) > ISPN000097: Error while processing a prepare in a single-phase transaction: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > 03:49:45,504 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel > server: [kc1|4] (1) [kc1] > 03:49:45,507 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel > keycloak: [kc1|4] (1) [kc1] > 03:49:45,534 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel web: > [kc1|4] (1) [kc1] > 03:49:45,538 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel ejb: > [kc1|4] (1) [kc1] > 03:49:45,548 WARN [com.arjuna.ats.jta] (default task-3) ARJUNA016039: > onePhaseCommit on < formatId=131077, gtrid_length=29, bqual_length=36, > tx_uid=0:ffffac110003:-7fcaa87f:5779dc60:f01, node_name=1, > branch_uid=0:ffffac110003:-7fcaa87f:5779dc60:f02, subordinatenodename=null, > eis_name=unknown eis name > > (TransactionXaAdapter{localTransaction=LocalXaTransaction{xid=< > formatId=131077, gtrid_length=29, bqual_length=36, > tx_uid=0:ffffac110003:-7fcaa87f:5779dc60:f01, node_name=1, > branch_uid=0:ffffac110003:-7fcaa87f:5779dc60:f02, subordinatenodename=null, > eis_name=unknown eis name >} LocalTransaction{remoteLockedNodes=null, > isMarkedForRollback=false, lockedKeys=null, backupKeyLocks=null, > topologyId=6, stateTransferFlag=null} > org.infinispan.transaction.xa.LocalXaTransaction at 3ef}) failed with > exception XAException.XA_HEURRB: javax.transaction.xa.XAException > at > org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) > at > org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) > at > org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) > at > com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) > at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) > at > com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) > at > org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) > at > org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) > at > org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) > at > org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) > at > org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) > at > org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) > at > org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) > at > org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.infinispan.util.concurrent.TimeoutException: Replication > timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > ... 3 more > > 03:49:45,563 WARN [org.infinispan.cache.impl.CacheImpl] (default task-3) > ISPN000160: Could not complete injected transaction.: > javax.transaction.RollbackException: ARJUNA016053: Could not commit > transaction. > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) > at > com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) > at > org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) > at > org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) > at > org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) > at > org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) > at > org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) > at > org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) > at > org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) > at > org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Suppressed: javax.transaction.xa.XAException > at > org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) > at > org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) > at > org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) > at > com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) > at > com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) > ... 54 more > Caused by: org.infinispan.util.concurrent.TimeoutException: > Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > ... 3 more > > 03:49:45,575 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel > hibernate: [kc1|4] (1) [kc1] > 03:49:45,575 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-3) RESTEASY002025: Unknown exception while executing GET > /realms/partner-dmz/protocol/openid-connect/auth: > org.infinispan.commons.CacheException: Could not commit implicit transaction > at > org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1725) > at > org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) > at > org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) > at > org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) > at > org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) > at > org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) > at > org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) > at > org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not > commit transaction. > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) > at > com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) > at > org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) > ... 51 more > Suppressed: javax.transaction.xa.XAException > at > org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) > at > org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) > at > org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) > at > com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) > at > com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) > ... 54 more > Caused by: org.infinispan.util.concurrent.TimeoutException: > Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > ... 3 more > > 03:49:45,596 ERROR [io.undertow.request] (default task-3) UT005023: > Exception handling request to > /auth/realms/partner-dmz/protocol/openid-connect/auth: > org.jboss.resteasy.spi.UnhandledException: > org.infinispan.commons.CacheException: Could not commit implicit transaction > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.infinispan.commons.CacheException: Could not commit > implicit transaction > at > org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1725) > at > org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) > at > org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) > at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) > at > org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) > at > org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) > at > org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) > at > org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) > at > org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) > ... 38 more > Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not > commit transaction. > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) > at > com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) > at > org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) > ... 51 more > Suppressed: javax.transaction.xa.XAException > at > org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) > at > org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) > at > org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) > at > com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) > at > com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) > at > com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) > ... 54 more > Caused by: org.infinispan.util.concurrent.TimeoutException: > Replication timeout for kc2 > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > at > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) > at > org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > ... 3 more > > > > Here kc2 is the removed instance. > > Kind Regards, > Sarp Kaya > > > From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Friday, July 1, 2016 at 7:17 PM > To: Abdullah Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off > cluster > > Can you please include more details from the log if there is any, at least > a full stack trace and not just the bit you've included. We also need to > know details around how you've configured the caches and Infinispan. > > On 1 July 2016 at 10:16, Sarp Kaya wrote: > >> Hello, >> >> I have tried various ways of configuring infinispan but it just seems >> like if I deploy a new instance to the cluster and remove one, then some >> sessions are lost and an exception is thrown saying that it was not >> handled. This is the Infinispan exception: >> >> Exceptionhandlingrequestto/auth/realms/realmname/protocol/openid-connect/ >> auth:org.jboss.resteasy.spi.UnhandledException:org.infinispan.util. >> concurrent.TimeoutException:Replicationtimeoutfor79a0757ecab3atorg.jboss. >> resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) >> atorg.jboss.resteasy.core.SynchronousDispatcher.writeException( >> SynchronousDispatcher.java:168) atorg.jboss.resteasy.core. >> SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) atorg >> .jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher. >> java:415) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke( >> SynchronousDispatcher.java:202) atorg.jboss.resteasy.plugins.server. >> servlet.ServletContainerDispatcher.service(ServletContainerDispatcher. >> java:221) atorg.jboss.resteasy.plugins.server.servlet. >> HttpServletDispatcher.service(HttpServletDispatcher.java:56) atorg.jboss. >> resteasy.plugins.server.servlet.HttpServletDispatcher.service( >> HttpServletDispatcher.java:51) atjavax.servlet.http.HttpServlet.service( >> HttpServlet.java:790) atio.undertow.servlet.handlers.ServletHandler. >> handleRequest(ServletHandler.java:85) atio.undertow.servlet.handlers. >> FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) atorg. >> keycloak.services.filters.KeycloakSessionServletFilter.doFilter( >> KeycloakSessionServletFilter.java:88) atio.undertow.servlet.core. >> ManagedFilter.doFilter(ManagedFilter.java:60) atio.undertow.servlet. >> handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> atio.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler. >> java:84) atio.undertow.servlet.handlers.security. >> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java: >> 62) atio.undertow.servlet.handlers.ServletDispatchingHandler. >> handleRequest(ServletDispatchingHandler.java:36) atorg.wildfly.extension. >> undertow.security.SecurityContextAssociationHandler.handleRequest( >> SecurityContextAssociationHandler.java:78) atio.undertow.server.handlers. >> PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow. >> servlet.handlers.security.SSLInformationAssociationHandler.handleRequest( >> SSLInformationAssociationHandler.java:131) atio.undertow.servlet.handlers >> .security.ServletAuthenticationCallHandler.handleRequest( >> ServletAuthenticationCallHandler.java:57) atio.undertow.server.handlers. >> PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow. >> security.handlers.AbstractConfidentialityHandler.handleRequest( >> AbstractConfidentialityHandler.java:46) atio.undertow.servlet.handlers. >> security.ServletConfidentialityConstraintHandler.handleRequest( >> ServletConfidentialityConstraintHandler.java:64) atio.undertow.security. >> handlers.AuthenticationMechanismsHandler.handleRequest( >> AuthenticationMechanismsHandler.java:60) atio.undertow.servlet.handlers. >> security.CachedAuthenticatedSessionHandler.handleRequest( >> CachedAuthenticatedSessionHandler.java:77) atio.undertow.security. >> handlers.NotificationReceiverHandler.handleRequest( >> NotificationReceiverHandler.java:50) atio.undertow.security.handlers. >> AbstractSecurityContextAssociationHandler.handleRequest( >> AbstractSecurityContextAssociationHandler.java:43) atio.undertow.server. >> handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg. >> wildfly.extension.undertow.security.jacc.JACCContextIdHandler. >> handleRequest(JACCContextIdHandler.java:61) atio.undertow.server.handlers >> .PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow. >> server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> atio.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( >> ServletInitialHandler.java:284) atio.undertow.servlet.handlers. >> ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000( >> ServletInitialHandler.java:81) atio.undertow.servlet.handlers. >> ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> atjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. >> java:1142) atjava.util.concurrent.ThreadPoolExecutor$Worker.run( >> ThreadPoolExecutor.java:617) atjava.lang.Thread.run(Thread.java:745) >> Causedby:org.infinispan.util.concurrent.TimeoutException:Replication >> timeoutfor79a0757ecab3atorg.infinispan.remoting.transport.jgroups. >> JGroupsTransport.checkRsp(JGroupsTransport.java:765) atorg.infinispan. >> remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72 >> (JGroupsTransport.java:599) atjava.util.concurrent.CompletableFuture. >> uniApply(CompletableFuture.java:602) atjava.util.concurrent. >> CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) atjava. >> util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> atjava.util.concurrent.CompletableFuture.complete(CompletableFuture.java: >> 1962) atorg.infinispan.remoting.transport.jgroups.SingleResponseFuture. >> call(SingleResponseFuture.java:46) atorg.infinispan.remoting.transport. >> jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) atjava. >> util.concurrent.FutureTask.run(FutureTask.java:266) atjava.util. >> concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201( >> ScheduledThreadPoolExecutor.java:180) >> >> This causes browsers to see Internal Server Error. Shouldn?t that be >> handled in Keycloak as lost session, therefore KC should try to handle it >> rather than showing that it?s an Internal Server Error? >> >> My current infinispan configuration looks like this: >> >> >> >> >> >> >> I use Keycloak version 1.9.5. My question is am I doing something wrong >> with my configuration? I tried both replicated-cache and distributed-cache >> and tried all transaction mode on both of them. None of them seems to solve >> the error that I?ve had above. >> >> Kind Regards, >> Sarp Kaya >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/629b6321/attachment-0001.html From akaya at expedia.com Tue Jul 5 02:50:57 2016 From: akaya at expedia.com (Sarp Kaya) Date: Tue, 5 Jul 2016 06:50:57 +0000 Subject: [keycloak-user] Lost session when removing an instance off cluster In-Reply-To: References: Message-ID: Hi Stian, You are right, it needs to have owner. By default the configuration had owners but as I experimented I forgot to add it. However adding owners does not fix the problem. Initially I also experimented this with offlineSessions and loginFailures being distributed-cache so logins were already failing with that (same issue, Internal Server Error being presented). Anyway, if worse case user needs to re-authenticate, then Internal Server Error problem should be fixed right? (it?s the below exception I have pasted) Because whenever there is org.jboss.resteasy.spi.UnhandledException then browsers will see 500, instead of logging in again (there could be something added as such as handling this exception and asking user to log in again). Kind Regards, Sarp Kaya From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Tuesday, July 5, 2016 at 4:41 PM To: Abdullah Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off cluster The sessions cache is a distributed-cache, but by default it only has 1 owner of each segment. This means that sessions are not replicated to multiple nodes. So it's expected that you loose sessions when a node is removed. If you want sessions to survive the removal of a node you should increase the number of owners for the cache. For example: We've not actually tried with enabling transactions on the sessions, but I would say performance is more important. Worst case scenario is that a session is lost and a user has to re-authenticate. BTW the config you have for offlineSessions and loginFailures are wrong they both need to be distributed caches as well in clustered mode:

On 4 July 2016 at 15:45, Sarp Kaya > wrote: Just to add on this. I think I misunderstood something or Keycloak does not really implement the infinispan caching lifetime correctly. So first thing I did is to TRACE the infinispan logs. So I added this logger in standalone.xml: The next thing I did is to do the timing. Basically my test is that what happens when I log in. I also enabled events and printing the events as well. What I found is: 1. Login event is triggered at 13:18:35,193 in Keycloak. 2. The browser got the full response at 13:18:35,273 3. Now the surprising part is the fact that there are whole a lot of infinispan logging out occurring for ?sessions? cache after the browser got the response. The last log message occurring is like this: 2016-07-04 13:18:35,345 TRACE [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-4) Response(s) to TxCompletionNotificationCommand{ xid=null, internalId=0, topologyId=19, gtx=GlobalTransaction::239:local, cacheName=sessions} is {} To see the all the logs after event trigger please check here: http://pastebin.com/p4K2Ghff So my understanding was that I marked sessions as SYNC, which meant to me that it is supposed to do all of the synchronization before it sends the response back to the browser. If it does the other way around then it should be ASYNC mode. Could you please clarify the intended/expected behavior? Kind Regards, Sarp Kaya From: Abdullah Sarp Kaya > Date: Monday, July 4, 2016 at 9:59 PM To: "stian at redhat.com" > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off cluster Hello, Below is exactly how Infinispan is configured:

This is the complete exception: 03:49:40,241 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-12) ISPN000136: Error executing command PutKeyValueCommand, writing keys [ba74e523-3299-42b3-801e-9f8cb5a0d81d]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 03:49:40,250 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002025: Unknown exception while executing GET /realms/partner-dmz/protocol/openid-connect/auth: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 03:49:40,257 ERROR [io.undertow.request] (default task-12) UT005023: Exception handling request to /auth/realms/partner-dmz/protocol/openid-connect/auth: org.jboss.resteasy.spi.UnhandledException: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ... 3 more 03:49:41,251 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-3) ISPN000136: Error executing command PrepareCommand, writing keys [02cff8bb-0ab9-4ab9-905f-17ffb3226050]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 03:49:41,258 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-3) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 03:49:45,504 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel server: [kc1|4] (1) [kc1] 03:49:45,507 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel keycloak: [kc1|4] (1) [kc1] 03:49:45,534 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel web: [kc1|4] (1) [kc1] 03:49:45,538 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel ejb: [kc1|4] (1) [kc1] 03:49:45,548 WARN [com.arjuna.ats.jta] (default task-3) ARJUNA016039: onePhaseCommit on < formatId=131077, gtrid_length=29, bqual_length=36, tx_uid=0:ffffac110003:-7fcaa87f:5779dc60:f01, node_name=1, branch_uid=0:ffffac110003:-7fcaa87f:5779dc60:f02, subordinatenodename=null, eis_name=unknown eis name > (TransactionXaAdapter{localTransaction=LocalXaTransaction{xid=< formatId=131077, gtrid_length=29, bqual_length=36, tx_uid=0:ffffac110003:-7fcaa87f:5779dc60:f01, node_name=1, branch_uid=0:ffffac110003:-7fcaa87f:5779dc60:f02, subordinatenodename=null, eis_name=unknown eis name >} LocalTransaction{remoteLockedNodes=null, isMarkedForRollback=false, lockedKeys=null, backupKeyLocks=null, topologyId=6, stateTransferFlag=null} org.infinispan.transaction.xa.LocalXaTransaction at 3ef}) failed with exception XAException.XA_HEURRB: javax.transaction.xa.XAException at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) at org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) at org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) at org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ... 3 more 03:49:45,563 WARN [org.infinispan.cache.impl.CacheImpl] (default task-3) ISPN000160: Could not complete injected transaction.: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction. at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) at org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) at org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) at org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Suppressed: javax.transaction.xa.XAException at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) ... 54 more Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ... 3 more 03:49:45,575 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel hibernate: [kc1|4] (1) [kc1] 03:49:45,575 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-3) RESTEASY002025: Unknown exception while executing GET /realms/partner-dmz/protocol/openid-connect/auth: org.infinispan.commons.CacheException: Could not commit implicit transaction at org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1725) at org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) at org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) at org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction. at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) ... 51 more Suppressed: javax.transaction.xa.XAException at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) ... 54 more Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ... 3 more 03:49:45,596 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /auth/realms/partner-dmz/protocol/openid-connect/auth: org.jboss.resteasy.spi.UnhandledException: org.infinispan.commons.CacheException: Could not commit implicit transaction at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.infinispan.commons.CacheException: Could not commit implicit transaction at org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1725) at org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) at org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) at org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) ... 38 more Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction. at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) ... 51 more Suppressed: javax.transaction.xa.XAException at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) ... 54 more Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) at org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) ... 3 more Here kc2 is the removed instance. Kind Regards, Sarp Kaya From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Friday, July 1, 2016 at 7:17 PM To: Abdullah Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off cluster Can you please include more details from the log if there is any, at least a full stack trace and not just the bit you've included. We also need to know details around how you've configured the caches and Infinispan. On 1 July 2016 at 10:16, Sarp Kaya > wrote: Hello, I have tried various ways of configuring infinispan but it just seems like if I deploy a new instance to the cluster and remove one, then some sessions are lost and an exception is thrown saying that it was not handled. This is the Infinispan exception: Exceptionhandlingrequestto/auth/realms/realmname/protocol/openid-connect/auth:org.jboss.resteasy.spi.UnhandledException:org.infinispan.util.concurrent.TimeoutException:Replicationtimeoutfor79a0757ecab3atorg.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) atorg.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) atorg.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) atorg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) atjavax.servlet.http.HttpServlet.service(HttpServlet.java:790) atio.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) atorg.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) atio.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) atio.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) atio.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) atio.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) atorg.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) atio.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) atio.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) atio.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) atio.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) atio.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) atio.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) atio.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) atio.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) atio.undertow.server.Connectors.executeRootHandler(Connectors.java:202) atio.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) atjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) atjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) atjava.lang.Thread.run(Thread.java:745) Causedby:org.infinispan.util.concurrent.TimeoutException:Replicationtimeoutfor79a0757ecab3atorg.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) atorg.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599) atjava.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) atjava.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) atjava.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) atjava.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) atorg.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) atorg.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) atjava.util.concurrent.FutureTask.run(FutureTask.java:266) atjava.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) This causes browsers to see Internal Server Error. Shouldn?t that be handled in Keycloak as lost session, therefore KC should try to handle it rather than showing that it?s an Internal Server Error? My current infinispan configuration looks like this: I use Keycloak version 1.9.5. My question is am I doing something wrong with my configuration? I tried both replicated-cache and distributed-cache and tried all transaction mode on both of them. None of them seems to solve the error that I?ve had above. Kind Regards, Sarp Kaya _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/7ff56054/attachment-0001.html From sthorger at redhat.com Tue Jul 5 02:58:52 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Jul 2016 08:58:52 +0200 Subject: [keycloak-user] Lost session when removing an instance off cluster In-Reply-To: References: Message-ID: There probably will be some errors from Infinispan when you remove a node at least if there's ongoing replication/messages being sent to the cluster. Can you try with the latest Keycloak and with the default clustering config and only increasing owners? We have tested session failover ourselves and it was working fine. So could be down to the way you've configured it or could be an issue due to your network setup. On 5 July 2016 at 08:50, Sarp Kaya wrote: > Hi Stian, > > You are right, it needs to have owner. By default the configuration had > owners but as I experimented I forgot to add it. However adding owners does > not fix the problem. > > Initially I also experimented this with offlineSessions and loginFailures > being distributed-cache so logins were already failing with that (same > issue, Internal Server Error being presented). > > Anyway, if worse case user needs to re-authenticate, then Internal Server > Error problem should be fixed right? (it?s the below exception I have > pasted) Because whenever there is org.jboss.resteasy.spi.UnhandledException > then browsers will see 500, instead of logging in again (there could be > something added as such as handling this exception and asking user to log > in again). > > Kind Regards, > Sarp Kaya > > From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Tuesday, July 5, 2016 at 4:41 PM > To: Abdullah Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off > cluster > > The sessions cache is a distributed-cache, but by default it only has 1 > owner of each segment. This means that sessions are not replicated to > multiple nodes. So it's expected that you loose sessions when a node is > removed. If you want sessions to survive the removal of a node you should > increase the number of owners for the cache. For example: > > > > We've not actually tried with enabling transactions on the sessions, but I > would say performance is more important. Worst case scenario is that a > session is lost and a user has to re-authenticate. > > BTW the config you have for offlineSessions and loginFailures are wrong > they both need to be distributed caches as well in clustered mode: > > > > > > On 4 July 2016 at 15:45, Sarp Kaya wrote: > >> Just to add on this. >> >> I think I misunderstood something or Keycloak does not really implement >> the infinispan caching lifetime correctly. >> >> So first thing I did is to TRACE the infinispan logs. So I added this >> logger in standalone.xml: >> >> >> >> >> >> >> The next thing I did is to do the timing. Basically my test is that what >> happens when I log in. I also enabled events and printing the events as >> well. >> >> What I found is: >> >> >> 1. Login event is triggered at 13:18:35,193 in Keycloak. >> 2. The browser got the full response at 13:18:35,273 >> 3. Now the surprising part is the fact that there are whole a lot of >> infinispan logging out occurring for ?sessions? cache after the browser got >> the response. The last log message occurring is like this: >> >> 2016-07-04 13:18:35,345 TRACE [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-4) Response(s) to TxCompletionNotificationCommand{ xid=null, internalId=0, topologyId=19, gtx=GlobalTransaction::239:local, cacheName=sessions} is {} >> >> >> To see the all the logs after event trigger please check here: >> >> >> http://pastebin.com/p4K2Ghff >> >> So my understanding was that I marked sessions as SYNC, which meant to me >> that it is supposed to do all of the synchronization before it sends the >> response back to the browser. If it does the other way around then it >> should be ASYNC mode. Could you please clarify the intended/expected >> behavior? >> >> Kind Regards, >> Sarp Kaya >> >> >> From: Abdullah Sarp Kaya >> Date: Monday, July 4, 2016 at 9:59 PM >> To: "stian at redhat.com" >> Cc: "keycloak-user at lists.jboss.org" >> Subject: Re: [keycloak-user] Lost session when removing an instance off >> cluster >> >> Hello, >> >> Below is exactly how Infinispan is configured: >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> This is the complete exception: >> >> 03:49:40,241 ERROR >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-12) ISPN000136: Error executing command PutKeyValueCommand, writing >> keys [ba74e523-3299-42b3-801e-9f8cb5a0d81d]: >> org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> >> 03:49:40,250 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default >> task-12) RESTEASY002025: Unknown exception while executing GET >> /realms/partner-dmz/protocol/openid-connect/auth: >> org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> >> 03:49:40,257 ERROR [io.undertow.request] (default task-12) UT005023: >> Exception handling request to >> /auth/realms/partner-dmz/protocol/openid-connect/auth: >> org.jboss.resteasy.spi.UnhandledException: >> org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 >> at >> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: org.infinispan.util.concurrent.TimeoutException: Replication >> timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> ... 3 more >> >> 03:49:41,251 ERROR >> [org.infinispan.interceptors.InvocationContextInterceptor] (default task-3) >> ISPN000136: Error executing command PrepareCommand, writing keys >> [02cff8bb-0ab9-4ab9-905f-17ffb3226050]: >> org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> >> 03:49:41,258 ERROR >> [org.infinispan.transaction.impl.TransactionCoordinator] (default task-3) >> ISPN000097: Error while processing a prepare in a single-phase transaction: >> org.infinispan.util.concurrent.TimeoutException: Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> >> 03:49:45,504 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel >> server: [kc1|4] (1) [kc1] >> 03:49:45,507 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel >> keycloak: [kc1|4] (1) [kc1] >> 03:49:45,534 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel web: >> [kc1|4] (1) [kc1] >> 03:49:45,538 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel ejb: >> [kc1|4] (1) [kc1] >> 03:49:45,548 WARN [com.arjuna.ats.jta] (default task-3) ARJUNA016039: >> onePhaseCommit on < formatId=131077, gtrid_length=29, bqual_length=36, >> tx_uid=0:ffffac110003:-7fcaa87f:5779dc60:f01, node_name=1, >> branch_uid=0:ffffac110003:-7fcaa87f:5779dc60:f02, subordinatenodename=null, >> eis_name=unknown eis name > >> (TransactionXaAdapter{localTransaction=LocalXaTransaction{xid=< >> formatId=131077, gtrid_length=29, bqual_length=36, >> tx_uid=0:ffffac110003:-7fcaa87f:5779dc60:f01, node_name=1, >> branch_uid=0:ffffac110003:-7fcaa87f:5779dc60:f02, subordinatenodename=null, >> eis_name=unknown eis name >} LocalTransaction{remoteLockedNodes=null, >> isMarkedForRollback=false, lockedKeys=null, backupKeyLocks=null, >> topologyId=6, stateTransferFlag=null} >> org.infinispan.transaction.xa.LocalXaTransaction at 3ef}) failed with >> exception XAException.XA_HEURRB: javax.transaction.xa.XAException >> at >> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >> at >> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >> at >> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) >> at >> com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) >> at >> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) >> at >> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >> at >> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >> at >> org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) >> at >> org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) >> at >> org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) >> at >> org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) >> at >> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) >> at >> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >> at >> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) >> at >> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: org.infinispan.util.concurrent.TimeoutException: Replication >> timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> ... 3 more >> >> 03:49:45,563 WARN [org.infinispan.cache.impl.CacheImpl] (default task-3) >> ISPN000160: Could not complete injected transaction.: >> javax.transaction.RollbackException: ARJUNA016053: Could not commit >> transaction. >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >> at >> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >> at >> org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) >> at >> org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) >> at >> org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) >> at >> org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) >> at >> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) >> at >> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >> at >> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) >> at >> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Suppressed: javax.transaction.xa.XAException >> at >> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >> at >> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >> at >> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) >> at >> com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) >> at >> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) >> at >> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) >> ... 54 more >> Caused by: org.infinispan.util.concurrent.TimeoutException: >> Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at >> java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> ... 3 more >> >> 03:49:45,575 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (Incoming-3,dev,kc1) ISPN000094: Received new cluster view for channel >> hibernate: [kc1|4] (1) [kc1] >> 03:49:45,575 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default >> task-3) RESTEASY002025: Unknown exception while executing GET >> /realms/partner-dmz/protocol/openid-connect/auth: >> org.infinispan.commons.CacheException: Could not commit implicit transaction >> at >> org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1725) >> at >> org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) >> at >> org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) >> at >> org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) >> at >> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) >> at >> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >> at >> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) >> at >> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not >> commit transaction. >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >> at >> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >> at >> org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) >> ... 51 more >> Suppressed: javax.transaction.xa.XAException >> at >> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >> at >> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >> at >> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) >> at >> com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) >> at >> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) >> at >> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) >> ... 54 more >> Caused by: org.infinispan.util.concurrent.TimeoutException: >> Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at >> java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> ... 3 more >> >> 03:49:45,596 ERROR [io.undertow.request] (default task-3) UT005023: >> Exception handling request to >> /auth/realms/partner-dmz/protocol/openid-connect/auth: >> org.jboss.resteasy.spi.UnhandledException: >> org.infinispan.commons.CacheException: Could not commit implicit transaction >> at >> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: org.infinispan.commons.CacheException: Could not commit >> implicit transaction >> at >> org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1725) >> at >> org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1679) >> at >> org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742) >> at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248) >> at >> org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction$CacheTask.execute(InfinispanUserSessionProvider.java:854) >> at >> org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider$InfinispanKeycloakTransaction.commit(InfinispanUserSessionProvider.java:750) >> at >> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:104) >> at >> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >> at >> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121) >> at >> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466) >> ... 38 more >> Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not >> commit transaction. >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1212) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >> at >> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >> at >> org.infinispan.cache.impl.CacheImpl.tryCommit(CacheImpl.java:1722) >> ... 51 more >> Suppressed: javax.transaction.xa.XAException >> at >> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >> at >> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >> at >> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:112) >> at >> com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelOnePhaseCommit(XAResourceRecord.java:704) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2366) >> at >> com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495) >> at >> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:96) >> at >> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >> at >> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1200) >> ... 54 more >> Caused by: org.infinispan.util.concurrent.TimeoutException: >> Replication timeout for kc2 >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> at >> org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) >> at >> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> at >> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> at >> java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> at >> java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:47) >> at >> org.infinispan.remoting.transport.jgroups.RspListFuture.call(RspListFuture.java:16) >> at >> java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> ... 3 more >> >> >> >> Here kc2 is the removed instance. >> >> Kind Regards, >> Sarp Kaya >> >> >> From: Stian Thorgersen >> Reply-To: "stian at redhat.com" >> Date: Friday, July 1, 2016 at 7:17 PM >> To: Abdullah Sarp Kaya >> Cc: "keycloak-user at lists.jboss.org" >> Subject: Re: [keycloak-user] Lost session when removing an instance off >> cluster >> >> Can you please include more details from the log if there is any, at >> least a full stack trace and not just the bit you've included. We also need >> to know details around how you've configured the caches and Infinispan. >> >> On 1 July 2016 at 10:16, Sarp Kaya wrote: >> >>> Hello, >>> >>> I have tried various ways of configuring infinispan but it just seems >>> like if I deploy a new instance to the cluster and remove one, then some >>> sessions are lost and an exception is thrown saying that it was not >>> handled. This is the Infinispan exception: >>> >>> Exceptionhandlingrequestto/auth/realms/realmname/protocol/openid-connect >>> /auth:org.jboss.resteasy.spi.UnhandledException:org.infinispan.util. >>> concurrent.TimeoutException:Replicationtimeoutfor79a0757ecab3atorg.jboss >>> .resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java: >>> 247) atorg.jboss.resteasy.core.SynchronousDispatcher.writeException( >>> SynchronousDispatcher.java:168) atorg.jboss.resteasy.core. >>> SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>> SynchronousDispatcher.java:415) atorg.jboss.resteasy.core. >>> SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) atorg.jboss >>> .resteasy.plugins.server.servlet.ServletContainerDispatcher.service( >>> ServletContainerDispatcher.java:221) atorg.jboss.resteasy.plugins.server >>> .servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( >>> HttpServletDispatcher.java:51) atjavax.servlet.http.HttpServlet.service( >>> HttpServlet.java:790) atio.undertow.servlet.handlers.ServletHandler. >>> handleRequest(ServletHandler.java:85) atio.undertow.servlet.handlers. >>> FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) atorg. >>> keycloak.services.filters.KeycloakSessionServletFilter.doFilter( >>> KeycloakSessionServletFilter.java:88) atio.undertow.servlet.core. >>> ManagedFilter.doFilter(ManagedFilter.java:60) atio.undertow.servlet. >>> handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> atio.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler >>> .java:84) atio.undertow.servlet.handlers.security. >>> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java >>> :62) atio.undertow.servlet.handlers.ServletDispatchingHandler. >>> handleRequest(ServletDispatchingHandler.java:36) atorg.wildfly.extension >>> .undertow.security.SecurityContextAssociationHandler.handleRequest( >>> SecurityContextAssociationHandler.java:78) atio.undertow.server.handlers >>> .PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow. >>> servlet.handlers.security.SSLInformationAssociationHandler.handleRequest >>> (SSLInformationAssociationHandler.java:131) atio.undertow.servlet. >>> handlers.security.ServletAuthenticationCallHandler.handleRequest( >>> ServletAuthenticationCallHandler.java:57) atio.undertow.server.handlers. >>> PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow. >>> security.handlers.AbstractConfidentialityHandler.handleRequest( >>> AbstractConfidentialityHandler.java:46) atio.undertow.servlet.handlers. >>> security.ServletConfidentialityConstraintHandler.handleRequest( >>> ServletConfidentialityConstraintHandler.java:64) atio.undertow.security. >>> handlers.AuthenticationMechanismsHandler.handleRequest( >>> AuthenticationMechanismsHandler.java:60) atio.undertow.servlet.handlers. >>> security.CachedAuthenticatedSessionHandler.handleRequest( >>> CachedAuthenticatedSessionHandler.java:77) atio.undertow.security. >>> handlers.NotificationReceiverHandler.handleRequest( >>> NotificationReceiverHandler.java:50) atio.undertow.security.handlers. >>> AbstractSecurityContextAssociationHandler.handleRequest( >>> AbstractSecurityContextAssociationHandler.java:43) atio.undertow.server. >>> handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg. >>> wildfly.extension.undertow.security.jacc.JACCContextIdHandler. >>> handleRequest(JACCContextIdHandler.java:61) atio.undertow.server. >>> handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio. >>> undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler >>> .java:43) atio.undertow.servlet.handlers.ServletInitialHandler. >>> handleFirstRequest(ServletInitialHandler.java:284) atio.undertow.servlet >>> .handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler. >>> java:263) atio.undertow.servlet.handlers.ServletInitialHandler.access$ >>> 000(ServletInitialHandler.java:81) atio.undertow.servlet.handlers. >>> ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >>> atjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. >>> java:1142) atjava.util.concurrent.ThreadPoolExecutor$Worker.run( >>> ThreadPoolExecutor.java:617) atjava.lang.Thread.run(Thread.java:745) >>> Causedby:org.infinispan.util.concurrent.TimeoutException:Replication >>> timeoutfor79a0757ecab3atorg.infinispan.remoting.transport.jgroups. >>> JGroupsTransport.checkRsp(JGroupsTransport.java:765) atorg.infinispan. >>> remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$ >>> 72(JGroupsTransport.java:599) atjava.util.concurrent.CompletableFuture. >>> uniApply(CompletableFuture.java:602) atjava.util.concurrent. >>> CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) atjava. >>> util.concurrent.CompletableFuture.postComplete(CompletableFuture.java: >>> 474) atjava.util.concurrent.CompletableFuture.complete(CompletableFuture >>> .java:1962) atorg.infinispan.remoting.transport.jgroups. >>> SingleResponseFuture.call(SingleResponseFuture.java:46) atorg.infinispan >>> .remoting.transport.jgroups.SingleResponseFuture.call( >>> SingleResponseFuture.java:17) atjava.util.concurrent.FutureTask.run( >>> FutureTask.java:266) atjava.util.concurrent.ScheduledThreadPoolExecutor$ >>> ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >>> >>> This causes browsers to see Internal Server Error. Shouldn?t that be >>> handled in Keycloak as lost session, therefore KC should try to handle it >>> rather than showing that it?s an Internal Server Error? >>> >>> My current infinispan configuration looks like this: >>> >>> >>> >>> >>> >>> >>> I use Keycloak version 1.9.5. My question is am I doing something wrong >>> with my configuration? I tried both replicated-cache and distributed-cache >>> and tried all transaction mode on both of them. None of them seems to solve >>> the error that I?ve had above. >>> >>> Kind Regards, >>> Sarp Kaya >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/dd12c2d3/attachment-0001.html From akaya at expedia.com Tue Jul 5 03:10:41 2016 From: akaya at expedia.com (Sarp Kaya) Date: Tue, 5 Jul 2016 07:10:41 +0000 Subject: [keycloak-user] Lost session when removing an instance off cluster In-Reply-To: References:

Message-ID: Hi Stian, I have tested with owners being 4 and had 4 instances, removed 1 off and still had the issue. I?ll try it with version 2.0.0 with 4 owners in sessions and the rest with 1 owners. I don?t have any network issues because it?s all tested locally. Kind Regards, Sarp Kaya From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Tuesday, July 5, 2016 at 4:58 PM To: Abdullah Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off cluster There probably will be some errors from Infinispan when you remove a node at least if there's ongoing replication/messages being sent to the cluster. Can you try with the latest Keycloak and with the default clustering config and only increasing owners? We have tested session failover ourselves and it was working fine. So could be down to the way you've configured it or could be an issue due to your network setup. On 5 July 2016 at 08:50, Sarp Kaya > wrote: Hi Stian, You are right, it needs to have owner. By default the configuration had owners but as I experimented I forgot to add it. However adding owners does not fix the problem. Initially I also experimented this with offlineSessions and loginFailures being distributed-cache so logins were already failing with that (same issue, Internal Server Error being presented). Anyway, if worse case user needs to re-authenticate, then Internal Server Error problem should be fixed right? (it?s the below exception I have pasted) Because whenever there is org.jboss.resteasy.spi.UnhandledException then browsers will see 500, instead of logging in again (there could be something added as such as handling this exception and asking user to log in again). Kind Regards, Sarp Kaya From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Tuesday, July 5, 2016 at 4:41 PM To: Abdullah Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Lost session when removing an instance off cluster The sessions cache is a distributed-cache, but by default it only has 1 owner of each segment. This means that sessions are not replicated to multiple nodes. So it's expected that you loose sessions when a node is removed. If you want sessions to survive the removal of a node you should increase the number of owners for the cache. For example: We've not actually tried with enabling transactions on the sessions, but I would say performance is more important. Worst case scenario is that a session is lost and a user has to re-authenticate. BTW the config you have for offlineSessions and loginFailures are wrong they both need to be distributed caches as well in clustered mode:

Message-ID: Stian, thanks for the reply! There is no service to retrieve a token passing the cookies as a parameter? I was looking at TokenEndpoint.java, but I have not found a way. Thanks 2016-07-05 3:33 GMT-03:00 Stian Thorgersen : > The impersonation feature we have logs the admin in as the impersonated > user rather than generate tokens. We decided on this approach as it would > be transparent to applications and they wouldn't need to build-in special > impersonation. What you want is not possible at the moment, but you can > create a JIRA feature request for it. It would have to be a community > contribution if you want it added in a timely manner. > > On 4 July 2016 at 18:52, Harry Trinta wrote: > >> Dears, >> >> >> >> I need a help with user impersonation on keycloak. >> >> >> >> I am authenticating users through the >> "/realms/test/protocol/openid-connect/token". As expected, it returns a >> token JWT. >> >> In my app, all requests go through apiman, which validates the JWT. >> >> >> >> Now, I need to personification of user. I'm calling the service >> "/admin/realms/test/users/USER_ID/impersonation", sending the token in the >> header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...). >> >> The service /impersonation creates the user session on keycloak, however >> doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of >> personified user instead of cookie.* It's possible? >> >> >> >> Best regards >> >> Harry Costa >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/56fbb754/attachment.html From valerij.timofeev at gmail.com Tue Jul 5 08:54:31 2016 From: valerij.timofeev at gmail.com (Valerij Timofeev) Date: Tue, 5 Jul 2016 14:54:31 +0200 Subject: [keycloak-user] Brute Force Detection breaks Social login Message-ID: Hi all, it looks like the Brute Force Detection breaks Social login. I've: 1) downloaded keycloak-demo-1.9.8.Final 2) setup Facebook Identity provider 3) successfully tested Facebook login 4) activated Brute Force Detection with default values 5) tested Facebook login: it fails with the error message: "Account is disabled, contact admin." I wonder whether somebody has ever tested this combination. Kind regards Valerij Timofeev -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/804984d8/attachment-0001.html From bruno at abstractj.org Tue Jul 5 09:59:10 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 5 Jul 2016 10:59:10 -0300 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: References: Message-ID: <20160705135910.GB10833@abstractj.org> Hi Valerij, I've tested against 2.0.0.Final right now and I couldn't reproduce your issue. I have brute force enabled by default here and Facebook configured exactly like described at the docs. Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a try? On 2016-07-05, Valerij Timofeev wrote: > Hi all, > > it looks like the Brute Force Detection breaks Social login. > > I've: > 1) downloaded keycloak-demo-1.9.8.Final > 2) setup Facebook Identity provider > 3) successfully tested Facebook login > 4) activated Brute Force Detection with default values > 5) tested Facebook login: it fails with the error message: "Account is > disabled, contact admin." > > I wonder whether somebody has ever tested this combination. > > > Kind regards > Valerij Timofeev > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From valerij.timofeev at gmail.com Tue Jul 5 10:40:14 2016 From: valerij.timofeev at gmail.com (Valerij Timofeev) Date: Tue, 5 Jul 2016 16:40:14 +0200 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: <20160705135910.GB10833@abstractj.org> References: <20160705135910.GB10833@abstractj.org> Message-ID: Hi Bruno, thank you for the check. We are going to migrate our production setup from Keycloak 1.9.4 to Red Hat SSO 7.0, which is based on Keycloak 1.9.8. Direct migration to 2.0.0.Final would be for us too risky, but still an option somewhen later. @All, any ideas for Keycloak 1.9.x? May be there is some setting we miss allowing us to use both "peacefully". Kind regards Valerij 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : > Hi Valerij, > > I've tested against 2.0.0.Final right now and I couldn't reproduce your > issue. > > I have brute force enabled by default here and Facebook configured > exactly like described at the docs. > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a try? > > On 2016-07-05, Valerij Timofeev wrote: > > Hi all, > > > > it looks like the Brute Force Detection breaks Social login. > > > > I've: > > 1) downloaded keycloak-demo-1.9.8.Final > > 2) setup Facebook Identity provider > > 3) successfully tested Facebook login > > 4) activated Brute Force Detection with default values > > 5) tested Facebook login: it fails with the error message: "Account is > > disabled, contact admin." > > > > I wonder whether somebody has ever tested this combination. > > > > > > Kind regards > > Valerij Timofeev > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > > abstractj > PGP: 0x84DC9914 > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/0e8863b8/attachment.html From bruno at abstractj.org Tue Jul 5 10:51:43 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 5 Jul 2016 11:51:43 -0300 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: References: <20160705135910.GB10833@abstractj.org> Message-ID: <20160705145143.GA18957@abstractj.org> I've just downloaded and tried with 1.9.8 too, it works. Is this happening with all users? Have you considered to setup an isolated environment from scratch? On 2016-07-05, Valerij Timofeev wrote: > Hi Bruno, > > thank you for the check. > We are going to migrate our production setup from Keycloak 1.9.4 to Red Hat > SSO 7.0, which is based on Keycloak 1.9.8. > Direct migration to 2.0.0.Final would be for us too risky, but still an > option somewhen later. > > @All, > any ideas for Keycloak 1.9.x? May be there is some setting we miss allowing > us to use both "peacefully". > > Kind regards > Valerij > > 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : > > > Hi Valerij, > > > > I've tested against 2.0.0.Final right now and I couldn't reproduce your > > issue. > > > > I have brute force enabled by default here and Facebook configured > > exactly like described at the docs. > > > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a try? > > > > On 2016-07-05, Valerij Timofeev wrote: > > > Hi all, > > > > > > it looks like the Brute Force Detection breaks Social login. > > > > > > I've: > > > 1) downloaded keycloak-demo-1.9.8.Final > > > 2) setup Facebook Identity provider > > > 3) successfully tested Facebook login > > > 4) activated Brute Force Detection with default values > > > 5) tested Facebook login: it fails with the error message: "Account is > > > disabled, contact admin." > > > > > > I wonder whether somebody has ever tested this combination. > > > > > > > > > Kind regards > > > Valerij Timofeev > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > > > abstractj > > PGP: 0x84DC9914 > > -- abstractj PGP: 0x84DC9914 From bruno at abstractj.org Tue Jul 5 10:59:02 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 5 Jul 2016 11:59:02 -0300 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: <20160705145143.GA18957@abstractj.org> References: <20160705135910.GB10833@abstractj.org> <20160705145143.GA18957@abstractj.org> Message-ID: <20160705145902.GA19930@abstractj.org> I just completely tried in a fresh new browser profile and managed to reproduce your issue. It happens with 1.9.x and Facebook accounts. I've create da Jira for this: https://issues.jboss.org/browse/KEYCLOAK-3267 On 2016-07-05, Bruno Oliveira wrote: > I've just downloaded and tried with 1.9.8 too, it works. Is this happening with > all users? Have you considered to setup an isolated environment from > scratch? > > On 2016-07-05, Valerij Timofeev wrote: > > Hi Bruno, > > > > thank you for the check. > > We are going to migrate our production setup from Keycloak 1.9.4 to Red Hat > > SSO 7.0, which is based on Keycloak 1.9.8. > > Direct migration to 2.0.0.Final would be for us too risky, but still an > > option somewhen later. > > > > @All, > > any ideas for Keycloak 1.9.x? May be there is some setting we miss allowing > > us to use both "peacefully". > > > > Kind regards > > Valerij > > > > 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : > > > > > Hi Valerij, > > > > > > I've tested against 2.0.0.Final right now and I couldn't reproduce your > > > issue. > > > > > > I have brute force enabled by default here and Facebook configured > > > exactly like described at the docs. > > > > > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a try? > > > > > > On 2016-07-05, Valerij Timofeev wrote: > > > > Hi all, > > > > > > > > it looks like the Brute Force Detection breaks Social login. > > > > > > > > I've: > > > > 1) downloaded keycloak-demo-1.9.8.Final > > > > 2) setup Facebook Identity provider > > > > 3) successfully tested Facebook login > > > > 4) activated Brute Force Detection with default values > > > > 5) tested Facebook login: it fails with the error message: "Account is > > > > disabled, contact admin." > > > > > > > > I wonder whether somebody has ever tested this combination. > > > > > > > > > > > > Kind regards > > > > Valerij Timofeev > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > -- > > > > > > abstractj > > > PGP: 0x84DC9914 > > > > > -- > > abstractj > PGP: 0x84DC9914 -- abstractj PGP: 0x84DC9914 From sthorger at redhat.com Tue Jul 5 13:22:59 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Jul 2016 19:22:59 +0200 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: <20160705145902.GA19930@abstractj.org> References: <20160705135910.GB10833@abstractj.org> <20160705145143.GA18957@abstractj.org> <20160705145902.GA19930@abstractj.org> Message-ID: Thanks Bruno. I've added an RH-SSO issue and scheduled it to be included in RH-SSO 7.0.1. On 5 July 2016 at 16:59, Bruno Oliveira wrote: > I just completely tried in a fresh new browser profile and managed to > reproduce your issue. It happens with 1.9.x and Facebook accounts. > > I've create da Jira for this: > https://issues.jboss.org/browse/KEYCLOAK-3267 > > > On 2016-07-05, Bruno Oliveira wrote: > > I've just downloaded and tried with 1.9.8 too, it works. Is this > happening with > > all users? Have you considered to setup an isolated environment from > > scratch? > > > > On 2016-07-05, Valerij Timofeev wrote: > > > Hi Bruno, > > > > > > thank you for the check. > > > We are going to migrate our production setup from Keycloak 1.9.4 to > Red Hat > > > SSO 7.0, which is based on Keycloak 1.9.8. > > > Direct migration to 2.0.0.Final would be for us too risky, but still an > > > option somewhen later. > > > > > > @All, > > > any ideas for Keycloak 1.9.x? May be there is some setting we miss > allowing > > > us to use both "peacefully". > > > > > > Kind regards > > > Valerij > > > > > > 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : > > > > > > > Hi Valerij, > > > > > > > > I've tested against 2.0.0.Final right now and I couldn't reproduce > your > > > > issue. > > > > > > > > I have brute force enabled by default here and Facebook configured > > > > exactly like described at the docs. > > > > > > > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a > try? > > > > > > > > On 2016-07-05, Valerij Timofeev wrote: > > > > > Hi all, > > > > > > > > > > it looks like the Brute Force Detection breaks Social login. > > > > > > > > > > I've: > > > > > 1) downloaded keycloak-demo-1.9.8.Final > > > > > 2) setup Facebook Identity provider > > > > > 3) successfully tested Facebook login > > > > > 4) activated Brute Force Detection with default values > > > > > 5) tested Facebook login: it fails with the error message: > "Account is > > > > > disabled, contact admin." > > > > > > > > > > I wonder whether somebody has ever tested this combination. > > > > > > > > > > > > > > > Kind regards > > > > > Valerij Timofeev > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > -- > > > > > > > > abstractj > > > > PGP: 0x84DC9914 > > > > > > > > -- > > > > abstractj > > PGP: 0x84DC9914 > > -- > > abstractj > PGP: 0x84DC9914 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160705/35c57491/attachment-0001.html From charlee.ch at gmail.com Wed Jul 6 03:48:35 2016 From: charlee.ch at gmail.com (Charlee Chitsuk) Date: Wed, 6 Jul 2016 14:48:35 +0700 Subject: [keycloak-user] Cannot create Drolls policy. Message-ID: Hi, I'm using the keycloak version 2.0.0.Final with default standalone. I've build and install the maven artifact, the "org.keycloak:photoz-authz-policy:2.0.0.Final" and tried to create the Drools policy. as the following mavenArtifactGroupId = org.keycloak mavenArtifactId = photoz-authz-policy mavenArtifactVersion = 2.0.0.Final" When I click the "Resolve" button, the system shows me as "Error! An unexpected server error has occurred" The "standalone/log/server.log" also shows as [io.undertow.request] (default task-80) UT005023: Exception handling request to /auth/admin/realms/photoz/clients/001e0705-8bc6-47de-b408-dd07a5ebba9b/authz/resource-server/policy/drools/resolveModules: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64 at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) ... Caused by: java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64 at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:168) I can ensure that 1. The "commons-codec-1.10.jar" is existed at "modules/system/layers/base/org/apache/commons/codec/main" 2. The "org.keycloak:photoz-authz-policy:2.0.0.Final" is existed at my local repository at "some/drive/m2/repo/org/keycloak/photoz-authz-policy/2.0.0.Final/photoz-authz-policy-2.0.0.Final.jar". Could you please help to advise further? -- Best Regards, Charlee Ch -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160706/24232e81/attachment.html From valerij.timofeev at gmail.com Wed Jul 6 05:18:56 2016 From: valerij.timofeev at gmail.com (Valerij Timofeev) Date: Wed, 6 Jul 2016 11:18:56 +0200 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: References: <20160705135910.GB10833@abstractj.org> <20160705145143.GA18957@abstractj.org> <20160705145902.GA19930@abstractj.org> Message-ID: Hi Stian, https://access.redhat.com/products/red-hat-single-sign-on http://blog.keycloak.org/2016/06/productized-keycloak-now-available-from.html We are able to download RH SSO 7.0.0 via our RH EAP account. But there is no information whether RH SSO is included in the EAP licence. We've contacted sales of the RH Partner in Germany, where we purchased the EAP licence: they said that they will be able to give clear answer approximately in 1-2 months. As already mentioned in this thread we would like to migrate our production setup from Keycloak 1.9.4 to RH SSO 7.0.x But I won't get OK for migration from my boss as long as the situation with the licence is not clear. Could you please clarify this point? Kind regards Valerij 2016-07-05 19:22 GMT+02:00 Stian Thorgersen : > Thanks Bruno. > > I've added an RH-SSO issue and scheduled it to be included in RH-SSO 7.0.1. > > On 5 July 2016 at 16:59, Bruno Oliveira wrote: > >> I just completely tried in a fresh new browser profile and managed to >> reproduce your issue. It happens with 1.9.x and Facebook accounts. >> >> I've create da Jira for this: >> https://issues.jboss.org/browse/KEYCLOAK-3267 >> >> >> On 2016-07-05, Bruno Oliveira wrote: >> > I've just downloaded and tried with 1.9.8 too, it works. Is this >> happening with >> > all users? Have you considered to setup an isolated environment from >> > scratch? >> > >> > On 2016-07-05, Valerij Timofeev wrote: >> > > Hi Bruno, >> > > >> > > thank you for the check. >> > > We are going to migrate our production setup from Keycloak 1.9.4 to >> Red Hat >> > > SSO 7.0, which is based on Keycloak 1.9.8. >> > > Direct migration to 2.0.0.Final would be for us too risky, but still >> an >> > > option somewhen later. >> > > >> > > @All, >> > > any ideas for Keycloak 1.9.x? May be there is some setting we miss >> allowing >> > > us to use both "peacefully". >> > > >> > > Kind regards >> > > Valerij >> > > >> > > 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : >> > > >> > > > Hi Valerij, >> > > > >> > > > I've tested against 2.0.0.Final right now and I couldn't reproduce >> your >> > > > issue. >> > > > >> > > > I have brute force enabled by default here and Facebook configured >> > > > exactly like described at the docs. >> > > > >> > > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a >> try? >> > > > >> > > > On 2016-07-05, Valerij Timofeev wrote: >> > > > > Hi all, >> > > > > >> > > > > it looks like the Brute Force Detection breaks Social login. >> > > > > >> > > > > I've: >> > > > > 1) downloaded keycloak-demo-1.9.8.Final >> > > > > 2) setup Facebook Identity provider >> > > > > 3) successfully tested Facebook login >> > > > > 4) activated Brute Force Detection with default values >> > > > > 5) tested Facebook login: it fails with the error message: >> "Account is >> > > > > disabled, contact admin." >> > > > > >> > > > > I wonder whether somebody has ever tested this combination. >> > > > > >> > > > > >> > > > > Kind regards >> > > > > Valerij Timofeev >> > > > >> > > > > _______________________________________________ >> > > > > keycloak-user mailing list >> > > > > keycloak-user at lists.jboss.org >> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > >> > > > >> > > > -- >> > > > >> > > > abstractj >> > > > PGP: 0x84DC9914 >> > > > >> > >> > -- >> > >> > abstractj >> > PGP: 0x84DC9914 >> >> -- >> >> abstractj >> PGP: 0x84DC9914 >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160706/f9347332/attachment.html From thomas.raehalme at aitiofinland.com Wed Jul 6 05:57:33 2016 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Wed, 6 Jul 2016 12:57:33 +0300 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: References: <20160705135910.GB10833@abstractj.org> <20160705145143.GA18957@abstractj.org> <20160705145902.GA19930@abstractj.org> Message-ID: Hi! I was told just last week by our local RedHat distributor that RH SSO 7.0 is part of the JBoss Core Services and that JBoss Core Services subscriptions are included at no additional charge with subscriptions for JBoss EAP, JBoss Data Grid, JBoss Fuse, JBoss A-MQ, JBoss Data Virtualization, JBoss BRMS and JBoss BPM Suite. Subscribers to these products receive full entitlement to all the components within JBoss Core Services Collection. Best regards, Thomas On Wed, Jul 6, 2016 at 12:18 PM, Valerij Timofeev < valerij.timofeev at gmail.com> wrote: > Hi Stian, > > https://access.redhat.com/products/red-hat-single-sign-on > > http://blog.keycloak.org/2016/06/productized-keycloak-now-available-from.html > > We are able to download RH SSO 7.0.0 via our RH EAP account. > But there is no information whether RH SSO is included in the EAP licence. > We've contacted sales of the RH Partner in Germany, where we purchased the > EAP licence: they said that they will be able to give clear answer > approximately in 1-2 months. > > As already mentioned in this thread we would like to migrate our > production setup from Keycloak 1.9.4 to RH SSO 7.0.x > But I won't get OK for migration from my boss as long as the situation > with the licence is not clear. > > Could you please clarify this point? > > Kind regards > Valerij > > > 2016-07-05 19:22 GMT+02:00 Stian Thorgersen : > >> Thanks Bruno. >> >> I've added an RH-SSO issue and scheduled it to be included in RH-SSO >> 7.0.1. >> >> On 5 July 2016 at 16:59, Bruno Oliveira wrote: >> >>> I just completely tried in a fresh new browser profile and managed to >>> reproduce your issue. It happens with 1.9.x and Facebook accounts. >>> >>> I've create da Jira for this: >>> https://issues.jboss.org/browse/KEYCLOAK-3267 >>> >>> >>> On 2016-07-05, Bruno Oliveira wrote: >>> > I've just downloaded and tried with 1.9.8 too, it works. Is this >>> happening with >>> > all users? Have you considered to setup an isolated environment from >>> > scratch? >>> > >>> > On 2016-07-05, Valerij Timofeev wrote: >>> > > Hi Bruno, >>> > > >>> > > thank you for the check. >>> > > We are going to migrate our production setup from Keycloak 1.9.4 to >>> Red Hat >>> > > SSO 7.0, which is based on Keycloak 1.9.8. >>> > > Direct migration to 2.0.0.Final would be for us too risky, but still >>> an >>> > > option somewhen later. >>> > > >>> > > @All, >>> > > any ideas for Keycloak 1.9.x? May be there is some setting we miss >>> allowing >>> > > us to use both "peacefully". >>> > > >>> > > Kind regards >>> > > Valerij >>> > > >>> > > 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : >>> > > >>> > > > Hi Valerij, >>> > > > >>> > > > I've tested against 2.0.0.Final right now and I couldn't reproduce >>> your >>> > > > issue. >>> > > > >>> > > > I have brute force enabled by default here and Facebook configured >>> > > > exactly like described at the docs. >>> > > > >>> > > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a >>> try? >>> > > > >>> > > > On 2016-07-05, Valerij Timofeev wrote: >>> > > > > Hi all, >>> > > > > >>> > > > > it looks like the Brute Force Detection breaks Social login. >>> > > > > >>> > > > > I've: >>> > > > > 1) downloaded keycloak-demo-1.9.8.Final >>> > > > > 2) setup Facebook Identity provider >>> > > > > 3) successfully tested Facebook login >>> > > > > 4) activated Brute Force Detection with default values >>> > > > > 5) tested Facebook login: it fails with the error message: >>> "Account is >>> > > > > disabled, contact admin." >>> > > > > >>> > > > > I wonder whether somebody has ever tested this combination. >>> > > > > >>> > > > > >>> > > > > Kind regards >>> > > > > Valerij Timofeev >>> > > > >>> > > > > _______________________________________________ >>> > > > > keycloak-user mailing list >>> > > > > keycloak-user at lists.jboss.org >>> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > > > >>> > > > >>> > > > -- >>> > > > >>> > > > abstractj >>> > > > PGP: 0x84DC9914 >>> > > > >>> > >>> > -- >>> > >>> > abstractj >>> > PGP: 0x84DC9914 >>> >>> -- >>> >>> abstractj >>> PGP: 0x84DC9914 >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160706/368e3d36/attachment-0001.html From dradzikowski at bluesoft.net.pl Wed Jul 6 08:17:39 2016 From: dradzikowski at bluesoft.net.pl (Daniel Radzikowski) Date: Wed, 6 Jul 2016 14:17:39 +0200 Subject: [keycloak-user] Storing attributes in Keycloak session Message-ID: Hi, I'm using Direct Grant API to manage sessions in my application. Is it possible to store some session attributes for logged in user using this API? -- Pozdrawiam, Daniel Radzikowski. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160706/6daa3b38/attachment.html From psilva at redhat.com Wed Jul 6 09:13:04 2016 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 6 Jul 2016 09:13:04 -0400 (EDT) Subject: [keycloak-user] Cannot create Drolls policy. In-Reply-To: References: Message-ID: <844087401.6969673.1467810784671.JavaMail.zimbra@redhat.com> Hi, Could not reproduce that issue in my environment. Here is what I did: - Download standalone server distribution [1] - Download examples [2] - Extract both server and examples - Build examples - Run server - Import keycloak-examples-2.0.0.Final/authz/photoz/photoz-realm.json - Create a Drools Policy just like you did after selecting the "photoz-restful-api" client application. Could you send the full stack trace ? Am I'm missing any step in order to reproduce this ? Btw, I have also tested using the demo distribution. Regards. Pedro Igor [1] https://downloads.jboss.org/keycloak/2.0.0.Final/keycloak-2.0.0.Final.zip [2] https://downloads.jboss.org/keycloak/2.0.0.Final/keycloak-examples-2.0.0.Final.zip ----- Original Message ----- From: "Charlee Chitsuk" To: keycloak-user at lists.jboss.org Sent: Wednesday, July 6, 2016 4:48:35 AM Subject: [keycloak-user] Cannot create Drolls policy. Hi, I'm using the keycloak version 2.0.0.Final with default standalone. I've build and install the maven artifact, the "org.keycloak:photoz-authz-policy:2.0.0.Final" and tried to create the Drools policy. as the following mavenArtifactGroupId = org.keycloak mavenArtifactId = photoz-authz-policy mavenArtifactVersion = 2.0.0.Final" When I click the "Resolve" button, the system shows me as "Error! An unexpected server error has occurred" The "standalone/log/server.log" also shows as [io.undertow.request] (default task-80) UT005023: Exception handling request to /auth/admin/realms/photoz/clients/001e0705-8bc6-47de-b408-dd07a5ebba9b/authz/resource-server/policy/drools/resolveModules: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64 at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) ... Caused by: java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64 at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:168) I can ensure that 1. The "commons-codec-1.10.jar" is existed at "modules/system/layers/base/org/apache/commons/codec/main" 2. The "org.keycloak:photoz-authz-policy:2.0.0.Final" is existed at my local repository at "some/drive/m2/repo/org/keycloak/photoz-authz-policy/2.0.0.Final/photoz-authz-policy-2.0.0.Final.jar". Could you please help to advise further? -- Best Regards, Charlee Ch _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Wed Jul 6 11:00:03 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 6 Jul 2016 11:00:03 -0400 Subject: [keycloak-user] Storing attributes in Keycloak session In-Reply-To: References: Message-ID: <14561877-89e1-36c3-231a-64bbd1a2fc5a@redhat.com> No. Sounds interesting, but no. On 7/6/16 8:17 AM, Daniel Radzikowski wrote: > Hi, > > I'm using Direct Grant API to manage sessions in my application. Is it > possible to store some session attributes for logged in user using > this API? > > -- > Pozdrawiam, > Daniel Radzikowski. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160706/cbc38121/attachment.html From charlee.ch at gmail.com Wed Jul 6 23:31:34 2016 From: charlee.ch at gmail.com (Charlee Chitsuk) Date: Thu, 7 Jul 2016 10:31:34 +0700 Subject: [keycloak-user] Cannot create Drolls policy. In-Reply-To: <844087401.6969673.1467810784671.JavaMail.zimbra@redhat.com> References: <844087401.6969673.1467810784671.JavaMail.zimbra@redhat.com> Message-ID: Hi, Thank you very much for your guide. I've tried to follow your step, but there is no luck. The stacktrace show me as Caused by: java.lang.ClassNotFoundException: org.apache.commons.codec.binary.Base64 from [Module "org.drools:main" from local module loader @33e5ccce (finder: local module finder @5a42bbf4 ( roots: C:\Java.Application\jboss\keycloak-2.0.0.Final\modules, C:\Java.Application\jboss\keycloak-2.0.0.Final\modules\system\layers\keycloak, C:\Java.Application\jboss\keycloak-2.0.0.Final\modules\system\layers\base ))] Then I decided to copy the "commons-codec-1.10.jar" from " modules/system/layers/base/org/apache/commons/codec/main" to "modules" directly. At the moment I can resolve that maven artifact for Drools. I'm not sure if it is a suitable way or not. Could you please help to advise how to put the dependency jars, e.g. the "commons-codec-1.10.jar", to the proper location? -- Best Regards, Charlee Ch 2016-07-06 20:13 GMT+07:00 Pedro Igor Silva : > Hi, > > Could not reproduce that issue in my environment. Here is what I did: > > - Download standalone server distribution [1] > - Download examples [2] > - Extract both server and examples > - Build examples > - Run server > - Import > keycloak-examples-2.0.0.Final/authz/photoz/photoz-realm.json > - Create a Drools Policy just like you did after selecting the > "photoz-restful-api" client application. > > Could you send the full stack trace ? Am I'm missing any step in order > to reproduce this ? > > Btw, I have also tested using the demo distribution. > > Regards. > Pedro Igor > > [1] > https://downloads.jboss.org/keycloak/2.0.0.Final/keycloak-2.0.0.Final.zip > [2] > https://downloads.jboss.org/keycloak/2.0.0.Final/keycloak-examples-2.0.0.Final.zip > > ----- Original Message ----- > From: "Charlee Chitsuk" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, July 6, 2016 4:48:35 AM > Subject: [keycloak-user] Cannot create Drolls policy. > > Hi, > > I'm using the keycloak version 2.0.0.Final with default standalone. I've > build and install the maven artifact, the > "org.keycloak:photoz-authz-policy:2.0.0.Final" and tried to create the > Drools policy. as the following > > mavenArtifactGroupId = org.keycloak > mavenArtifactId = photoz-authz-policy > mavenArtifactVersion = 2.0.0.Final" > > > > When I click the "Resolve" button, the system shows me as "Error! An > unexpected server error has occurred" > > The "standalone/log/server.log" also shows as > > [io.undertow.request] (default task-80) UT005023: Exception handling > request to > > /auth/admin/realms/photoz/clients/001e0705-8bc6-47de-b408-dd07a5ebba9b/authz/resource-server/policy/drools/resolveModules: > org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: > org/apache/commons/codec/binary/Base64 > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > ... > Caused by: java.lang.NoClassDefFoundError: > org/apache/commons/codec/binary/Base64 > at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:168) > > I can ensure that > > 1. The "commons-codec-1.10.jar" is existed at > "modules/system/layers/base/org/apache/commons/codec/main" > > 2. The "org.keycloak:photoz-authz-policy:2.0.0.Final" is existed at my > local repository at > > "some/drive/m2/repo/org/keycloak/photoz-authz-policy/2.0.0.Final/photoz-authz-policy-2.0.0.Final.jar". > > Could you please help to advise further? > > -- > Best Regards, > > Charlee Ch > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160707/08a6b8f9/attachment.html From sthorger at redhat.com Thu Jul 7 00:49:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Jul 2016 06:49:50 +0200 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: References: <20160705135910.GB10833@abstractj.org> <20160705145143.GA18957@abstractj.org> <20160705145902.GA19930@abstractj.org>

Message-ID: Valerij - What Thomas said is correct and you should be able to use your JBoss EAP license for any of the services that are included in the JBoss Core Services. Unless there's something specific about your license since it was purchased through a RH Partner. You can get more details about JBoss Core Services here https://access.redhat.com/articles/2294961, maybe ask the RH Partner directly about JBoss Core Services? On 6 July 2016 at 11:57, Thomas Raehalme wrote: > Hi! > > I was told just last week by our local RedHat distributor that RH SSO 7.0 > is part of the JBoss Core Services and that JBoss Core Services > subscriptions are included at no additional charge with subscriptions for > JBoss EAP, JBoss Data Grid, JBoss Fuse, JBoss A-MQ, JBoss Data > Virtualization, JBoss BRMS and JBoss BPM Suite. Subscribers to these > products receive full entitlement to all the components within JBoss Core > Services Collection. > > Best regards, > Thomas > > > On Wed, Jul 6, 2016 at 12:18 PM, Valerij Timofeev < > valerij.timofeev at gmail.com> wrote: > >> Hi Stian, >> >> https://access.redhat.com/products/red-hat-single-sign-on >> >> http://blog.keycloak.org/2016/06/productized-keycloak-now-available-from.html >> >> We are able to download RH SSO 7.0.0 via our RH EAP account. >> But there is no information whether RH SSO is included in the EAP licence. >> We've contacted sales of the RH Partner in Germany, where we purchased >> the EAP licence: they said that they will be able to give clear answer >> approximately in 1-2 months. >> >> As already mentioned in this thread we would like to migrate our >> production setup from Keycloak 1.9.4 to RH SSO 7.0.x >> But I won't get OK for migration from my boss as long as the situation >> with the licence is not clear. >> >> Could you please clarify this point? >> >> Kind regards >> Valerij >> >> >> 2016-07-05 19:22 GMT+02:00 Stian Thorgersen : >> >>> Thanks Bruno. >>> >>> I've added an RH-SSO issue and scheduled it to be included in RH-SSO >>> 7.0.1. >>> >>> On 5 July 2016 at 16:59, Bruno Oliveira wrote: >>> >>>> I just completely tried in a fresh new browser profile and managed to >>>> reproduce your issue. It happens with 1.9.x and Facebook accounts. >>>> >>>> I've create da Jira for this: >>>> https://issues.jboss.org/browse/KEYCLOAK-3267 >>>> >>>> >>>> On 2016-07-05, Bruno Oliveira wrote: >>>> > I've just downloaded and tried with 1.9.8 too, it works. Is this >>>> happening with >>>> > all users? Have you considered to setup an isolated environment from >>>> > scratch? >>>> > >>>> > On 2016-07-05, Valerij Timofeev wrote: >>>> > > Hi Bruno, >>>> > > >>>> > > thank you for the check. >>>> > > We are going to migrate our production setup from Keycloak 1.9.4 to >>>> Red Hat >>>> > > SSO 7.0, which is based on Keycloak 1.9.8. >>>> > > Direct migration to 2.0.0.Final would be for us too risky, but >>>> still an >>>> > > option somewhen later. >>>> > > >>>> > > @All, >>>> > > any ideas for Keycloak 1.9.x? May be there is some setting we miss >>>> allowing >>>> > > us to use both "peacefully". >>>> > > >>>> > > Kind regards >>>> > > Valerij >>>> > > >>>> > > 2016-07-05 15:59 GMT+02:00 Bruno Oliveira : >>>> > > >>>> > > > Hi Valerij, >>>> > > > >>>> > > > I've tested against 2.0.0.Final right now and I couldn't >>>> reproduce your >>>> > > > issue. >>>> > > > >>>> > > > I have brute force enabled by default here and Facebook configured >>>> > > > exactly like described at the docs. >>>> > > > >>>> > > > Not sure how to reproduce your issue :/ Maybe, give 2.0.0.Final a >>>> try? >>>> > > > >>>> > > > On 2016-07-05, Valerij Timofeev wrote: >>>> > > > > Hi all, >>>> > > > > >>>> > > > > it looks like the Brute Force Detection breaks Social login. >>>> > > > > >>>> > > > > I've: >>>> > > > > 1) downloaded keycloak-demo-1.9.8.Final >>>> > > > > 2) setup Facebook Identity provider >>>> > > > > 3) successfully tested Facebook login >>>> > > > > 4) activated Brute Force Detection with default values >>>> > > > > 5) tested Facebook login: it fails with the error message: >>>> "Account is >>>> > > > > disabled, contact admin." >>>> > > > > >>>> > > > > I wonder whether somebody has ever tested this combination. >>>> > > > > >>>> > > > > >>>> > > > > Kind regards >>>> > > > > Valerij Timofeev >>>> > > > >>>> > > > > _______________________________________________ >>>> > > > > keycloak-user mailing list >>>> > > > > keycloak-user at lists.jboss.org >>>> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > > > >>>> > > > >>>> > > > -- >>>> > > > >>>> > > > abstractj >>>> > > > PGP: 0x84DC9914 >>>> > > > >>>> > >>>> > -- >>>> > >>>> > abstractj >>>> > PGP: 0x84DC9914 >>>> >>>> -- >>>> >>>> abstractj >>>> PGP: 0x84DC9914 >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160707/e26d6da2/attachment-0001.html From valerij.timofeev at gmail.com Thu Jul 7 06:38:42 2016 From: valerij.timofeev at gmail.com (Valerij Timofeev) Date: Thu, 7 Jul 2016 12:38:42 +0200 Subject: [keycloak-user] Brute Force Detection breaks Social login In-Reply-To: