From firemanxbr at fedoraproject.org Thu Sep 1 09:53:50 2016
From: firemanxbr at fedoraproject.org (Marcelo Barbosa)
Date: Thu, 01 Sep 2016 13:53:50 +0000
Subject: [keycloak-user] How-to configure HTTPS on Keycloak 2.1.0 ?

Hi Guys,

This link no longer works for me:
http://www.keycloak.org/docs/userguide/keycloak-server/html/server-installation.html#d4e339
How do I configure HTTPS on Keycloak in standalone mode?

Cheers,

Marcelo

From christian_hebert at hotmail.com Thu Sep 1 10:33:25 2016
From: christian_hebert at hotmail.com (Christian Hebert)
Date: Thu, 1 Sep 2016 10:33:25 -0400
Subject: [keycloak-user] How to integrate or make use of KeyCloak user database in my own application?

Hi Ling,

I wouldn't recommend mixing the keycloak tables with your own, but here is how you could do it. First, you should store the keycloak data in your database instead of using the default H2 database. We are using Oracle in our organization.

To do so, you need to create a new datasource in your jboss server (I will not cover how to create this, assuming that you know how) that you will name, let's say, "java:jboss/datasources/MyKeycloakDS".

In your keycloak-server.json file, change the datasource under "connectionsJpa" to this new datasource. On startup, keycloak will create all the tables required.

Please note that your current data (realm, users, roles, ...) will not be there. You will start as a fresh installation of Keycloak.

From this point, the table you are looking for is "USER_ENTITY".

Hope this can help you!

Christian

> From: lingvisa at gmail.com
> Date: Wed, 31 Aug 2016 10:53:20 -0700
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] How to integrate or make use of KeyCloak user database in my own application?
>
> Hi, All:
>
> So far I have been playing with KeyCloak and have been able to set it up
> and run the customer-portal example successfully. Now I need to actually
> use it in my application, and I am not totally sure whether KeyCloak is
> the thing that I am looking for, but I believe my need is just a common
> use case and hopefully KeyCloak is the right software that I am looking for.
>
> When a user comes to my website, he registers and makes a post. Both the
> post and the user information are stored in databases, as is the link
> between the user and the post, i.e. who made which post. So I have two
> tables in my database: Post(id, post) and User(id, name), and another
> table UserPost(PostID, UserID) to store the linking information. This is
> all fine in my own database.
>
> But now when KeyCloak comes into play, the user first registers in the
> KeyCloak server and the user information is stored in its own database
> there, which seems unrelated to the database (Post and User) in my
> application. I don't want to duplicate two User databases in two
> servers, right? Even if I can tolerate the duplication, how do I make
> the connection between the KeyCloak database and my application
> database? I am using JBoss, Hibernate/JPA in my application.
>
> Maybe I am missing something in the way to connect KeyCloak with my own
> application. Is there any tutorial or documentation that I can read?
>
> Thank you.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From favez.steve at gmail.com Thu Sep 1 10:54:16 2016
From: favez.steve at gmail.com (Steve Favez)
Date: Thu, 1 Sep 2016 16:54:16 +0200
Subject: [keycloak-user] Authentication level realm

Dear all,

I need to implement the following use case.
My web application is authenticated against a given realm on keycloak, using a simple user / password authentication model. But a part of my web app would require a stronger authentication mechanism (a second factor in fact) based on the current user.

What's the "best" solution using keycloak? I was thinking of two different solutions:

1. add an attribute in my OIDC token that could be named "level", and have an adapter that would check the level of the token and, if it does not correspond, redirect to the realm that would ask for the second factor of authentication
2. create a "2FA" realm that would rely on the simple authentication realm... but is it possible in the same web app (I mean, to use two realms)?

Open to any ideas

Thanks

St

From j.kamal at ymail.com Thu Sep 1 11:19:54 2016
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Thu, 1 Sep 2016 15:19:54 +0000 (UTC)
Subject: [keycloak-user] Fw: Any clue regarding javax.ws.rs.core.UriBuilderException: empty host name
In-Reply-To: <432485795.3282038.1472738858985@mail.yahoo.com>
References: <432485795.3282038.1472738858985.ref@mail.yahoo.com> <432485795.3282038.1472738858985@mail.yahoo.com>
Message-ID: <285287092.3234561.1472743194337@mail.yahoo.com>

Hi Folks,

We had gone with a Keycloak implementation in one of our production instances with Keycloak 1.6.1.Final and are observing the "empty host name" log filling up the node consistently. I know we have to upgrade to the latest version, but is there any clue or direction to find or block this error message filling up the node? Any help in this regard will be appreciated.

Thanks
Kamal

The specific bothering log:

12:46:23 xxx docker/"keycloak"[1051]: 12:46:23,285 WARN [org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher] (default task-16) Failed to parse request.: javax.ws.rs.core.UriBuilderException: Failed to create URI: null
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:746)
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:718)
        at org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58)
        at org.jboss.resteasy.spi.ResteasyUriInfo.<init>(ResteasyUriInfo.java:53)
        at org.jboss.resteasy.plugins.server.servlet.ServletUtil.extractUriInfo(ServletUtil.java:41)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:199)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.ws.rs.core.UriBuilderException: empty host name
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:537)
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:740)
        ... 40 more

From WKuntz at flvc.org Thu Sep 1 11:47:21 2016
From: WKuntz at flvc.org (Bill Kuntz)
Date: Thu, 1 Sep 2016 15:47:21 +0000
Subject: [keycloak-user] Keycloak with EZproxy

Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy. OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."

Thanks,
Bill

From jarekala at axway.com Thu Sep 1 12:26:07 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Thu, 1 Sep 2016 16:26:07 +0000
Subject: [keycloak-user] How-to configure HTTPS on Keycloak 2.1.0 ?

Keycloak's documentation has moved to a different site. Here you go!
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network/https.html

Thanks,
Jagan Rekala

> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marcelo Barbosa
> Sent: Thursday, September 01, 2016 6:54 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] How-to configure HTTPS on Keycloak 2.1.0 ?
>
> Hi Guys,
>
> This link no longer works for me:
> http://www.keycloak.org/docs/userguide/keycloak-server/html/server-installation.html#d4e339
> How do I configure HTTPS on Keycloak in standalone mode?
>
> Cheers,
>
> Marcelo

From firemanxbr at fedoraproject.org Thu Sep 1 13:00:35 2016
From: firemanxbr at fedoraproject.org (Marcelo Barbosa)
Date: Thu, 01 Sep 2016 17:00:35 +0000
Subject: [keycloak-user] How-to configure HTTPS on Keycloak 2.1.0 ?

Hi Jagan,

Thanks so much.

Cheers,

Marcelo

On Thu, Sep 1, 2016 at 11:26 PM Jagannadha Rekala wrote:
> Keycloak's documentation has moved to a different site. Here you go!
>
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network/https.html
>
> Thanks,
>
> Jagan Rekala
> [...]

From lingvisa at gmail.com Thu Sep 1 13:25:51 2016
From: lingvisa at gmail.com (Ling)
Date: Thu, 1 Sep 2016 10:25:51 -0700
Subject: [keycloak-user] How to integrate or make use of KeyCloak user database in my own application?

hi, Christian:

Are you suggesting using two databases, one MyKeycloakDS to store keycloak data and the other MyApplicationDS to store my application data? Or do you mean just using one database, MyKeycloakDS, to store both keycloak user data and my application data? You said you don't recommend mixing the keycloak tables with my own; then is it possible to create a connection between the User_Entity table in the KeyCloak database and the Post table in my own database? Not a database expert :)

Thank you.

On Thu, Sep 1, 2016 at 7:33 AM, Christian Hebert <christian_hebert at hotmail.com> wrote:
> Hi Ling,
>
> I wouldn't recommend mixing the keycloak tables with your own but here is
> how you could do it. First, you should store the keycloak data in your
> database instead of using the default H2 database.
> [...]
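The datasource change Christian describes above (point the "connectionsJpa" section of keycloak-server.json at the new JNDI datasource), written out as an added configuration example; it is not a fragment from the thread or from the Keycloak project. The JNDI name is the one Christian proposes; the remaining keys and values are the defaults a Keycloak 2.x keycloak-server.json ships with, and the example assumes the datasource "java:jboss/datasources/MyKeycloakDS" has already been defined in standalone.xml with its JDBC driver installed as a module.

```json
{
    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/MyKeycloakDS",
            "initializeEmpty": true,
            "migrationStrategy": "update",
            "showSql": false,
            "formatSql": true,
            "globalStatsInterval": -1
        }
    }
}
```

"initializeEmpty": true is what makes Keycloak create its schema in the empty database on first start, which is why Christian warns that the existing realm, users and roles will not be there; "migrationStrategy": "update" lets Keycloak rewrite its own schema on every upgrade, which is the practical reason to keep application tables such as Post out of that schema rather than mixing them in. If the current H2 data must survive the move, it has to be exported and imported rather than expected to appear in the new datasource.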
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160901/9ea22841/attachment-0001.html From andyyar66 at gmail.com Thu Sep 1 17:34:14 2016 From: andyyar66 at gmail.com (Andy Yar) Date: Thu, 1 Sep 2016 23:34:14 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in Message-ID: Hello, I've created a template of a Angular based app using keycloak.js lib. After a successful login the app/page periodically reloads itself. I guess it's because of the iFrame session check being set to 5sec interval (requesting url: /#state=&code=). This happens in latest Firefox and Edge. Chrome seems to handle these reloads quietly. Is this intended? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160901/3aa0f928/attachment.html From thomas.darimont at googlemail.com Fri Sep 2 04:31:41 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 2 Sep 2016 10:31:41 +0200 Subject: [keycloak-user] Interesting Keycloak based Application on github: IdentityRegistry Message-ID: Hello group, just wanted to share an IMHO interesting github project with you that demonstrates how to use some Keycloak features like basic REST API as well as dynamic user, client and IdentityProvider registration in a Spring Boot app. Might be useful for some of you. Project on github: https://github.com/MaritimeCloud/IdentityRegistry IDP Discovery: https://github.com/MaritimeCloud/IdentityRegistry/blob/master/src/main/java/net/maritimecloud/identityregistry/utils/KeycloakServiceAccountUtil.java Provision Identity Providers, Users: https://github.com/MaritimeCloud/IdentityRegistry/blob/master/src/main/java/net/maritimecloud/identityregistry/utils/KeycloakAdminUtil.java Cheers, Thomas -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160902/41531cda/attachment.html From firemanxbr at fedoraproject.org Fri Sep 2 12:17:44 2016 From: firemanxbr at fedoraproject.org (Marcelo Barbosa) Date: Fri, 02 Sep 2016 16:17:44 +0000 Subject: [keycloak-user] Keycloak integrated with Google Apps Message-ID: Hi Guys, I'm try integrate my Keycloak together Google Apps, but I get the same error ever time and all documentation don't help me. Following my screen shots in attached. If someone help me I appreciate any collaboration. If fix this problem I create one post to help another Keycloak users. Cheers, Marcelo[image: Screen Shot 2016-09-02 at 11.11.35 PM.png][image: Screen Shot 2016-09-02 at 11.12.33 PM.png] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160902/bad6e7eb/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: Screen Shot 2016-09-02 at 11.11.35 PM.png Type: image/png Size: 117760 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160902/bad6e7eb/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: Screen Shot 2016-09-02 at 11.12.33 PM.png Type: image/png Size: 52199 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160902/bad6e7eb/attachment-0003.png From firemanxbr at fedoraproject.org Mon Sep 5 14:17:16 2016 From: firemanxbr at fedoraproject.org (Marcelo Barbosa) Date: Mon, 05 Sep 2016 18:17:16 +0000 Subject: [keycloak-user] SAML error for Google Apps Message-ID: Hi all, I'm adjust my certificates and get another error in my integration(Keycloak and Google Apps), If someone see this same error in your environments ? Help |Sign out This service cannot be accessed because your login request contained invalid audience information. Please log in and try again. 
We are unable to process your request at this time, please try again later. Cheers,[image: Screen Shot 2016-09-06 at 1.08.07 AM.png] Marcelo ? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160905/627f8dc9/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: Screen Shot 2016-09-06 at 1.08.07 AM.png Type: image/png Size: 59019 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160905/627f8dc9/attachment-0001.png From mposolda at redhat.com Tue Sep 6 02:17:00 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Sep 2016 08:17:00 +0200 Subject: [keycloak-user] How to integrate or make use of KeyCloak user database in my own application? In-Reply-To: References: Message-ID: <57CE5F5C.4090000@redhat.com> Hi, you can take a look at this example : https://github.com/keycloak/keycloak/tree/master/examples/providers/domain-extension which uses this feature (especially look at the bottom for custom JPA entities): https://keycloak.gitbooks.io/server-developer-guide/content/v/2.1/topics/extensions.html It allows to extend Keycloak database schema with your own entities. Marek On 01/09/16 19:25, Ling wrote: > hi, Christian: > > Are you suggesting using two databases, one is MyKeycloakDS to store > keycloak data, and the other MyApplicationDS to store my application > data? Or you mean just use one database MyKeycloakDS to store both > keycloak user data and my application data? You said you don't > recommend mixing the keycloak tables with my own, then is it possible > to create a connection between the User_Entity table in KeyCloak > database, and the Post table in my own database? Not an database expert :) > > Thank you. 
> > On Thu, Sep 1, 2016 at 7:33 AM, Christian Hebert > > > wrote: > > Hi Ling, > > I wouldn't recommend mixing the keycloak tables with your own but > here is how you could do it. First, you should store the keycloak > data in your database instead of using the default H2 database. We > are using Oracle in our organization. > > To do so, you need to create a new datasource in your jboss server > (I will not cover how to create this, assuming that you know how) > that you will name, let's say "java:jboss/datasources/MyKeycloakDS". > > In your keycloak-server.json file, change the datasource under > "connectionsJpa" for this new datasource.On the startup, keycloak > will create all the tables required. > > Please note that your current data (realm, users, roles, ...) will > not be there. You will start as a fresh installation of Keycloak. > > From this point, the table you are looking for is "USER_ENTITY". > > Hope this can help you! > > Christian > > ------------------------------------------------------------------------ > From: lingvisa at gmail.com > Date: Wed, 31 Aug 2016 10:53:20 -0700 > To: keycloak-user at lists.jboss.org > > Subject: [keycloak-user] How to integrate or make use of KeyCloak > user database in my own application? > > > Hi, All: > > So far I have been playing with KeyCloak and been able to set it > up and running the customer-portal example successfully. Now I > need to actually use it in my application, and I am not totally > sure whether KeyCloak is the thing that I am looking for, but I > believe my need is just a common use case and hopefully KeyCloak > is the right software that I am looking for.. > > When a user comes to my website, he registers and makes a post. > Both the post and the user information is stored into databases, > and the link between the user and post, i.e. who made which post? 
> So I have two tables in my database: Post(id, post) and > User(id,name), and another table UserPost(PostID, UserID) to store > linking information. This is all fine in my own database. > > But now when KeyCloak comes into play, the user first registers in > KeyCloak server and user information are stored in its own > database there, which seems unrelated to the database (Post and > User) in my application. I don't want to duplicate two User > databases in two servers, right? Even if I can tolerate the > duplication, how to make the connection between KeyCloak database > and my application database? I am using JBoss, Hibernate/JPA in my > application. > > Maybe I am missing something in the way how to connect KeyCloak > with my own application. Is there any tutorial or documentation > that I can read? > > Thank you. > > > > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160906/5dff2ad7/attachment.html From mposolda at redhat.com Tue Sep 6 02:19:52 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Sep 2016 08:19:52 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: Message-ID: <57CE6008.8010006@redhat.com> On 01/09/16 23:34, Andy Yar wrote: > Hello, > I've created a template of a Angular based app using keycloak.js lib. > After a successful login the app/page periodically reloads itself. I > guess it's because of the iFrame session check being set to 5sec > interval (requesting url: /#state=&code=). That's strange... 
IFrame is supposed to just check the cookie, not to do any reload.

Maybe take a look at our angular examples and see if you do something differently? See https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app . Note the angular.bootstrap called after Keycloak authentication is fully finished.

Marek

> This happens in latest Firefox and Edge. Chrome seems to handle these
> reloads quietly.
>
> Is this intended?
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Sep 6 02:33:06 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Sep 2016 08:33:06 +0200
Subject: [keycloak-user] Authentication level realm
Message-ID: <57CE6322.7020304@redhat.com>

We plan to add support for "acr" from OIDC specification. See https://issues.jboss.org/browse/KEYCLOAK-3314 .

Until that, you can possibly use some workaround and add your own authentication flow with authenticator implementations. For example based on redirect_uri (which will be different for more "secure" part of your application) you will allow (or not allow) cookie authentication and for the more secure part, you will ensure that OTP authenticator is used.

Marek

On 01/09/16 16:54, Steve Favez wrote:
> Dear all,
> I need to implement the following use case.
>
> My web application is authenticated against a given realm on keycloak,
> using a simple user / password authentication model. But a part of my
> web app would require a stronger authentication mechanism (a second
> factor in fact) based on the current user.
>
> What's the "best" solution using keycloak ? I was thinking of two
> different solutions
> 1. add an attribute in my OIDC token that could be named "level", and
> having an adapter that would check the level of the token, and if not
> corresponding, redirect to the realm that would ask for the second
> factor of authentication
> 2. Create a "2FA" realm, that would rely on the simple authentication
> realm... but is it possible in the same web app (I mean, to use two
> realms)
>
> Open to any ideas
>
> Thanks
>
> St

From mposolda at redhat.com Tue Sep 6 02:36:52 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Sep 2016 08:36:52 +0200
Subject: [keycloak-user] Why is email required when joining via Google?
Message-ID: <57CE6404.2080101@redhat.com>

That's strange. Email should be automatically added from Google though. Did you follow the steps for setup your Google application based on our docs? See https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/identity-broker/social/google.html .

Also are you sure you are using your gmail account and not some different Google-apps domain account?

Marek

On 01/09/16 01:04, Chris Hairfield wrote:
> Hello,
>
> I'm attempting to register via the Google OAuth link. Keycloak routes
> me to Google where I authorize my app. Then I'm returned to Keycloak.
>
> Why am I asked to input my email (below)? Keycloak requests
> the email scope and Google is an email provider. Why is my Google
> email not automatically stored as the email of this new account?
>
> I even have Trust Email on for Google.
>
> Chris
>
> keycloak-q.png

From mposolda at redhat.com Tue Sep 6 02:40:08 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 6 Sep 2016 08:40:08 +0200
Subject: [keycloak-user] user credential and role programmatically
Message-ID: <57CE64C8.3000807@redhat.com>

You need to use separate endpoints for update credentials and separate endpoint for update roles. For example see our testsuite https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java

Marek

On 31/08/16 15:26, yassine yas wrote:
> Hi,
> I'm creating users programmatically from my java code, but the users'
> credentials and roles are not "persisted" (I think); when the user tries
> to authenticate he gets *Invalid username or password* (even if he is
> visible in the admin console). If I define (from the admin console) a
> password for the user and use it he can access his account, but here
> comes the 2nd problem: even if I give him the right (role) to use a
> resource he gets forbidden.
> Here is the code that I use to define the user's credential and role:
>
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue("123");
> user.setCredentials(Arrays.asList(credential));
> user.setRealmRoles(Arrays.asList("guest"));
>
> Cordially

From abhi.raghav007 at gmail.com Tue Sep 6 02:46:12 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Tue, 6 Sep 2016 12:16:12 +0530
Subject: [keycloak-user] Invoke interceptor to modify object created by adapter after reading keycloak json file

Hello,

Is there any way we can keep/invoke some kind of interceptor once the keycloak.json file has been read and the object created by the keycloak adapter (code) for the web application adapter? Which class gets initialized and creates the object from the installed JSON file?

Do not want to keep the client key and keystore password in the JSON file; instead they can be pulled from somewhere else at run time and injected into the created object with custom code.

Please do let me know if further information is required.

Thanks,
Abhishek Raghav
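For the user credential and role thread above (yassine's code and Marek's answer that credentials and roles go through separate endpoints), here is an added example using the keycloak-admin-client library. It is not code from the list or from the Keycloak test suite Marek links to. It creates the user, then calls the reset-password endpoint and the realm role-mapping endpoint as two further requests, since the thread reports that a credentials list or realmRoles set on the representation passed to create is not persisted. The server URL, realm name, admin-cli login, username, initial password and the "guest" role name are assumed values.

```java
import java.util.Collections;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Creates a user, sets its password and grants a realm role through three
 * separate admin REST endpoints (users, reset-password, role-mappings/realm).
 * Server URL, realm, admin login, username and role name are assumed values.
 */
public class ProvisionUser {

    public static String provision(Keycloak kc, String realmName, String username,
                                   String initialPassword, String realmRole) {
        RealmResource realm = kc.realm(realmName);
        UsersResource users = realm.users();

        // 1. POST /admin/realms/{realm}/users
        //    Only the user itself is created here; setting credentials or
        //    realmRoles on this representation does not persist them.
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        Response created = users.create(user);
        try {
            if (created.getStatus() != 201) {
                throw new IllegalStateException("user create failed, HTTP " + created.getStatus());
            }
            // The new user's id is the last path segment of the Location header.
            String path = created.getLocation().getPath();
            String userId = path.substring(path.lastIndexOf('/') + 1);
            UserResource userRes = users.get(userId);

            // 2. PUT /admin/realms/{realm}/users/{id}/reset-password
            CredentialRepresentation cred = new CredentialRepresentation();
            cred.setType(CredentialRepresentation.PASSWORD);
            cred.setValue(initialPassword);
            cred.setTemporary(true);   // user must choose their own password at first login
            userRes.resetPassword(cred);

            // 3. POST /admin/realms/{realm}/users/{id}/role-mappings/realm
            //    The role is passed as a full representation, not just its name.
            RoleRepresentation role = realm.roles().get(realmRole).toRepresentation();
            userRes.roles().realmLevel().add(Collections.singletonList(role));
            return userId;
        } finally {
            created.close();
        }
    }

    public static void main(String[] args) {
        // Assumed: admin-cli on the master realm; the admin password comes from
        // the environment rather than from source code.
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")
                .realm("master")
                .clientId("admin-cli")
                .username("admin")
                .password(System.getenv("KC_ADMIN_PASSWORD"))
                .build();
        String id = provision(kc, "demo", "alice", "ChangeMe-4711", "guest");
        System.out.println("created user " + id);
    }
}
```

The account used for provisioning only needs the manage-users role of realm-management in the target realm; the three calls are the same ones the admin console makes, so if step 3 succeeds but the user is still forbidden, the role mapping is visible under the user's role-mappings endpoint and the problem is elsewhere (for example the application checking client roles instead of realm roles).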
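For the interceptor question above (asked here by Abhishek, repeated by Jitendra in the next message, and answered later in this digest by Marek with KeycloakConfigResolver), an added example of such a resolver. It is not code from the list or from the Keycloak "multi-tenant" example: it reads a keycloak.json that ships without secrets, then injects the client secret and truststore password from environment variables before the adapter builds its deployment. The class name and the environment variable names are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.JsonSerialization;

/**
 * Hypothetical resolver: loads the non-secret part of keycloak.json from the
 * classpath, then injects the client secret and truststore password from
 * environment variables (assumed names) before building the KeycloakDeployment.
 */
public class SecretFromEnvConfigResolver implements KeycloakConfigResolver {

    private volatile KeycloakDeployment deployment;

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // The adapter calls resolve() on every request, so build once and cache.
        KeycloakDeployment d = deployment;
        if (d == null) {
            synchronized (this) {
                if (deployment == null) {
                    deployment = build();
                }
                d = deployment;
            }
        }
        return d;
    }

    private KeycloakDeployment build() {
        try (InputStream in = getClass().getResourceAsStream("/keycloak.json")) {
            if (in == null) {
                throw new IllegalStateException("keycloak.json not found on classpath");
            }
            // keycloak.json on disk carries no "credentials" and no truststore password.
            AdapterConfig cfg = JsonSerialization.readValue(in, AdapterConfig.class);

            Map<String, Object> credentials = new HashMap<>();
            credentials.put("secret", require("KEYCLOAK_CLIENT_SECRET"));
            cfg.setCredentials(credentials);

            // Same pattern for the keystore/truststore passwords mentioned in the thread.
            if (cfg.getTruststore() != null) {
                cfg.setTruststorePassword(require("KEYCLOAK_TRUSTSTORE_PASSWORD"));
            }
            return KeycloakDeploymentBuilder.build(cfg);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read keycloak.json", e);
        }
    }

    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            // Fail closed: a missing secret must not produce a deployment that
            // silently behaves like a public client.
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }
}
```

The resolver is registered in the web application's web.xml with the context parameter keycloak.config.resolver set to the class name; when that parameter is present the adapter asks the resolver for the deployment instead of parsing keycloak.json itself.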
From jitendrachouhan03 at gmail.com Tue Sep 6 04:11:48 2016
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Tue, 6 Sep 2016 13:41:48 +0530
Subject: [keycloak-user] Invoke interceptor to modify object created by adapter after reading keycloak json file

Hello,

Is there any way we can keep/invoke some kind of interceptor once the keycloak.json file has been read and the object created by the keycloak adapter (code) for the web application adapter? Which class gets initialized and creates the object from the installed JSON file?

While referring to the SPI section in the keycloak documentation I found there is a Config class which holds that data, but could not get much idea how to write a custom implementation to inject data into the object created by the keycloak adapter.

Do not want to keep the client key and keystore password in the JSON file; instead they can be pulled from somewhere else at run time and injected into the created object with custom code.

Please do let me know if further information is required.

Thanks & Regards,
Jitendra Chouhan

From getjonrathbone at gmail.com Tue Sep 6 06:38:38 2016
From: getjonrathbone at gmail.com (Jonathan Rathbone)
Date: Tue, 6 Sep 2016 11:38:38 +0100
Subject: [keycloak-user] Integrating with enterprise PKI e.g. Entrust..
Message-ID: <0BFDC0C8-E634-4924-A165-1D197EB31FFE@gmail.com>

Hi there, hope you can help. I've searched the documentation, and nothing seems to jump out that clarifies this so...

I have a set of web apps and services, all secured with Keycloak using OAuth and JWT, with Single-Sign-On. I have a potential customer who is looking for us to integrate our app suite with their enterprise PKI solution for IDP and SSO.
Is there a way that Keycloak can enable this for us, so that we can keep our app architecture isolated from the customer's specific security architecture, or will we have to produce a version of our apps and services that has a dedicated integration to the enterprise PKI solution's services?

Sorry if this is a bit of a noob question!

sincere thanks,
Jon

From gparis at universcine.com Tue Sep 6 08:00:49 2016
From: gparis at universcine.com (Grégoire Paris)
Date: Tue, 6 Sep 2016 14:00:49 +0200
Subject: [keycloak-user] Exposing the applications API
Message-ID: <4de52f21-f45b-41c3-3781-605feddf4887@universcine.com>

Hello!

I'm trying to get a REST equivalent of /auth/realms/{my-realm}/account/applications , is there one and if yes, where is it documented? I've looked for it in the admin REST api doc, without luck, but maybe it's a separate API?

The ultimate goal would be to be able to list applications a user has access to, from a special client application named "Dashboard", which aims at helping employees move easily from one application to another.

If you're interested in fake internet points, you can answer this on SO: http://stackoverflow.com/questions/39333592/account-applications-api

Have a nice day,
--
G.Paris

From andyyar66 at gmail.com Tue Sep 6 08:43:15 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Tue, 6 Sep 2016 14:43:15 +0200
Subject: [keycloak-user] keycloak.js - page reloads itself when logged in
In-Reply-To: <57CE6008.8010006@redhat.com>
References: <57CE6008.8010006@redhat.com>

I've spent some time in Firefox's debugger and found out that the redirect occurs right after window.postMessage() is called in the checkLoginFrame function. The demo project code seems to be in line with my code. Might try its runtime behavior later.

On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda wrote:
> On 01/09/16 23:34, Andy Yar wrote:
>
> Hello,
> I've created a template of an Angular based app using keycloak.js lib.
> After a successful login the app/page periodically reloads itself. I guess
> it's because of the iFrame session check being set to 5sec interval
> (requesting url: /#state=&code=).
>
> That's strange... IFrame is supposed to just check the cookie, not to do
> any reload.
>
> Maybe take a look at our angular examples and see if you do something
> differently? See https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app . Note
> the angular.bootstrap called after Keycloak authentication is fully
> finished.
>
> Marek
>
> This happens in latest Firefox and Edge. Chrome seems to handle these
> reloads quietly.
>
> Is this intended?
>
> Thanks

From akaya at expedia.com Tue Sep 6 19:28:18 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Tue, 6 Sep 2016 23:28:18 +0000
Subject: [keycloak-user] Keycloak 2.1.0 Random SQL Errors (Possible connection leaks)

Hello, after upgrading to Keycloak 2.1.0 I have started to see that Keycloak is logging warnings like this:

WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-224) SQL Error: 0, SQLState: null

I am using MySQL Database.

Another thing I noticed with this is that I listen to this JMX for metrics:

jboss.as.expr:subsystem=datasources,data-source=MySQLDS,statistics=pool

for the ActiveCount metric, and I constantly see this being 18 despite having nearly no Keycloak usage. So it's making me think that there is a connection leak in Keycloak, because I should not see 18 active connections when there is no load on Keycloak.

Could you please have a look at this?
I don't really remember seeing this issue in Keycloak 2.0.0, so I'm just guessing it could be just a 2.1.0 issue as well?

Kind Regards,
Sarp Kaya

From rllavallee at hotmail.com Tue Sep 6 19:29:37 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Tue, 6 Sep 2016 23:29:37 +0000
Subject: [keycloak-user] Does Keycloak have a user session timeout for inactivity?

Does Keycloak have a user session timeout for inactivity?

If so how to change it?

-Richard

From akaya at expedia.com Wed Sep 7 02:50:21 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Wed, 7 Sep 2016 06:50:21 +0000
Subject: [keycloak-user] Does Keycloak have a URL that returns 200 response?
Message-ID: <99230350-4EC7-4B11-B28E-A572EE307AF6@expedia.com>

Hello,

There used to be an old thread and seems like a jira ticket here: https://issues.jboss.org/browse/KEYCLOAK-1578

I don't really see how this is not prioritized at all (given that if a Keycloak instance does not respond, it would be super useful to know that immediately, and build systems on top of that).

Anyway, I'm using Keycloak in AWS, and I have a load balancer that needs to know whether an instance is up or not. The problem is I could not actually find any endpoint from Keycloak that I could easily get a 200 response from, without passing any query parameters or any special headers.
I know that I can write some SPI that could just return 200, but that won't be the actual case, because I actually want something that's integrated with the Keycloak login flow (such as the login page; if the login page does not return a response, or does something unexpected continuously, then it would make more sense).

So I'd be really happy if anyone knows whether such a URL exists for Keycloak and can tell me.

Kind Regards,
Sarp Kaya

From thomas.darimont at googlemail.com Wed Sep 7 03:15:12 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 7 Sep 2016 09:15:12 +0200
Subject: [keycloak-user] Does Keycloak have a URL that returns 200 response?
In-Reply-To: <99230350-4EC7-4B11-B28E-A572EE307AF6@expedia.com>
References: <99230350-4EC7-4B11-B28E-A572EE307AF6@expedia.com>

Hello Sarp,

you could use: https://keycloak-server/auth/version

Cheers,
Thomas

2016-09-07 8:50 GMT+02:00 Sarp Kaya :
> Hello,
>
> There used to be an old thread and seems like a jira ticket here:
> https://issues.jboss.org/browse/KEYCLOAK-1578
>
> I don't really see how this is not prioritized at all (given that if a
> Keycloak instance does not respond, it would be super useful to know that
> immediately, and build systems on top of that).
>
> Anyway, I'm using Keycloak in AWS, and I have a load balancer that needs
> to know whether an instance is up or not. The problem is I could not
> actually find any endpoint from Keycloak that I could easily get a 200
> response from, without passing any query parameters or any special headers.
>
> I know that I can write some SPI that could just return 200, but that
> won't be the actual case, because I actually want something that's
> integrated with the Keycloak login flow (such as the login page; if the login
> page does not return a response, or does something unexpected continuously,
> then it would make more sense).
>
> So I'd be really happy if anyone knows whether such a URL exists for
> Keycloak and can tell me.
>
> Kind Regards,
> Sarp Kaya

From Edgar at info.nl Wed Sep 7 04:55:51 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 7 Sep 2016 08:55:51 +0000
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
Message-ID: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl>

Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.

I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
    at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
    at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
    at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
    at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

From mposolda at redhat.com Wed Sep 7 05:24:04 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Sep 2016 11:24:04 +0200
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
In-Reply-To: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl>
References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl>
Message-ID: <675274f4-5732-b94b-5f06-65c05080618f@redhat.com>

I guess you need to add "view-users" role as well?

For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
Marek

On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.
>
> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>
> 08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>     at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>     at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>     at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>     at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)

From mposolda at redhat.com Wed Sep 7 05:28:03 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Sep 2016 11:28:03 +0200
Subject: [keycloak-user] Does Keycloak have a user session timeout for inactivity?

Yes, it's "Session Idle timeout" and it's 30 minutes by default. Hence if no token refresh or no SSO login with cookie happens within 30 minutes, the userSession is cleared and the user needs to re-login.

Marek

On 07/09/16 01:29, Richard Lavallee wrote:
> Does Keycloak have a user session timeout for inactivity?
>
> If so how to change it?
>
> -Richard

From predmijat at gmail.com Wed Sep 7 05:37:55 2016
From: predmijat at gmail.com (Predrag Mijatovic)
Date: Wed, 7 Sep 2016 11:37:55 +0200
Subject: [keycloak-user] Keycloak and HTTPS behind reverse proxy

Hello,

I need help with Keycloak over HTTPS... I've started Keycloak with "./standalone.sh -b 10.45.0.6". I have DNS name login.mysite.com which points to NGINX listening on a public IP. NGINX is set up as a reverse proxy:

server {
    ssl on;
    listen 443;
    server_name login.mysite.com;
    ssl_verify_client off;
    proxy_ssl_server_name on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://10.45.0.6:8080;
    }
}

I can successfully open https://login.mysite.com/auth/ (green padlock and everything), but https://login.mysite.conf/auth/admin/master/console/ fails with "{{notification.header}} {{notification.message}} Loading...".
Inspecting the web page I see that a lot of .js files are served over HTTP and the browser complains about mixed content.

Reading the docs I figured that setting stuff on the side of the reverse proxy is enough? Do I need to do anything else?

Thanks

From mposolda at redhat.com Wed Sep 7 05:42:39 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Sep 2016 11:42:39 +0200
Subject: [keycloak-user] Keycloak 2.1.0 Random SQL Errors (Possible connection leaks)
Message-ID: <2dbbb2b1-8aa5-37cf-ed59-4579e0f02fd6@redhat.com>

Can you please create JIRA for it? Ideally also if you can add some details (eg. configuration of your KeycloakDS datasource, what Keycloak functionality you used, if the number of connections is 18 from the beginning and then stays the same for a longer time, or if it's 0 from the beginning and then it slowly increases etc.)

Thanks,
Marek

On 07/09/16 01:28, Sarp Kaya wrote:
> Hello, after upgrading to Keycloak 2.1.0 I have started to see that
> Keycloak is logging warnings like this:
>
> WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default
> task-224) SQL Error: 0, SQLState: null
>
> I am using MySQL Database.
>
> Another thing I noticed with this is that I listen to this JMX for
> metrics:
>
> jboss.as.expr:subsystem=datasources,data-source=MySQLDS,statistics=pool
>
> for the ActiveCount metric
>
> and I constantly see this being 18 despite having nearly no Keycloak
> usage. So it's making me think that there is a connection leak in
> Keycloak, because I should not see 18 active connections when there
> is no load on Keycloak.
>
> Could you please have a look at this? I don't really remember seeing
> this issue in Keycloak 2.0.0, so I'm just guessing it could be just a
> 2.1.0 issue as well?
>
> Kind Regards,
> Sarp Kaya

From mposolda at redhat.com Wed Sep 7 05:44:22 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Sep 2016 11:44:22 +0200
Subject: [keycloak-user] Exposing the applications API
In-Reply-To: <4de52f21-f45b-41c3-3781-605feddf4887@universcine.com>
References: <4de52f21-f45b-41c3-3781-605feddf4887@universcine.com>
Message-ID: <4bba7e2b-1cb7-417d-77bd-3f4c688d878e@redhat.com>

Yes, it should be. If you go to some user in admin console and click "consents", you should see which admin REST endpoint was invoked (if you use Firebug in FF or a similar extension).

Marek

On 06/09/16 14:00, Grégoire Paris wrote:
> Hello!
>
> I'm trying to get a REST equivalent of
> /auth/realms/{my-realm}/account/applications , is there one and if yes,
> where is it documented? I've looked for it in the admin REST api doc,
> without luck, but maybe it's a separate API?
>
> The ultimate goal would be to be able to list applications a user has
> access to, from a special client application named "Dashboard", which
> aims at helping employees move easily from one application to another.
>
> If you're interested in fake internet points, you can answer this on SO:
> http://stackoverflow.com/questions/39333592/account-applications-api
>
> Have a nice day,

From mposolda at redhat.com Wed Sep 7 05:46:49 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Sep 2016 11:46:49 +0200
Subject: [keycloak-user] Keycloak and HTTPS behind reverse proxy

We have some docs here:

https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network.html (and subpages)

Marek

On 07/09/16 11:37, Predrag Mijatovic wrote:
> Hello,
>
> I need help with Keycloak over HTTPS... I've started Keycloak with
> "./standalone.sh -b 10.45.0.6". I have DNS name login.mysite.com
> which points to
> NGINX listening on a public IP. NGINX is set up as a reverse proxy:
>
> server {
>     ssl on;
>     listen 443;
>     server_name login.mysite.com;
>     ssl_verify_client off;
>     proxy_ssl_server_name on;
>
>     location / {
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto https;
>         proxy_pass http://10.45.0.6:8080;
>     }
> }
>
> I can successfully open https://login.mysite.com/auth/ (green padlock and
> everything), but
> https://login.mysite.conf/auth/admin/master/console/ fails with
> "{{notification.header}} {{notification.message}} Loading...".
> Inspecting the
> web page I see that a lot of .js files are served over HTTP and the
> browser
> complains about mixed content.
>
> Reading the docs I figured that setting stuff on the side of the reverse
> proxy is
> enough? Do I need to do anything else?
>
> Thanks
>

From mposolda at redhat.com Wed Sep 7 05:49:54 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Sep 2016 11:49:54 +0200
Subject: [keycloak-user] Invoke interceptor to modify object created by adapter after reading keycloak json file
In-Reply-To:
References:
Message-ID: <7bf621c4-8b0a-8348-f0bc-0abfa2fca563@redhat.com>

We have KeycloakConfigResolver, which is useful for use-cases like multitenancy, but it can likely be used for your use-case too, so you can modify the KeycloakDeployment programmatically. See the example "multi-tenant" from the keycloak-examples distribution.

Marek

On 06/09/16 10:11, Jitendra Chouhan wrote:
> Hello,
>
> Is there any way we can keep/invoke some kind of interceptor once the
> keycloak.json file has been read and the object created by the keycloak
> adapter (code) for the web application adapter? Which class gets initialized
> and creates the object from the installed JSON file?
>
> While referring to the SPI section in the keycloak documentation I found
> there is a Config class which holds that data, but could not get much idea
> how to write a custom implementation to inject data into the object created
> by the keycloak adapter.
>
> We do not want to keep the client key and keystore password in the JSON file;
> instead they can be pulled from somewhere else at run time and injected
> into the created object with custom code.
>
> Please do let me know if further information is required.
>
> Thanks & Regards,
> Jitendra Chouhan

From imbacen at gmail.com Wed Sep 7 05:51:23 2016
From: imbacen at gmail.com (cen)
Date: Wed, 7 Sep 2016 11:51:23 +0200
Subject: [keycloak-user] Keycloak and HTTPS behind reverse proxy
In-Reply-To:
References:
Message-ID: <8d75920d-ffd6-6b6d-d72f-be4ed243d80a@gmail.com>

Hi

Just a few weeks ago I had to set up KC behind a reverse proxy with TLS and this tutorial did it for me: http://mirocupak.com/configuring-wildfly-behind-a-reverse-proxy-with-tls/
I did have to disable HTTP redirect because it was causing problems (read the comments).

Predrag Mijatovic wrote on 07. 09. 2016 at 11:37:
> Hello,
>
> I need help with Keycloak over HTTPS... I've started Keycloak with
> "./standalone.sh -b 10.45.0.6". I have the DNS name login.mysite.com which
> points to NGINX listening on a public IP. NGINX is set up as a reverse proxy:
>
> server {
>     ssl on;
>     listen 443;
>     server_name login.mysite.com;
>     ssl_verify_client off;
>     proxy_ssl_server_name on;
>
>     location / {
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto https;
>         proxy_pass http://10.45.0.6:8080;
>     }
> }
>
> I can successfully open https://login.mysite.com/auth/ (green padlock and
> everything), but https://login.mysite.conf/auth/admin/master/console/ fails
> with "{{notification.header}} {{notification.message}} Loading...". Inspecting
> the web page I see that a lot of .js files are served over HTTP and the browser
> complains about mixed content.
>
> Reading the docs I figured that setting stuff on the side of the reverse
> proxy is enough? Do I need to do anything else?
>
> Thanks

From predmijat at gmail.com Wed Sep 7 06:17:26 2016
From: predmijat at gmail.com (Predrag Mijatovic)
Date: Wed, 7 Sep 2016 12:17:26 +0200
Subject: [keycloak-user] Keycloak and HTTPS behind reverse proxy
In-Reply-To: <8d75920d-ffd6-6b6d-d72f-be4ed243d80a@gmail.com>
References: <8d75920d-ffd6-6b6d-d72f-be4ed243d80a@gmail.com>
Message-ID: <9CFD3930-6F50-4D61-B833-95D4A5297159@gmail.com>

I've managed to get it working, but I'm not sure what exactly was the issue. I re-edited standalone.xml from scratch by following the docs, restarted Keycloak and HTTPS worked... I must have made some typos before.

Sorry for the alarm and thanks!

> On Sep 7, 2016, at 11:51 AM, cen wrote:
>
> Hi
>
> Just a few weeks ago I had to set up KC behind a reverse proxy with TLS and this tutorial did it for me: http://mirocupak.com/configuring-wildfly-behind-a-reverse-proxy-with-tls/
> I did have to disable HTTP redirect because it was causing problems (read the comments).
>
> Predrag Mijatovic wrote on 07. 09. 2016 at 11:37:
>> Hello,
>>
>> I need help with Keycloak over HTTPS... I've started Keycloak with
>> "./standalone.sh -b 10.45.0.6". I have the DNS name login.mysite.com which
>> points to NGINX listening on a public IP. NGINX is set up as a reverse proxy:
>>
>> server {
>>     ssl on;
>>     listen 443;
>>     server_name login.mysite.com;
>>     ssl_verify_client off;
>>     proxy_ssl_server_name on;
>>
>>     location / {
>>         proxy_set_header X-Real-IP $remote_addr;
>>         proxy_set_header Host $host;
>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>         proxy_set_header X-Forwarded-Proto https;
>>         proxy_pass http://10.45.0.6:8080;
>>     }
>> }
>>
>> I can successfully open https://login.mysite.com/auth/ (green padlock and
>> everything), but https://login.mysite.conf/auth/admin/master/console/ fails
>> with "{{notification.header}} {{notification.message}} Loading...". Inspecting
>> the web page I see that a lot of .js files are served over HTTP and the browser
>> complains about mixed content.
>>
>> Reading the docs I figured that setting stuff on the side of the reverse
>> proxy is enough? Do I need to do anything else?
>>
>> Thanks

From Edgar at info.nl Wed Sep 7 06:27:43 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 7 Sep 2016 10:27:43 +0000
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
In-Reply-To: <675274f4-5732-b94b-5f06-65c05080618f@redhat.com>
References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com>
Message-ID:

Hi Marek,

Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role.
However the issue remains unfortunately.

Will try to find the endpoint in question and report back!

cheers

> On 07 Sep 2016, at 11:24, Marek Posolda wrote:
>
> I guess you need to add the "view-users" role as well?
>
> For tracking, you can try to enable a FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
>
> Marek
>
> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but there too the user is created just fine it seems.
>>
>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>>
>> [0m08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>> at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>> at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)

From sheishere48 at gmail.com Wed Sep 7 06:41:23 2016
From: sheishere48 at gmail.com (sheishere b)
Date: Wed, 7 Sep 2016 16:11:23 +0530
Subject: [keycloak-user] session inactivity; ignoring auto refresh requests
Message-ID:

We have node js integrated with keycloak, and keycloak is running as a service in jboss. There are many http requests being sent from the browser to the server in the background as part of the auto refresh of some tables. So if a user has opened the browser and remains inactive, many requests are made in the background. Keycloak will never detect inactivity and hence the session will never be invalidated after the session inactivity timeout.
Is there a way in keycloak to ignore such background requests from being considered for session-alive scenarios?

From gparis at universcine.com Wed Sep 7 06:49:39 2016
From: gparis at universcine.com (Grégoire Paris)
Date: Wed, 7 Sep 2016 12:49:39 +0200
Subject: [keycloak-user] Exposing the applications API
In-Reply-To: <4bba7e2b-1cb7-417d-77bd-3f4c688d878e@redhat.com>
References: <4de52f21-f45b-41c3-3781-605feddf4887@universcine.com> <4bba7e2b-1cb7-417d-77bd-3f4c688d878e@redhat.com>
Message-ID:

Indeed, I found a consents endpoint that appears to return JSON. The response is empty at the moment; I am going to look for the steps to have it return something.

Thanks a lot!

G.Paris

On 07/09/2016 at 11:44, Marek Posolda wrote:
> Yes, it should be. If you go to some user in the admin console and click
> "consents", you should see which admin REST endpoint was invoked (if
> you use Firebug in FF or a similar extension).
>
> Marek
>
> On 06/09/16 14:00, Grégoire Paris wrote:
>> Hello!
>>
>> I'm trying to get a REST equivalent of
>> /auth/realms/{my-realm}/account/applications; is there one and if yes,
>> where is it documented? I've looked for it in the admin REST API doc,
>> without luck, but maybe it's a separate API?
>>
>> The ultimate goal would be to be able to list the applications a user has
>> access to, from a special client application named "Dashboard", which
>> aims at helping employees move easily from one application to another.
>>
>> If you're interested in fake internet points, you can answer this on SO:
>> http://stackoverflow.com/questions/39333592/account-applications-api
>>
>> Have a nice day,

From Edgar at info.nl Wed Sep 7 07:33:23 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 7 Sep 2016 11:33:23 +0000
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
In-Reply-To:
References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com>
Message-ID:

Hi Marek,

It's the brute force detection REST endpoint that is causing the issue.

/auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar at info.nl

gives a: "Failed to load resource: the server responded with a status of 405 (Method Not Allowed)"

> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl wrote:
>
> Hi Marek,
>
> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately.
>
> Will try to find the endpoint in question and report back!
>
> cheers
>
>> On 07 Sep 2016, at 11:24, Marek Posolda wrote:
>>
>> I guess you need to add the "view-users" role as well?
>>
>> For tracking, you can try to enable a FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires.
>>
>> Marek
>>
>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but there too the user is created just fine it seems.
>>>
>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
From sthorger at redhat.com Wed Sep 7 08:39:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Sep 2016 14:39:06 +0200
Subject: [keycloak-user] Force the display of Keycloak login page when using "authenticate by default" external OIDC IdP
In-Reply-To:
References:
Message-ID:

Not at the moment, but it will be possible in 2.2.0.CR1, which will allow you to set an empty value for kc_idp_hint which will override the default identity provider.

On 29 August 2016 at 20:34, Gabriel Lavoie wrote:
> Hi,
> we are currently using Keycloak as a broker to do the SAML
> authentication to an external service for us. Keycloak is configured to
> authenticate the user with an external IdP (our application) that is set
> with the "Authenticate by default" flag to ON.
>
> Is it possible to still force the display of the Keycloak login page, but
> only for some scenarios? We would like to have system integration users
> that don't exist in our application (not exposed to our customers), but
> would still be usable to access the external service (with proper roles).
>
> Thanks,
>
> Gabriel
>
> --
> Gabriel Lavoie
> glavoie at gmail.com

From sthorger at redhat.com Wed Sep 7 08:41:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Sep 2016 14:41:15 +0200
Subject: [keycloak-user] Bypass /identity page straight to linking to an Identity Provider?
In-Reply-To:
References:
Message-ID:

See https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/suggested.html

On 30 August 2016 at 00:42, Chris Hairfield wrote:
> Hello,
>
> We're building a mobile app with Keycloak pages loaded in webviews and
> would like to link directly to the following:
> http://localhost:8080/auth/realms/athlinks/account/federated-identity-update?action=add&provider_id=google&stateChecker=T5kIjP9cZO3ObUCSM5P8i_O5YicSUcZlCu7aFK4y8P4
>
> The problem is that stateChecker. We don't know how to obtain it. May we
> obtain it via API?
>
> I created a beautiful picture to illustrate. You may think of the left
> view as a native representation of the /auth/realms/athlinks/account/identity
> page. Does anyone know of any way to jump straight to the authorization
> page on the right?
>
> Thanks!
> Chris
>
> [image: desired-ux.jpg]

From sthorger at redhat.com Wed Sep 7 08:44:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Sep 2016 14:44:46 +0200
Subject: [keycloak-user] Realm Config Recommendations
In-Reply-To:
References:
Message-ID:

If you don't mind having prospective students in LDAP as well, you can have them created in LDAP when they register in Keycloak. This applies to users registering with social IdPs as well. It might even help your onboarding of students as you'd already have some details filled in.

Otherwise you could use the admin endpoints to link the KC user to an LDAP user when the student is created in LDAP.

On 30 August 2016 at 06:17, Adam Keily wrote:
> Hi,
>
> I'm new to keycloak and we're investigating using it within our
> University. In the first instance it would be used as a registration point
> for external users, e.g. prospective students etc. They will either register
> via the form or using social IdPs in order to access various apps for
> these types of users.
>
> We want to remain open to using Keycloak for our internal (AD / LDAP)
> users to authenticate to these same apps as well as corporate applications.
>
> The tricky part comes where a prospective student (external identity)
> enrols and becomes a regular student (LDAP user). We would like them to
> continue to be recognised as a single identity and have their registered
> identities merged / linked with their new internal id.
>
> Hoping someone might be able to provide some guidance on the best way to
> go. There are a few ideas I've been testing.
>
> One is to have a single keycloak realm for user registration and configure
> LDAP as a user federation source. However this would seem to rule out
> linking the accounts?
>
> Another idea was to configure two realms (internal and external) and have
> the internal realm act as an IdP for the external realm.
>
> Another option is to create three realms: internal, external and combined.
> The combined realm is used for SSO for all apps and the internal and
> external realms are configured to be IdPs for the combined realm. I can't
> help but feel this is starting to get more complicated than is necessary.
>
> Any guidance or thoughts would be much appreciated.
>
> Regards
>
> Adam
>
> --
> Adam Keily
> Risk & Security Services
> The University of Adelaide

From sthorger at redhat.com Wed Sep 7 08:46:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Sep 2016 14:46:04 +0200
Subject: [keycloak-user] ClassNotFoundException when importing a resource server configuration JSON incl drools policy of 'photoz' example project
In-Reply-To:
References:
Message-ID:

Did you try the steps in KEYCLOAK-3279? That was caused by an issue with the user's Maven repository.

On 30 August 2016 at 08:41, FREIMUELLER Christian <Christian.FREIMUELLER at frequentis.com> wrote:
> Dear all,
>
> first of all, thanks for your effort for Keycloak, great product!
>
> I'm trying to do a POC for the authorization API in Keycloak and therefore
> I downloaded the Demo distribution from the project's website and tried to
> follow the readme instructions on the "photoz" example.
> The import of the realm was successful, but when I tried to load the
> resource server configuration JSON I received the following exception in
> the log file:
>
> Caused by: java.lang.ClassNotFoundException: org.apache.commons.codec.binary.Base64
> from [Module "org.drools:main" from local module loader @1476ceae (finder:
> local module finder @1b4febf3 (
> roots: D:\dev\software\keycloak\keycloak-demo-2.1.0.Final\keycloak\modules,
> D:\dev\software\keycloak\keycloak-demo-2.1.0.Final\keycloak\modules\system\layers\keycloak,
> D:\dev\software\keycloak\keycloak-demo-2.1.0.Final\keycloak\modules\system\layers\base
> ))]
>
> I was able to fix this issue by providing the following dependency entry
> in the drools module description for the commons-codec module at
> \keycloak\modules\system\add-ons\keycloak\org\drools\main\module.xml
> After this I could finally import "photoz-restful-api-authz-service.json"
> successfully.
>
> Could it be that this entry is also missing in the source code at
> https://github.com/keycloak/keycloak/tree/master/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/drools/main/module.xml
> ?
>
> I also found a related JIRA entry, "KEYCLOAK-3279 Possible error with
> Drools policies when running on Windows", but this was closed without a
> code fix, I think.
>
> Can you verify this finding?
>
> Thanks,
> Christian

From sthorger at redhat.com Wed Sep 7 08:49:03 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Sep 2016 14:49:03 +0200
Subject: [keycloak-user] Keycloak integrated with Google Apps
In-Reply-To:
References:
Message-ID:

https://support.google.com/a/answer/2463723?hl=en

On 2 September 2016 at 18:17, Marcelo Barbosa wrote:
> Hi Guys,
>
> I'm trying to integrate my Keycloak with Google Apps, but I get the same
> error every time and none of the documentation helps me. My screenshots
> are attached. If someone can help me I would appreciate any collaboration.
> If I fix this problem I will create a post to help other Keycloak users.
>
> Cheers,
>
> Marcelo
>
> [image: Screen Shot 2016-09-02 at 11.11.35 PM.png]
> [image: Screen Shot 2016-09-02 at 11.12.33 PM.png]
From sthorger at redhat.com Wed Sep 7 08:51:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Sep 2016 14:51:59 +0200
Subject: [keycloak-user] SAML error for Google Apps
In-Reply-To:
References:
Message-ID:

https://support.google.com/a/answer/2463723?hl=en

On 5 September 2016 at 20:17, Marcelo Barbosa wrote:
> Hi all,
>
> I'm adjusting my certificates and get another error in my integration (Keycloak and Google Apps). Has anyone seen this same error in your environments?
>
> Help | Sign out
>
> This service cannot be accessed because your login request contained invalid audience information. Please log in and try again.
>
> We are unable to process your request at this time, please try again later.
>
> Cheers,
> [image: Screen Shot 2016-09-06 at 1.08.07 AM.png]
>
> Marcelo
From firemanxbr at fedoraproject.org Wed Sep 7 08:54:27 2016
From: firemanxbr at fedoraproject.org (Marcelo Barbosa)
Date: Wed, 07 Sep 2016 12:54:27 +0000
Subject: [keycloak-user] Keycloak integrated with Google Apps
In-Reply-To:
References:
Message-ID:

Hi Stian,

I've been trying to integrate Keycloak with a Google Apps domain since July this year, but without success. Attached is my client JSON for checking, because this part of the SAML isn't sent correctly to Google Apps:

Element:
Description: URI that identifies the intended audience which requires the value of ACS URI. Note: element value cannot be empty
Required Value: https://www.google.com/a//acs
Example: https://wwww.google.com/a/yourdomain.com/acs

From andyyar66 at gmail.com Wed Sep 7 10:30:19 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Wed, 7 Sep 2016 16:30:19 +0200
Subject: [keycloak-user] keycloak.js - page reloads itself when logged in
In-Reply-To:
References: <57CE6008.8010006@redhat.com>
Message-ID:

Hello,
I've tried running the https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular2-product-app app on localhost against my Keycloak instance. The page reloading issue caused by iFrame checks was present too.

The only significant change I made to the demo app was replacing the keycloak.json with mine.
The difference is using a non-localhost URL: "auth-server-url": "http://:8080/sso". CORS comes to mind.

On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote:
> I've spent some time in Firefox's debugger and found out that the redirect occurs right after the window.postMessage() is called in the checkLoginFrame function.
>
> The demo project code seems to be in line with my code. Might try its runtime behavior later.
>
> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda wrote:
>
>> On 01/09/16 23:34, Andy Yar wrote:
>>
>> Hello,
>> I've created a template of an Angular based app using the keycloak.js lib. After a successful login the app/page periodically reloads itself. I guess it's because of the iFrame session check being set to a 5sec interval (requesting url: /#state=&code=).
>>
>> That's strange... The IFrame is supposed to just check the cookie, not to do any reload.
>>
>> Maybe take a look at our angular examples and see if you do something differently? See https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app . Note the angular.bootstrap called after Keycloak authentication is fully finished.
>>
>> Marek
>>
>>
>> This happens in latest Firefox and Edge. Chrome seems to handle these reloads quietly.
>>
>> Is this intended?
>>
>> Thanks
From TBarcia at wfscorp.com Wed Sep 7 14:46:47 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Wed, 7 Sep 2016 18:46:47 +0000
Subject: [keycloak-user] CN= is not being sent when creating users in LDAP
Message-ID:

I have a user federation connected to Active Directory that works for authenticating users, but I'm trying to create / modify LDAP users and it appears that I'm getting the error ENTRY_EXISTS because it's not filling the CN= attribute:

Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00002071: UpdErr: DSID-0305038D, problem 6005 (ENTRY_EXISTS), data 0

In an attempt to get this working I've made the following changes to the federation:

- Changed Sync Registrations to ON
- Ensured RDN LDAP attribute set to cn
- Created a mapper called "fullname"; Mapper Type: "Full Name"; category "Attribute Mapper"; Type "Full Name"; LDAP Full Name Attribute: cn; read only OFF; write only: OFF

Can anybody help me with what I missed?
From saiprashanth173 at gmail.com Wed Sep 7 15:01:44 2016
From: saiprashanth173 at gmail.com (sai prashanth)
Date: Thu, 8 Sep 2016 00:31:44 +0530
Subject: [keycloak-user] Fwd: Adding Shibboleth IdP to KeyCloak
In-Reply-To:
References:
Message-ID:

Hi,

I am trying to add a Shibboleth IdP to KeyCloak, but couldn't find any resource on how this could be done. I tried adding a new Identity Provider through the KeyCloak admin console with the following steps.

1. Login into KeyCloak's admin console.
2. Select the required realm.
3. Select "SAML v2.0" from the "Add Providers" dropdown in the "Identity providers" tab.
4. In the create-Identity-Provider window, I used "Import External IDP configuration" by providing the URL ( https:///idp/shibboleth ) in the "Import from URL" field.

But this didn't work. I shall be grateful if someone could provide some resources on how this can be achieved and guide me.

Thanks,
Regards,
Prashanth

From akaya at expedia.com Wed Sep 7 19:42:00 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Wed, 7 Sep 2016 23:42:00 +0000
Subject: [keycloak-user] Does Keycloak have a URL that returns 200 response?
In-Reply-To:
References: <99230350-4EC7-4B11-B28E-A572EE307AF6@expedia.com>
Message-ID:

Hi Thomas,

Thanks for the suggestion, but that does not really run through any of the login flow (for instance it doesn't execute any of the database code or token/code generation). I've also tried /auth/realms/{realm-name} and the same thing happens.

Thanks,
Sarp

From: Thomas Darimont
Date: Wednesday, September 7, 2016 at 5:15 PM
To: Abdullah Sarp
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Does Keycloak have a URL that returns 200 response?
Hello Sarp,

you could use: https://keycloak-server/auth/version

Cheers,
Thomas

2016-09-07 8:50 GMT+02:00 Sarp Kaya:
Hello,

There used to be an old thread and seems like a jira ticket here: https://issues.jboss.org/browse/KEYCLOAK-1578

I don't really see how this is not prioritized at all (given that if a Keycloak instance does not respond, it would be super useful to know that immediately, and build a system on top of that).

Anyway, I'm using Keycloak in AWS, and I have a load balancer that needs to know whether an instance is up or not. The problem is I could not actually find any endpoint from Keycloak that I could easily get a 200 response from, without passing any query parameters or any special headers.

I know that I can write some SPI that could just return 200, but that won't be the actual case, because I actually want something that's integrated with the Keycloak login flow (such as the login page; if the login page does not return a response, or does something unexpected continuously, then it would make more sense).

So I'd be really happy if anyone knows whether such a URL exists for Keycloak and could tell me.

Kind Regards,
Sarp Kaya

From sthorger at redhat.com Thu Sep 8 01:39:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 07:39:23 +0200
Subject: [keycloak-user] keycloak.js - page reloads itself when logged in
In-Reply-To:
References: <57CE6008.8010006@redhat.com>
Message-ID:

Did you add correct origins for your app in the Keycloak admin console?
On 7 September 2016 at 16:30, Andy Yar wrote:
> Hello,
> I've tried running the https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular2-product-app app on localhost against my Keycloak instance. The page reloading issue caused by iFrame checks was present too.
>
> The only significant change I made to the demo app was replacing the keycloak.json with mine. The difference is using a non-localhost URL: "auth-server-url": "http://:8080/sso". CORS comes to mind.
>
>
> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote:
>
>> I've spent some time in Firefox's debugger and found out that the redirect occurs right after the window.postMessage() is called in the checkLoginFrame function.
>>
>> The demo project code seems to be in line with my code. Might try its runtime behavior later.
>>
>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda wrote:
>>
>>> On 01/09/16 23:34, Andy Yar wrote:
>>>
>>> Hello,
>>> I've created a template of an Angular based app using the keycloak.js lib. After a successful login the app/page periodically reloads itself. I guess it's because of the iFrame session check being set to a 5sec interval (requesting url: /#state=&code=).
>>>
>>> That's strange... The IFrame is supposed to just check the cookie, not to do any reload.
>>>
>>> Maybe take a look at our angular examples and see if you do something differently? See https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app . Note the angular.bootstrap called after Keycloak authentication is fully finished.
>>>
>>> Marek
>>>
>>>
>>> This happens in latest Firefox and Edge. Chrome seems to handle these reloads quietly.
>>>
>>> Is this intended?
>>>
>>> Thanks

From sthorger at redhat.com Thu Sep 8 02:29:09 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 08:29:09 +0200
Subject: [keycloak-user] user logout
In-Reply-To:
References:
Message-ID:

What version? Did you by any chance rename the realm? We did have a bug in the past where renaming a realm wouldn't update the redirect uris for built-in clients like account. Check the value of the redirect-uri for the account client in the admin console. If the realm name isn't correct, change it. Also, please upgrade to the latest release.

On 31 August 2016 at 12:25, yassine yas wrote:
> Hi,
> when an authenticated user tries to logout (using the sign out from auth/realms/{realName}/account/)
> I get this error: Invalid redirect uri
> here is the uri of the page that shows the pb:
> http://10.129.3.27/auth/realms/{realName}/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.129.3.27%2Fauth%2Frealms%2F{realName}%2Faccount%2F
> (the {realName} is the same)
> how can I change the log out redirect uri
> cordially
From sthorger at redhat.com Thu Sep 8 02:30:37 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 08:30:37 +0200
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To:
References:
Message-ID:

Not sure what they mean by "authentication sequence identical to a standard Shibboleth Identity Provider", but Keycloak is pretty configurable so it should be possible to adapt the SAML configuration for the client to make it work with EZProxy.

On 1 September 2016 at 17:47, Bill Kuntz wrote:
> Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy.
>
> OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."
>
> Thanks,
> Bill

From sthorger at redhat.com Thu Sep 8 02:32:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 08:32:13 +0200
Subject: [keycloak-user] Invoke interceptor to modify object created by adapter after reading keycloak json file
In-Reply-To:
References:
Message-ID:

Use a custom KeycloakConfigResolver and you get full control over the config.
See the following for an example:
https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/control/PathBasedKeycloakConfigResolver.java
https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/webapp/WEB-INF/web.xml#L24

On 6 September 2016 at 08:46, abhishek raghav wrote:
> Hello,
>
> Is there any way we can keep/invoke some kind of interceptor once the keycloak.json file has been read and the object created by the keycloak adapter (code) for the web application adapter? Which class gets initialized and creates the object from the installed JSON file?
>
> We do not want to keep the client key and keystore password in the JSON file; instead they can be pulled from somewhere else at run time and injected into the created object with custom code.
>
> Please do let me know if further information is required.
>
> Thanks,
> Abhishek Raghav

From sthorger at redhat.com Thu Sep 8 02:33:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 08:33:58 +0200
Subject: [keycloak-user] Integrating with enterprise PKI e.g. Entrust..
In-Reply-To: <0BFDC0C8-E634-4924-A165-1D197EB31FFE@gmail.com>
References: <0BFDC0C8-E634-4924-A165-1D197EB31FFE@gmail.com>
Message-ID:

Can you elaborate a bit on exactly what you want? "integrate our app suite with their enterprise PKI solution for IDP and SSO" is a bit vague.

On 6 September 2016 at 12:38, Jonathan Rathbone wrote:
>
> Hi there,
>
> hope you can help. I've searched the documentation, and nothing seems to jump out that clarifies this so...
>
> I have a set of web apps and services, all secured with Keycloak using OAuth and JWT, with Single-Sign-On.
>
> I have a potential customer who is looking for us to integrate our app suite with their enterprise PKI solution for IDP and SSO.
>
> Is there a way that Keycloak can enable this for us, so that we can keep our app architecture isolated from the customer's specific security architecture, or will we have to produce a version of our apps and services that have a dedicated integration to the enterprise PKI solution's services?
>
> Sorry if this is a bit of a noob question!
>
> sincere thanks,
>
> Jon

From sthorger at redhat.com Thu Sep 8 02:38:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 08:38:06 +0200
Subject: [keycloak-user] session inactivity; ignoring auto refresh requests
In-Reply-To:
References:
Message-ID:

As long as the token is refreshed Keycloak sees it as an active user. The simplest option would be to make your app stop doing the background requests after a while, which would result in the session timing out. It could also trigger a logout of the user from the application itself.

Alternatively we could potentially do something like adding a proprietary option to the refresh request to prevent it being seen as "user activity", but I'm less keen on that since it'd be non-standard OIDC.

On 7 September 2016 at 12:41, sheishere b wrote:
> We have node js integrated with keycloak & keycloak is running as a service in jboss.
> There are many http requests being sent from browser to server in the background as part of auto refresh of some tables.
> So if the user has opened the browser & remains inactive, many requests are made in the background. Keycloak will never detect inactivity & hence the session will never be invalidated after the session inactivity timeout.
> Is there a way in keycloak to ignore such background requests from being considered for session-alive scenarios?

From aman.jaiswal at arvindinternet.com Thu Sep 8 02:46:06 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Thu, 8 Sep 2016 12:16:06 +0530
Subject: [keycloak-user] Fwd: keycloak-2.1.0.Final On cluster
In-Reply-To:
References:
Message-ID:

https://developer.jboss.org/message/962625#962625

Hi

I am trying to run keycloak-2.1.0.Final in Cluster mode on AWS, but AWS does not support multicast.
For the previous version keycloak-1.5.0.Final it is working fine in cluster mode, but the new version keycloak-2.1.0.Final is not working precisely in cluster mode. The setup of keycloak-1.5.0.Final was done by a different person and I am trying to replicate the same settings on keycloak-2.1.0.Final.

I have 2 AWS servers which are running behind the load balancer with an S3 bucket; the S3 bucket is used to set up communication between both the servers. After starting keycloak I thought it was working fine because both my instances are running behind the load balancer and the S3 buckets are working fine, but I was wrong, it is not working fine. After changing the password I realised that it is not working fine because after logout sometimes I am able to login with the new password and sometimes it accepts the old one. First I thought it was a load balancer stickiness problem so I changed it; here are the problems with this when stickiness is enabled or disabled:

1: load balancer stickiness is disabled
   keycloak starts without any error and when trying to login it gives an error in the LOG like "Invalid User" or "an error occurred please login again through your application"

2: Load Balancer stickiness is enabled (Enable load balancer generated cookie stickiness)
   keycloak starts without any error and also opens in the browser with admin login, and when I am trying to change the password it does not reflect on both the servers because it does not update the cache of both servers, so sometimes it gives access by new password and sometimes with the old password.

I don't want to use any alternate option for this so please help me with this.

Following are the settings which I have made in the standalone-ha.xml file...
and the settings for the S3 bucket are in bold:

[standalone-ha.xml contents omitted: the XML markup was not preserved in the list archive]

--
Thanks,
Aman Jaiswal

From sthorger at redhat.com Thu Sep 8 05:34:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 8 Sep 2016 11:34:24 +0200
Subject: [keycloak-user] Fwd: keycloak-2.1.0.Final On cluster
In-Reply-To:
References:
Message-ID:

From your description it sounds like you don't have a working clustering setup at all. Your issue with non-sticky sessions is caused by the fact that the nodes don't have the same user sessions cache. The issue with sticky sessions and passwords is caused by the invalidation cache for realms not being shared.

Look in your logs: do the nodes see each other and join the same cluster?

If you search the user forum there are a few threads around reliable setup of clustering on AWS. I can't remember the exact details myself and have never tried it either, so can't help you with the correct steps.

On 8 September 2016 at 08:46, Aman Jaiswal wrote:
>
> https://developer.jboss.org/message/962625#962625
>
> Hi
>
> I am trying to run keycloak-2.1.0.Final in Cluster mode on AWS, but AWS does not support multicast.
>
> For the previous version keycloak-1.5.0.Final it is working fine in cluster mode, but the new version keycloak-2.1.0.Final is not working precisely in cluster mode.
>
> The setup of keycloak-1.5.0.Final was done by a different person and I am trying to replicate the same settings on keycloak-2.1.0.Final.
>
> I have 2 AWS servers which are running behind the load balancer with an S3 bucket; the S3 bucket is used to set up communication between both the servers.
>
> After starting keycloak I thought it was working fine because both my instances are running behind the load balancer and the S3 buckets are working fine, but I was wrong, it is not working fine. After changing the password I realised that it is not working fine because after logout sometimes I am able to login with the new password and sometimes it accepts the old one. First I thought it was a load balancer stickiness problem so I changed it.
>
> Here are the problems with this when stickiness is enabled or disabled:
>
> 1: load balancer stickiness is disabled
>    keycloak starts without any error and when trying to login it gives an error in the LOG like "Invalid User" or "an error occurred please login again through your application"
>
> 2: Load Balancer stickiness is enabled (Enable load balancer generated cookie stickiness)
>    keycloak starts without any error and also opens in the browser with admin login, and when I am trying to change the password it does not reflect on both the servers because it does not update the cache of both servers, so sometimes it gives access by new password and sometimes with the old password.
>
> I don't want to use any alternate option for this so please help me with this.
>
> Following are the settings which I have made in the standalone-ha.xml file...
> and the settings for the S3 bucket are in bold:
>
> [quoted standalone-ha.xml contents omitted: the XML markup was not preserved in the list archive]
>
> --
> Thanks,
> Aman Jaiswal
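Stian's question "do the nodes see each other and join the same cluster?" can be answered from server.log. The check below is an added example, not something from the thread or from Keycloak itself: it reads the cluster-view lines that Infinispan logs on each node and reports how many members the latest view had. The ISPN000094 message format and the sample log lines are assumed and constructed, not taken from Aman's servers.

```shell
#!/bin/sh
# Added example: detect from a WildFly/Keycloak server.log whether this node
# ever joined a JGroups cluster view of the expected size.
# Assumed log format (Infinispan, WildFly 10):
#   ISPN000094: Received new cluster view for channel ee: [node-1|1] (2) [node-1, node-2]
# "(2)" is the member count of that view; a node that only ever logs "(1)"
# never found its peer, which matches the password/session symptoms above.

# Print the member count of the most recent cluster view for a channel.
# Usage: cluster_view_size <server.log> [channel]   (channel defaults to "ee")
cluster_view_size() {
    log="$1"
    channel="${2:-ee}"
    # Views are logged in order; the last one is the current membership.
    line=$(grep "Received new cluster view for channel ${channel}:" "$log" | tail -n 1)
    [ -n "$line" ] || { echo 0; return 1; }
    # Member count is the number in parentheses after the "[coordinator|viewId]" token.
    echo "$line" | sed -n 's/.*| *[0-9]*] *(\([0-9]*\)) .*/\1/p'
}

# Succeed (exit 0) only when the latest view has at least <expected> members.
# Usage: cluster_is_formed <server.log> <expected> [channel]
cluster_is_formed() {
    log="$1"
    expected="$2"
    channel="${3:-ee}"
    size=$(cluster_view_size "$log" "$channel") || return 1
    [ "$size" -ge "$expected" ]
}

# Constructed sample log: the node starts alone (view size 1), then a second
# node joins (view size 2). Not real output from any server in the thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2016-09-08 08:40:01,120 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ee: [node-1|0] (1) [node-1]
2016-09-08 08:40:03,415 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started sessions cache from keycloak container
2016-09-08 08:41:17,902 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,node-1) ISPN000094: Received new cluster view for channel ee: [node-1|1] (2) [node-1, node-2]
EOF

# Constructed "broken discovery" log: only the first two lines, so the view
# never grows beyond this single node.
LONE_LOG=$(mktemp)
head -n 2 "$SAMPLE_LOG" > "$LONE_LOG"

# Report both cases; on a real server replace the path with standalone/log/server.log.
for f in "$SAMPLE_LOG" "$LONE_LOG"; do
    if cluster_is_formed "$f" 2; then
        echo "$f: cluster formed, $(cluster_view_size "$f") members in latest view"
    else
        echo "$f: nodes have NOT found each other, latest view size $(cluster_view_size "$f")"
    fi
done
```

Run it against each node's server.log with the real node count as the second argument; if any node reports a view smaller than that, JGroups discovery (S3_PING here) is the thing to fix before looking at load balancer stickiness.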
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/e52500d6/attachment-0001.html From Marcin.Wieloch at sicpa.com Thu Sep 8 06:01:39 2016 From: Marcin.Wieloch at sicpa.com (Wieloch, Marcin) Date: Thu, 8 Sep 2016 10:01:39 +0000 Subject: [keycloak-user] One-time access token Message-ID: Hi, I am working on a system where we would like to enforce that for some particular resources the resource owner has to authorise each access to such a resource. In other words, we want the user to re-type his username and password each time he executes a particular operation. In this context, does Keycloak provide something like 'one-time' access tokens? Or does it maybe support such a use case in yet another way? Best regards, Marcin The information in this email and any attachments is confidential and intended solely for the use of the individual(s) to whom it is addressed or otherwise directed. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. Finally, the recipient should check this email and any attachments for the presence of viruses. The Company accepts no liability for any damage caused by any virus transmitted by this email. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/fbc48cce/attachment.html From Stefan.Kasala at posam.sk Thu Sep 8 07:05:34 2016 From: Stefan.Kasala at posam.sk (KASALA Štefan) Date: Thu, 8 Sep 2016 11:05:34 +0000 Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer In-Reply-To: References: Message-ID: <5aa71214e04e41a9babc330b2467f6f3@posam.sk> Hello, Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. 
We configured the keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html. The configuration is still not complete/correct, probably I missed something. When I access the proxied url for either of our configured realms I get the unproxied auth-server-url:

[localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "governance",
    "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}

[localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "master",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}

How can I configure it to return the proxied version? Thanks. Stefan. From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Tuesday, June 28, 2016 3:51 PM To: KASALA Štefan Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer Firstly, please upgrade to a more recent Keycloak version. 
Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html for details on how to set up a reverse proxy / load balancer in front of Keycloak. On 27 June 2016 at 09:18, KASALA Štefan wrote: Hello, we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the REST interface of RtGov directly on machine app01 but not using lbapp; I get 401 - Unauthorized from Keycloak. My guess is there is some check against the hostname in the HTTP request. Is there some possibility to register aliases with Keycloak to enable calls via the load balancer? Thanks. Stefan Kasala ________________________________ This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
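An added example for the exchange above, not from the thread and not Keycloak code: a small JavaScript model of how the proxy's request headers and the http-listener's proxy-address-forwarding setting decide which base URL the server reports as auth-server-url, and why that setting is only safe when the listener is reachable solely through the proxy. The host names are the ones from Stefan's output; the proxy address 10.0.0.1, the client addresses and the trustedProxies check are assumptions made for the example (as far as I know the listener setting offers no allowlist of its own; in practice the equivalent is firewalling port 8081 so that only the proxy can reach it).

```javascript
// Added example (not from the thread or from Keycloak): a model of how the reverse
// proxy's headers and the http-listener's proxy-address-forwarding setting decide the
// base URL Keycloak reports as auth-server-url. Host names are from the thread; the
// addresses and the trustedProxies check are assumptions made for the example.

const BACKEND = { host: 'machine01.our.domain', port: 8081 };
const PROXY_IP = '10.0.0.1';   // constructed: the address Apache connects from

// Request as Apache mod_proxy_http hands it to the backend. mod_proxy adds
// X-Forwarded-For and X-Forwarded-Host by itself; Host is rewritten to the backend
// unless ProxyPreserveHost is on; X-Forwarded-Proto only exists if the proxy config sets it.
function apacheProxiedRequest(clientIp, publicHost, opts = {}) {
  const headers = {
    'host': opts.preserveHost ? publicHost : `${BACKEND.host}:${BACKEND.port}`,
    'x-forwarded-for': clientIp,
    'x-forwarded-host': publicHost,
  };
  if (opts.forwardedProto) headers['x-forwarded-proto'] = opts.forwardedProto;
  return { peer: PROXY_IP, scheme: 'http', headers, path: '/auth' };
}

// What the listener believes about a request. With proxy-address-forwarding on, the
// X-Forwarded-* values replace scheme, host, port and client address; the setting itself
// does not ask who sent them, so `trustedProxies` stands in for the network-level
// restriction (only the proxy may reach port 8081) that has to exist alongside it.
function resolveRequest(req, { proxyAddressForwarding = false, trustedProxies = null } = {}) {
  const h = req.headers;
  let scheme = req.scheme;
  let host = h['host'];
  let clientIp = req.peer;
  const trusted = trustedProxies === null || trustedProxies.includes(req.peer);
  if (proxyAddressForwarding && trusted) {
    if (h['x-forwarded-proto']) scheme = h['x-forwarded-proto'].split(',')[0].trim();
    if (h['x-forwarded-host']) host = h['x-forwarded-host'].split(',')[0].trim();
    if (h['x-forwarded-port']) host = `${host.split(':')[0]}:${h['x-forwarded-port'].trim()}`;
    if (h['x-forwarded-for']) clientIp = h['x-forwarded-for'].split(',')[0].trim();
  }
  // Default ports are not written into URLs.
  const [name, port] = host.split(':');
  const defaultPort = scheme === 'https' ? '443' : '80';
  const authority = port && port !== defaultPort ? `${name}:${port}` : name;
  return { baseUrl: `${scheme}://${authority}${req.path}`, clientIp };
}

// The admin console's /console/config reports the base URL the server derived this way.
function authServerUrl(req, listenerOpts) {
  return resolveRequest(req, listenerOpts).baseUrl;
}

function demo() {
  const viaProxy = apacheProxiedRequest('203.0.113.5', 'lb.our.domain');
  const preserved = apacheProxiedRequest('203.0.113.5', 'lb.our.domain', { preserveHost: true });
  const tls = apacheProxiedRequest('203.0.113.5', 'lb.our.domain', { forwardedProto: 'https' });
  // Constructed: a client that reaches 8081 directly and forges the headers the proxy would add.
  const forged = {
    peer: '198.51.100.7', scheme: 'http', path: '/auth',
    headers: { 'host': `${BACKEND.host}:${BACKEND.port}`, 'x-forwarded-host': 'evil.example', 'x-forwarded-for': '127.0.0.1' },
  };
  return {
    symptom: authServerUrl(viaProxy, { proxyAddressForwarding: false }),
    preserveHostOnly: resolveRequest(preserved, { proxyAddressForwarding: false }),
    forwarding: resolveRequest(viaProxy, { proxyAddressForwarding: true }),
    forwardingTls: authServerUrl(tls, { proxyAddressForwarding: true }),
    forgedOpen: resolveRequest(forged, { proxyAddressForwarding: true }),
    forgedRestricted: resolveRequest(forged, { proxyAddressForwarding: true, trustedProxies: [PROXY_IP] }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The symptom case reproduces the output in the thread: Apache rewrites Host to the backend and, with forwarding off, Keycloak builds its URLs from that. ProxyPreserveHost On alone fixes the host name but still leaves Keycloak seeing the proxy as the client and http as the scheme, which is what ssl-required=external, brute-force detection and the events log key on; proxy-address-forwarding fixes all three, and the forged case shows what it costs if the backend port is reachable directly.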
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/f28d2d61/attachment-0001.html From mposolda at redhat.com Thu Sep 8 08:04:38 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 8 Sep 2016 14:04:38 +0200 Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user In-Reply-To: References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com> Message-ID: Hi Edgar, I was trying to reproduce, but wasn't able to. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users/{userId} so I understand why it fails. But I am not seeing anything in the admin console UI which invokes it in that format. Feel free to create a JIRA if you find steps to reproduce it from a clean KC. Marek On 07/09/16 13:33, Edgar Vonk - Info.nl wrote: > Hi Marek, > > It's the brute force detection REST endpoint that is causing the issue. > > /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar at info.nl > > gives a: "Failed to load resource: the server responded with a status of 405 (Method Not Allowed)" > > >> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl wrote: >> >> Hi Marek, >> >> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately. >> >> Will try to find the endpoint in question and report back! >> >> cheers >> >>> On 07 Sep 2016, at 11:24, Marek Posolda wrote: >>> >>> I guess you need to add "view-users" role as well? >>> >>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires. 
>>> >>> Marek >>> >>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote: >>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role), whenever I click on a user in the Keycloak admin interface (Manage - Users) I get an "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems. >>>> >>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something? >>>> >>>> >>>> 08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header >>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377) >>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116) >>>> at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43) >>>> at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) >>>> at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>> at java.lang.Thread.run(Thread.java:745) >>>> 
>>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From andyyar66 at gmail.com Thu Sep 8 08:07:54 2016 From: andyyar66 at gmail.com (Andy Yar) Date: Thu, 8 Sep 2016 14:07:54 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: <57CE6008.8010006@redhat.com> Message-ID: Yes, I did - Web Origins: http://localhost:4200. That's where my dev server runs. When I change the origin in the Keycloak admin console to something different I can't even log in due to CORS errors. So I guess this setting is correct. Setting a really short max SSO session TTL results in both cookie checks (quiet Chrome and page reloading Firefox/Edge) detecting the tokens' validity and redirecting to the login page. My other observation: when I perform an SSO logout in Keycloak the app running in Chrome doesn't log me out after its quiet cookie check. In Firefox/Edge it detects the SSO logout correctly during the horrible cookie checking page reload. On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen wrote: > Did you add correct origins for your app in the Keycloak admin console? > > On 7 September 2016 at 16:30, Andy Yar wrote: > >> Hello, >> I've tried running https://github.com/keycloak/ke >> ycloak/tree/master/examples/demo-template/angular2-product-app app on >> localhost against my Keycloak instance. The page reloading issue caused by >> iFrame checks was present too. >> >> The only significant change I made to the demo app was replacing the >> keycloak.json with mine. The difference is using a non-localhost URL: >> "auth-server-url": "http://:8080/sso". CORS comes to mind. 
>> >> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote: >> >>> I've spent some time in Firefox's debugger and found out that the >>> redirect occurs right after the window.postMessage() is called in the >>> checkLoginFrame function. >>> >>> The demo project code seems to be in line with my code. Might try its >>> runtime behavior later. >>> >>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda >>> wrote: >>> >>>> On 01/09/16 23:34, Andy Yar wrote: >>>> >>>> Hello, >>>> I've created a template of an Angular-based app using the keycloak.js lib. >>>> After a successful login the app/page periodically reloads itself. I guess >>>> it's because of the iFrame session check being set to a 5sec interval >>>> (requesting url: /#state=&code=). >>>> >>>> That's strange... IFrame is supposed to just check the cookie, not to >>>> do any reload. >>>> >>>> Maybe take a look at our angular examples and see if you do something >>>> differently? See https://github.com/keycloak/ke >>>> ycloak/tree/master/examples/demo-template/angular-product-app . Note >>>> the angular.bootstrap called after Keycloak authentication is fully >>>> finished. >>>> >>>> Marek >>>> >>>> >>>> This happens in latest Firefox and Edge. Chrome seems to handle these >>>> reloads quietly. >>>> >>>> Is this intended? >>>> >>>> Thanks >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/6254e1db/attachment.html From jan.blok at RIGD-Loxia.nl Thu Sep 8 08:39:56 2016 From: jan.blok at RIGD-Loxia.nl (Blok J (Jan) (RIGD-LOXIA)) Date: Thu, 8 Sep 2016 12:39:56 +0000 Subject: [keycloak-user] Roadmap: Support for fully encrypted SAML response? Message-ID: <163b0574f3ea4396b740d8abac5bb1fb@ex02.nl.hr.group> Hi, A couple of months ago I created a story: https://issues.jboss.org/browse/KEYCLOAK-3103 asking for support for fully encrypted SAML responses (from Microsoft products). Is anything known roadmap-wise? Regards Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/baeae1b8/attachment.html From h.benz at first8.nl Thu Sep 8 08:48:06 2016 From: h.benz at first8.nl (Hartmut Benz) Date: Thu, 8 Sep 2016 14:48:06 +0200 Subject: [keycloak-user] How to add a link to User Account Service page in keycloak-spring app Message-ID: Hi all, when migrating a Spring application to use KeyCloak, what is the best way to add a link to the User Account Service page of the current user? I had hoped to find something similar to the "/sso/logout" relative URI that the 'standard' configuration rewrites to an appropriate call to the KC server, but digging through the docs, the spring-adapter itself, the demo project on github, and general googling have not provided an easy solution. Thanks in advance for your help and tips. Hartmut From sthorger at redhat.com Thu Sep 8 08:50:07 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Sep 2016 14:50:07 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: <57CE6008.8010006@redhat.com> Message-ID: Just spotted you're using the Angular2 example. I've got no clue about that one. It was community contributed and we've not had any experience with Angular2 ourselves. 
Please try if you're getting similar behavior with the Angular 1 example. There should be no page reload on the cookie check. It's just a window postMessage and it doesn't do anything that should cause the page to reload. On 8 September 2016 at 14:07, Andy Yar wrote: > Yes, I did - Web Origins: http://localhost:4200. That's where my dev > server runs. When I change the origin in the Keycloak admin console to > something different I can't even log in due to CORS errors. So I guess this > setting is correct. > > Setting a really short max SSO session TTL results in both cookie checks > (quiet Chrome and page reloading Firefox/Edge) detecting the tokens' > validity and redirecting to the login page. > > My other observation: when I perform an SSO logout in Keycloak the app > running in Chrome doesn't log me out after its quiet cookie check. In > Firefox/Edge it detects the SSO logout correctly during the horrible cookie > checking page reload. > > On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen > wrote: > >> Did you add correct origins for your app in the Keycloak admin console? >> >> On 7 September 2016 at 16:30, Andy Yar wrote: >> >>> Hello, >>> I've tried running https://github.com/keycloak/ke >>> ycloak/tree/master/examples/demo-template/angular2-product-app app on >>> localhost against my Keycloak instance. The page reloading issue caused by >>> iFrame checks was present too. >>> >>> The only significant change I made to the demo app was replacing the >>> keycloak.json with mine. The difference is using a non-localhost URL: >>> "auth-server-url": "http://:8080/sso". CORS comes to mind. >>> >>> >>> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote: >>> >>>> I've spent some time in Firefox's debugger and found out that the >>>> redirect occurs right after the window.postMessage() is called in the >>>> checkLoginFrame function. >>>> >>>> The demo project code seems to be in line with my code. Might try its >>>> runtime behavior later. 
>>>> >>>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda >>>> wrote: >>>> >>>>> On 01/09/16 23:34, Andy Yar wrote: >>>>> >>>>> Hello, >>>>> I've created a template of an Angular-based app using the keycloak.js lib. >>>>> After a successful login the app/page periodically reloads itself. I guess >>>>> it's because of the iFrame session check being set to a 5sec interval >>>>> (requesting url: /#state=&code=). >>>>> >>>>> That's strange... IFrame is supposed to just check the cookie, not to >>>>> do any reload. >>>>> >>>>> Maybe take a look at our angular examples and see if you do something >>>>> differently? See https://github.com/keycloak/ke >>>>> ycloak/tree/master/examples/demo-template/angular-product-app . Note >>>>> the angular.bootstrap called after Keycloak authentication is fully >>>>> finished. >>>>> >>>>> Marek >>>>> >>>>> >>>>> This happens in latest Firefox and Edge. Chrome seems to handle these >>>>> reloads quietly. >>>>> >>>>> Is this intended? >>>>> >>>>> Thanks >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/fa3fdbf2/attachment.html From andyyar66 at gmail.com Thu Sep 8 09:48:00 2016 From: andyyar66 at gmail.com (Andy Yar) Date: Thu, 8 Sep 2016 15:48:00 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: <57CE6008.8010006@redhat.com> Message-ID: Ok, will check the original AngularJS demo for that harmless window.postMessage(). Thanks for your effort! 
On Thu, Sep 8, 2016 at 2:50 PM, Stian Thorgersen wrote: > Just spotted you're using the Angular2 example. I've got no clue about > that one. It was community contributed and we've not had any experience > with Angular2 ourselves. > > Please try if you're getting similar behavior with the Angular 1 example. > > There should be no page reload on the cookie check. It's just a window > postMessage and it doesn't do anything that should cause the page to reload. > > On 8 September 2016 at 14:07, Andy Yar wrote: > >> Yes, I did - Web Origins: http://localhost:4200. That's where my dev >> server runs. When I change the origin in the Keycloak admin console to >> something different I can't even log in due to CORS errors. So I guess this >> setting is correct. >> >> Setting a really short max SSO session TTL results in both cookie checks >> (quiet Chrome and page reloading Firefox/Edge) detecting the tokens' >> validity and redirecting to the login page. >> >> My other observation: when I perform an SSO logout in Keycloak the app >> running in Chrome doesn't log me out after its quiet cookie check. In >> Firefox/Edge it detects the SSO logout correctly during the horrible cookie >> checking page reload. >> >> On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen >> wrote: >> >>> Did you add correct origins for your app in the Keycloak admin console? >>> >>> On 7 September 2016 at 16:30, Andy Yar wrote: >>> >>>> Hello, >>>> I've tried running https://github.com/keycloak/ke >>>> ycloak/tree/master/examples/demo-template/angular2-product-app app on >>>> localhost against my Keycloak instance. The page reloading issue caused by >>>> iFrame checks was present too. >>>> >>>> The only significant change I made to the demo app was replacing the >>>> keycloak.json with mine. The difference is using a non-localhost URL: >>>> "auth-server-url": "http://:8080/sso". CORS comes to mind. 
>>>> >>>> >>>> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote: >>>> >>>>> I've spent some time in Firefox's debugger and found out that the >>>>> redirect occurs right after the window.postMessage() is called in the >>>>> checkLoginFrame function. >>>>> >>>>> The demo project code seems to be in line with my code. Might try its >>>>> runtime behavior later. >>>>> >>>>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda >>>>> wrote: >>>>> >>>>>> On 01/09/16 23:34, Andy Yar wrote: >>>>>> >>>>>> Hello, >>>>>> I've created a template of an Angular-based app using the keycloak.js lib. >>>>>> After a successful login the app/page periodically reloads itself. I guess >>>>>> it's because of the iFrame session check being set to a 5sec interval >>>>>> (requesting url: /#state=&code=). >>>>>> >>>>>> That's strange... IFrame is supposed to just check the cookie, not to >>>>>> do any reload. >>>>>> >>>>>> Maybe take a look at our angular examples and see if you do something >>>>>> differently? See https://github.com/keycloak/ke >>>>>> ycloak/tree/master/examples/demo-template/angular-product-app . Note >>>>>> the angular.bootstrap called after Keycloak authentication is fully >>>>>> finished. >>>>>> >>>>>> Marek >>>>>> >>>>>> >>>>>> This happens in latest Firefox and Edge. Chrome seems to handle these >>>>>> reloads quietly. >>>>>> >>>>>> Is this intended? >>>>>> >>>>>> Thanks >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
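An added example for the thread above, not from the thread and not the keycloak.js or Keycloak code: a JavaScript model of the login-status iframe exchange Stian describes, written to show why the check itself never touches the page and why the Web Origins setting Andy checked matters. keycloak.js posts "<client_id> <session_state>" to an iframe served from the auth server every few seconds; the iframe compares session_state with its own SSO cookie and posts back unchanged or changed, and the app treats anything else as an error. The origins, client id and session identifiers are constructed, and the message formats are my reading of keycloak.js, so treat them as an assumption.

```javascript
// Added example (not keycloak.js or Keycloak code): a model of the login-status
// iframe exchange. The app posts "<client_id> <session_state>" to an iframe served
// from the auth server; the iframe answers "unchanged" or "changed". Origins, client
// id and session ids are constructed; the message formats are my reading of keycloak.js.

const AUTH_SERVER_ORIGIN = 'http://sso.example:8080';        // assumed auth server origin
const WEB_ORIGINS = { app: ['http://localhost:4200'] };       // client id -> registered Web Origins

// App side: the query keycloak.js sends every checkLoginIframeInterval seconds.
// targetOrigin is the auth server, never '*', so the session id is not handed to a
// frame that turned out to be something else.
function statusQuery(clientId, sessionState) {
  return { data: `${clientId} ${sessionState}`, targetOrigin: AUTH_SERVER_ORIGIN };
}

// Iframe side, running on the auth server origin. `event` models a MessageEvent
// ({ origin, data }); `cookieSessionState` is the session the SSO cookie currently
// names, or null once the SSO session is gone (logout, expiry).
function handleStatusQuery(event, cookieSessionState) {
  const parts = String(event.data).split(' ');
  if (parts.length !== 2) return null;                        // malformed: no reply at all
  const [clientId, sessionState] = parts;
  const allowed = WEB_ORIGINS[clientId] || [];
  if (!allowed.includes(event.origin)) {
    return { data: 'error', targetOrigin: event.origin };     // unregistered origin learns nothing about the session
  }
  const data = cookieSessionState !== null && cookieSessionState === sessionState ? 'unchanged' : 'changed';
  return { data, targetOrigin: event.origin };
}

// App side: what to do with a reply. None of the outcomes navigates or reloads the page.
function handleStatusReply(event) {
  if (event.origin !== AUTH_SERVER_ORIGIN) return 'ignore';   // any frame can postMessage; only the server's word counts
  if (event.data === 'unchanged') return 'keep-session';
  if (event.data === 'changed') return 'clear-tokens';        // SSO session is gone: drop tokens, next call re-authenticates
  return 'error';
}

// One round trip, standing in for window.postMessage on both sides.
function checkOnce(app, cookieSessionState) {
  const q = statusQuery(app.clientId, app.sessionState);
  const reply = handleStatusQuery({ origin: app.origin, data: q.data }, cookieSessionState);
  if (reply === null) return 'no-reply';
  return handleStatusReply({ origin: q.targetOrigin, data: reply.data });
}

function demo() {
  const app = { origin: 'http://localhost:4200', clientId: 'app', sessionState: 'sess-1' };   // constructed
  return {
    loggedIn: checkOnce(app, 'sess-1'),
    afterSsoLogout: checkOnce(app, null),
    otherSession: checkOnce(app, 'sess-2'),
    unregisteredOrigin: checkOnce({ ...app, origin: 'http://localhost:4201' }, 'sess-1'),
    spoofedReply: handleStatusReply({ origin: 'http://evil.example', data: 'changed' }),
  };
}

console.log(demo());
```

The unregisteredOrigin case is the situation Stian asked about first: with the wrong Web Origins the iframe answers error rather than unchanged, and keycloak.js then has no usable session status at all. The spoofedReply case is the other half of the origin check: a reply must come from the auth server origin before the app acts on it.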
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/f787f719/attachment.html From psilva at redhat.com Thu Sep 8 10:01:35 2016 From: psilva at redhat.com (Pedro Igor) Date: Thu, 08 Sep 2016 11:01:35 -0300 Subject: [keycloak-user] Roadmap: Support for fully encrypted SAML response? In-Reply-To: <163b0574f3ea4396b740d8abac5bb1fb@ex02.nl.hr.group> References: <163b0574f3ea4396b740d8abac5bb1fb@ex02.nl.hr.group> Message-ID: <1473343295.2610.10.camel@redhat.com> Hi Jan, AFAIK, SAML adapters are able to handle a SAML encrypted Response, Assertion or both. Can you update that JIRA with an example of a SAML encrypted response? Logs would also be helpful. Regards. Pedro Igor On Thu, 2016-09-08 at 12:39 +0000, Blok J (Jan) (RIGD-LOXIA) wrote: > > > Hi, > > A couple of months ago I created a story: > https://issues.jboss.org/browse/KEYCLOAK-3103 > asking for support for fully encrypted SAML responses (from Microsoft > products). > > Is anything known roadmap-wise? > > Regards Jan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From firemanxbr at fedoraproject.org Thu Sep 8 10:29:40 2016 From: firemanxbr at fedoraproject.org (Marcelo Barbosa) Date: Thu, 08 Sep 2016 14:29:40 +0000 Subject: [keycloak-user] Keycloak integrated with Google Apps Message-ID: Hi all, I really would like to create documentation and a case study using Keycloak totally integrated with Google Apps, but in two months of using Keycloak I haven't had success. I think the major thing for the Keycloak project is to take on a person with the time and resources for complete testing of the project. I sent some errors in other emails and didn't receive any help; if someone helps me that will be good, otherwise I will be forced to go to the simpleSAMLphp project, which works seamlessly with AD and Google Apps. Cheers, -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/964d4d3c/attachment.html From thomas.darimont at googlemail.com Thu Sep 8 11:20:20 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 8 Sep 2016 17:20:20 +0200 Subject: [keycloak-user] Example for decoding JWT Token in Shell Message-ID: Hello group, just found an interesting example for decoding a JWT token in the shell. Perhaps some of you might find that handy... see below. Cheers, Thomas

KC_REALM=acme-test
KC_USERNAME=tester
KC_PASSWORD=test
KC_CLIENT=app1
KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
KC_URL="http://localhost:8081/auth"

# Request Tokens for credentials (direct access grant)
# -k disables TLS certificate verification and the -d values are visible in the process list: fine against a local test server, not elsewhere
KC_RESPONSE=$( \
curl -k -v \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
| jq . )

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)

# one-liner to decode access token (the payload is base64url without padding: map the alphabet and re-pad before base64 -d; this decodes only and does not check the signature)
seg=$(echo -n "$KC_ACCESS_TOKEN" | cut -d "." -f 2 | tr '_-' '/+'); { printf '%s' "$seg"; printf '%*s' $(( (4 - ${#seg} % 4) % 4 )) '' | tr ' ' '='; } | base64 -d | jq .

{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "iss": "http://localhost:8081/auth/realms/acme-test",
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": { "roles": [ "user" ] },
    "account": { "roles": [ "manage-account", "view-profile" ] }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester at localhost"
}

-------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/2435eee6/attachment.html From thomas.darimont at googlemail.com Thu Sep 8 11:26:38 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 8 Sep 2016 17:26:38 +0200 Subject: [keycloak-user] Example for decoding JWT Token in Shell In-Reply-To: References: Message-ID: ... and here is a quick helper function for your shell:

#Keycloak
decode_jwt(){
  local seg pad
  seg=$(printf '%s' "$1" | cut -d "." -f 2 | tr '_-' '/+')   # base64url -> base64 alphabet
  pad=$(( (4 - ${#seg} % 4) % 4 ))                            # restore the '=' padding JWTs strip
  { printf '%s' "$seg"; printf '%*s' "$pad" '' | tr ' ' '='; } | base64 -d | jq .   # decodes only; no signature check
}
alias jwtd=decode_jwt

$ jwtd $KC_ACCESS_TOKEN
{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "iss": "http://localhost:8081/auth/realms/acme-test",
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": { "roles": [ "user" ] },
    "account": { "roles": [ "manage-account", "view-profile" ] }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester at localhost"
}

Cheers, Thomas 2016-09-08 17:20 GMT+02:00 Thomas Darimont : > Hello group, > > just found an interesting example for decoding a JWT token in the shell. > Perhaps some of you might find that handy... see below. > > Cheers, > Thomas > > KC_REALM=acme-test > KC_USERNAME=tester > KC_PASSWORD=test > KC_CLIENT=app1 > KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032 > KC_URL="http://localhost:8081/auth" > > # Request Tokens for credentials > KC_RESPONSE=$( \ > curl -k -v \ > -d "username=$KC_USERNAME" \ > -d "password=$KC_PASSWORD" \ > -d 'grant_type=password' \ > -d "client_id=$KC_CLIENT" \ > -d "client_secret=$KC_CLIENT_SECRET" \ > "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \ > | jq . 
> ) > > KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) > KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) > KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) > > # one-liner to decode access token > echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq . > > { > "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd", > "exp": 1473348085, > "nbf": 0, > "iat": 1473347785, > "iss": "http://localhost:8081/auth/realms/acme-test", > "aud": "app1", > "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af", > "typ": "Bearer", > "azp": "app1", > "auth_time": 0, > "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b", > "acr": "1", > "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb", > "allowed-origins": [], > "resource_access": { > "app-js-demo-client": { > "roles": [ > "user" > ] > }, > "account": { > "roles": [ > "manage-account", > "view-profile" > ] > } > }, > "name": "Theo Tester", > "preferred_username": "tester", > "given_name": "Theo", > "family_name": "Tester", > "email": "tom+tester at localhost" > } > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/8da52cdd/attachment-0001.html From getjonrathbone at gmail.com Thu Sep 8 11:27:00 2016 From: getjonrathbone at gmail.com (Jonathan Rathbone) Date: Thu, 8 Sep 2016 16:27:00 +0100 Subject: [keycloak-user] Integrating with enterprise PKI e.g. Entrust.. In-Reply-To: References: <0BFDC0C8-E634-4924-A165-1D197EB31FFE@gmail.com> Message-ID: <9C995302-B73C-40F3-838C-78B597AD0B0A@gmail.com> Hi there, Ok, the customer organisation has a corporate PKI infrastructure where instead of username/passwords users are issued certificates. These certificates are used as the credentials for logging in to web applications. I'd like to understand what I would need to do for Keycloak to accept this certificate from the browser as a credential, instead of password or OTP. Similar to the way it can accept a Kerberos ticket? 
Sincere thanks,

Jon

> On 8 Sep 2016, at 07:33, Stian Thorgersen wrote:
>
> Can you elaborate a bit on exactly what you want? "integrate our app suite with their enterprise PKI solution for IDP and SSO" is a bit vague.
>
>> On 6 September 2016 at 12:38, Jonathan Rathbone wrote:
>>
>> Hi there,
>>
>> hope you can help. I've searched the documentation, and nothing seems to jump out that clarifies this so...
>>
>> I have a set of web apps and services, all secured with Keycloak using OAuth and JWT, with Single-Sign-On.
>>
>> I have a potential customer who is looking for us to integrate our app suite with their enterprise PKI solution for IDP and SSO.
>>
>> Is there a way that Keycloak can enable this for us, so that we can keep our app architecture isolated from the customer's specific security architecture, or will we have to produce a version of our apps and services that have a dedicated integration to the enterprise PKI solution's services?
>>
>> Sorry if this is a bit of a noob question!
>>
>> sincere thanks,
>>
>> Jon
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/55d57f96/attachment-0001.html
From jblashka at redhat.com Thu Sep 8 12:36:05 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Thu, 8 Sep 2016 12:36:05 -0400
Subject: [keycloak-user] CDI Support within Authenticators and Providers?
Message-ID: 

Is there a way to enable CDI support within custom Authenticator and Provider implementations?

I added the weld subsystem into our standalone.xml and added a beans.xml into the keycloak-server-subsystem WEB-INF directory, but the weld subsystem still wasn't recognizing the keycloak-server.war deployment as CDI-enabled (though other wars deployed on JBoss were recognized without issues).
I wanted to provide a default cache manager and annotate some of my authenticator/provider methods with @CacheResult to cache some fairly lengthy (but stable) data fetch operations.

I could manually persist this data in an infinispan cache, but using the annotations would be cleaner.

Jared
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/a7b56d7c/attachment.html
From srossillo at smartling.com Thu Sep 8 13:12:07 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 8 Sep 2016 13:12:07 -0400
Subject: [keycloak-user] How to add a link to User Account Service page in keycloak-spring app
In-Reply-To: 
References: 
Message-ID: <20B9A9EF-A71E-48D2-937E-7FF76F497330@smartling.com>

Hi,

The account page for a user on Keycloak is ${keycloak_server_url}/auth/realms/${realm}/account

You should have all the info you need to construct that from your client's Keycloak configuration.

Let us know if you need more help.

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Sep 8, 2016, at 8:48 AM, Hartmut Benz wrote:
>
> Hi all,
> when migrating a spring application to use KeyCloak, what is the best way to add a link to User Account Service page of the current user?
> I had hoped to find something similar to the "/sso/logout" relative URI that the 'standard' configuration rewrites to an appropriate call to the KC server, but digging through the docs, the spring-adapter itself, demo project on github, and general googling have not provided an easy solution.
>
> Thanks in advance for your help and tips.
> Hartmut
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/028d4b84/attachment.html From bburke at redhat.com Thu Sep 8 13:26:44 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 8 Sep 2016 13:26:44 -0400 Subject: [keycloak-user] CDI Support within Authenticators and Providers? In-Reply-To: References: Message-ID: <43059ea7-57de-dd56-e0bb-97d6b343722e@redhat.com> We have a new deployer in master that will be out in 2.2. You can create a provider in any Java EE deployment WAR, EAR, JAR, etc. The only requirement is that the ProviderFactory must be a pojo. You should be able to hook into CDI then. On 9/8/16 12:36 PM, Jared Blashka wrote: > Is there a way to enable CDI support within custom Authenticator and > Provider implementations? > > I added the weld subsystem into our standalone.xml and added a > beans.xml into the keycloak-server-subsystem WEB-INF directory, but > the weld subsystem still wasn't recognizing the keycloak-server.war > deployment as CDI-enabled (though other wars deployed on JBoss were > recognized without issues). > > I wanted to provide a default cache manager and annotate some of my > authenticator/provider methods with @CacheResult to cache some fairly > lengthy (but stable) data fetch operations. > > I could manually persist this data in an infinispan cache, but using > the annotations would be cleaner > > Jared > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/c56beaf4/attachment.html
From eric.matte at bionxinternational.com Thu Sep 8 14:30:34 2016
From: eric.matte at bionxinternational.com (Eric Matte)
Date: Thu, 8 Sep 2016 18:30:34 +0000
Subject: [keycloak-user] Get user's roles from groups using POST
Message-ID: 

Hi, I need to get all user roles from a specified user ID from all assigned groups for this particular user.

I have searched into the API documentation and found no link that could return me all roles of the authenticated user.

Currently, I have the user id, the realm name, the client id, and an admin token.

I need to send a POST method from my backend in order for it to properly set all the session's variables.

http://www.keycloak.org/docs/rest-api/#_userrepresentation

From this link, UserRepresentation seems to have everything I need, but while checking the code on GitHub, the function for "GET /admin/realms/{realm}/users/{id}" only returns the first few variables (name, email, id, etc.). But, clientRoles, for instance, is not returned.

Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/a9041425/attachment.html
From mailamitarora at gmail.com Thu Sep 8 17:04:31 2016
From: mailamitarora at gmail.com (Amit Arora)
Date: Thu, 8 Sep 2016 17:04:31 -0400
Subject: [keycloak-user] help
Message-ID: 

I need to know if I can update a particular user's totp using any rest service on keycloak. Can I pass the bearer access_token on the service along with totp / totpsecret to get totp updated/added for the owner of the access_token?

Please help me out.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160908/a4f50d77/attachment-0001.html From sthorger at redhat.com Fri Sep 9 02:49:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 9 Sep 2016 08:49:05 +0200 Subject: [keycloak-user] One-time access token In-Reply-To: References: Message-ID: We are planning to add the ability for an application to require a user to re-authenticate. There's basically two parts to that. First the token needs to contain the time the user authenticated, secondly the application needs to be able to require user login screen to be displayed even if the user is already authenticated. Not sure if this is sufficient for your requirements though. I'd probably rewrite my requirements a bit if I was you and rather than having a one-time access token require a user to have re-authenticated within a short time (a few minutes maybe) for sensitive operations. On 8 September 2016 at 12:01, Wieloch, Marcin wrote: > Hi, > > I am working on a system where we would like to enforce that for some > particular resources > the resource owner has to authorise each access to such a resource. In > other words, we want > the user to re-type in his username and password each time he executes a > particular operation. > > In this context, does Keycloak provide something like 'one-time' access > tokens? > Or does it maybe support such a use case in yet another way? > > Best regards, > Marcin > > ------------------------------ > The information in this email and any attachments is confidential and > intended solely for the use of the individual(s) to whom it is addressed or > otherwise directed. Please note that any views or opinions presented in > this email are solely those of the author and do not necessarily represent > those of the Company. Finally, the recipient should check this email and > any attachments for the presence of viruses. 
The Company accepts no > liability for any damage caused by any virus transmitted by this email. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/63c645d8/attachment.html From sthorger at redhat.com Fri Sep 9 02:50:48 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 9 Sep 2016 08:50:48 +0200 Subject: [keycloak-user] Example for decoding JWT Token in Shell In-Reply-To: References: Message-ID: I think that'll only work most of the time as tokens are base64 url encoded, not plain base64 encoded. Most of the time it works with standard base64 decoder, but once in a while those special characters that base64 url strips out gets in the way. On 8 September 2016 at 17:26, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > ... and here is a quick helper function for your shell: > > #Keycloak > decode_jwt(){ > echo -n $@ | cut -d "." -f 2 | base64 -d | jq . 
> } > alias jwtd=decode_jwt > > $ jwtd $KC_ACCESS_TOKEN > { > "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd", > "exp": 1473348085, > "nbf": 0, > "iat": 1473347785, > "iss": "http://localhost:8081/auth/realms/acme-test", > "aud": "app1", > "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af", > "typ": "Bearer", > "azp": "app1", > "auth_time": 0, > "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b", > "acr": "1", > "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb", > "allowed-origins": [], > "resource_access": { > "app-js-demo-client": { > "roles": [ > "user" > ] > }, > "account": { > "roles": [ > "manage-account", > "view-profile" > ] > } > }, > "name": "Theo Tester", > "preferred_username": "tester", > "given_name": "Theo", > "family_name": "Tester", > "email": "tom+tester at localhost" > } > > Cheers, > Thomas > > 2016-09-08 17:20 GMT+02:00 Thomas Darimont >: > >> Hello group, >> >> just found an interesting example for decoding a JWT token in the shell. >> Perhaps some of you might find that handy... see below. >> >> Cheers, >> Thomas >> >> KC_REALM=acme-test >> KC_USERNAME=tester >> KC_PASSWORD=test >> KC_CLIENT=app1 >> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032 >> KC_URL="http://localhost:8081/auth" >> >> # Request Tokens for credentials >> KC_RESPONSE=$( \ >> curl -k -v \ >> -d "username=$KC_USERNAME" \ >> -d "password=$KC_PASSWORD" \ >> -d 'grant_type=password' \ >> -d "client_id=$KC_CLIENT" \ >> -d "client_secret=$KC_CLIENT_SECRET" \ >> "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \ >> | jq . >> ) >> >> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) >> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) >> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) >> >> # one-liner to decode access token >> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq . 
>>
>> {
>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>   "exp": 1473348085,
>>   "nbf": 0,
>>   "iat": 1473347785,
>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>   "aud": "app1",
>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>   "typ": "Bearer",
>>   "azp": "app1",
>>   "auth_time": 0,
>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>   "acr": "1",
>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>   "allowed-origins": [],
>>   "resource_access": {
>>     "app-js-demo-client": {
>>       "roles": [
>>         "user"
>>       ]
>>     },
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "name": "Theo Tester",
>>   "preferred_username": "tester",
>>   "given_name": "Theo",
>>   "family_name": "Tester",
>>   "email": "tom+tester at localhost"
>> }
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/f5918545/attachment.html
From sthorger at redhat.com Fri Sep 9 03:07:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 9 Sep 2016 09:07:39 +0200
Subject: [keycloak-user] Integrating with enterprise PKI e.g. Entrust..
In-Reply-To: <9C995302-B73C-40F3-838C-78B597AD0B0A@gmail.com>
References: <0BFDC0C8-E634-4924-A165-1D197EB31FFE@gmail.com> <9C995302-B73C-40F3-838C-78B597AD0B0A@gmail.com>
Message-ID: 

We don't currently support authenticating users via certificates, but we actually have a community contribution that's awaiting review: https://github.com/keycloak/keycloak/pull/3167

You could give this a spin and let us know if it works for you. We aim to include it in Keycloak 2.3.

If you haven't built Keycloak from source before you can take a look at https://github.com/keycloak/keycloak/blob/master/README.md for help.
On 8 September 2016 at 17:27, Jonathan Rathbone wrote:

> Hi there,
>
> Ok, the customer organisation has a corporate PKI infrastructure where instead of username/passwords users are issued certificates. These certificates are used as the credentials for logging in to web applications.
>
> I'd like to understand what I would need to do for Keycloak to accept this certificate from the browser as a credential, instead of password or OTP. Similar to the way it can accept a Kerberos ticket?
>
> Sincere thanks,
>
> Jon
>
>
> On 8 Sep 2016, at 07:33, Stian Thorgersen wrote:
>
> Can you elaborate a bit on exactly what you want? "integrate our app suite with their enterprise PKI solution for IDP and SSO" is a bit vague.
>
> On 6 September 2016 at 12:38, Jonathan Rathbone wrote:
>
>> Hi there,
>>
>> hope you can help. I've searched the documentation, and nothing seems to jump out that clarifies this so...
>>
>> I have a set of web apps and services, all secured with Keycloak using OAuth and JWT, with Single-Sign-On.
>>
>> I have a potential customer who is looking for us to integrate our app suite with their enterprise PKI solution for IDP and SSO.
>>
>> Is there a way that Keycloak can enable this for us, so that we can keep our app architecture isolated from the customer's specific security architecture, or will we have to produce a version of our apps and services that have a dedicated integration to the enterprise PKI solution's services?
>>
>> Sorry if this is a bit of a noob question!
>>
>> sincere thanks,
>>
>> Jon
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/02935478/attachment.html From mposolda at redhat.com Fri Sep 9 03:19:17 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 9 Sep 2016 09:19:17 +0200 Subject: [keycloak-user] help In-Reply-To: References: Message-ID: <27dbcbd0-1d8a-ee20-56a9-2184bb200aca@redhat.com> Yep. You can take a look at our testsuite for inspiration : https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java Marek On 08/09/16 23:04, Amit Arora wrote: > I need to know if I can update a particular user's totp using any rest > service on keycloak , Can I pass the bearer access_token on the > service along with totp / totpsecret to get totp updated/added for the > owner of the access_token ? > > Please help me out. > > Thanks > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/358b771b/attachment-0001.html From mposolda at redhat.com Fri Sep 9 03:19:49 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 9 Sep 2016 09:19:49 +0200 Subject: [keycloak-user] help In-Reply-To: <27dbcbd0-1d8a-ee20-56a9-2184bb200aca@redhat.com> References: <27dbcbd0-1d8a-ee20-56a9-2184bb200aca@redhat.com> Message-ID: <17de9d9f-dd5d-2522-84a4-f5d2e93d4d0f@redhat.com> or https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTotpTest.java On 09/09/16 09:19, Marek Posolda wrote: > Yep. 
> You can take a look at our testsuite for inspiration :
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
>
> Marek
>
> On 08/09/16 23:04, Amit Arora wrote:
>> I need to know if I can update a particular user's totp using any rest service on keycloak. Can I pass the bearer access_token on the service along with totp / totpsecret to get totp updated/added for the owner of the access_token?
>>
>> Please help me out.
>>
>> Thanks
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/07984792/attachment.html
From mposolda at redhat.com Fri Sep 9 03:21:50 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Sep 2016 09:21:50 +0200
Subject: [keycloak-user] Get user's roles from groups using POST
In-Reply-To: 
References: 
Message-ID: 

Yep. You can take a look at our testsuite for inspiration :
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java .

Especially see the last test, "roleMappings".

Marek

On 08/09/16 20:30, Eric Matte wrote:
>
> Hi, I need to get all user roles from a specified user ID from all assigned groups for this particular user.
>
> I have searched into the API documentation and found no link that could return me all roles of the authenticated user.
>
> Currently, I have the user id, the realm name, the client id, and an admin token.
>
> I need to send a POST method from my backend in order for it to properly set all the session's variables.
>
> http://www.keycloak.org/docs/rest-api/#_userrepresentation
>
>
> From this link, UserRepresentation seems to have everything I need, but while checking the code on GitHub, the function for "GET /admin/realms/{realm}/users/{id}" only returns the first few variables (name, email, id, etc.). But, clientRoles, for instance, is not returned.
>
> Thank you
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/5672733c/attachment.html
From mposolda at redhat.com Fri Sep 9 03:27:23 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Sep 2016 09:27:23 +0200
Subject: [keycloak-user] Keycloak integrated with Google Apps
In-Reply-To: 
References: 
Message-ID: 

A few years ago, I integrated picketlink SAML with Google-apps. The docs are here https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP . The docs may be outdated, but hopefully some points are still valid, especially for Google-apps domain setup (really not 100% sure). Note that Keycloak SAML implementation is based on Picketlink impl, so hopefully it should work.

You're right that we didn't test it (at least I am not aware). If you or someone else from the community is able to successfully integrate Keycloak with 3rd party providers like Google Apps, Salesforce, Shibboleth etc, it will be cool if you can create the blog or wiki somewhere. We can then backport to our docs or at least link it from our blog, so other community people can see it.

Marek

On 08/09/16 16:29, Marcelo Barbosa wrote:
> Hi all,
>
> I really would like to create a documentation and study case using Keycloak totally integrated with Google Apps, but in two months using Keycloak I didn't have success.
> I think the major for the Keycloak project take I person with time and > this resources for a complete testing the project. > I sent some errors in another emails and don't receive any help, if > someone help me will good, otherwise I will be forced to go to the > simpleSAMLphp project that works seamlessly with AD and Google Apps. > > Cheers, > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/7990b631/attachment.html From postmaster at lists.jboss.org Fri Sep 9 03:33:26 2016 From: postmaster at lists.jboss.org (Post Office) Date: Fri, 9 Sep 2016 13:03:26 +0530 Subject: [keycloak-user] Delivery reports about your e-mail Message-ID: <201609090733.u897XRgG021771@lists01.dmz-a.mwc.hst.phx2.redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: text.scr Type: application/octet-stream Size: 28864 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/5289e769/attachment-0001.obj From thomas.darimont at googlemail.com Fri Sep 9 03:33:38 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 9 Sep 2016 09:33:38 +0200 Subject: [keycloak-user] One-time access token In-Reply-To: References: Message-ID: Hello, I think an application should also inspect the "acr" (Authentication Context Class Reference) and "amr" (Authentication Methods References) fields of the JWT Payload. This tell an application how a user authenticated at what "ISO/IEC 29115 Entity Authentication Assurance" level and which methods were used: (social login, username/password, certificate, OTP, etc.). acr OPTIONAL. Authentication Context Class Reference. 
String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string. amr OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings. See: http://openid.net/specs/openid-connect-core-1_0.html Cheers, Thomas 2016-09-09 8:49 GMT+02:00 Stian Thorgersen : > We are planning to add the ability for an application to require a user to > re-authenticate. There's basically two parts to that. First the token needs > to contain the time the user authenticated, secondly the application needs > to be able to require user login screen to be displayed even if the user is > already authenticated. > > Not sure if this is sufficient for your requirements though. 
I'd probably > rewrite my requirements a bit if I was you and rather than having a > one-time access token require a user to have re-authenticated within a > short time (a few minutes maybe) for sensitive operations. > > On 8 September 2016 at 12:01, Wieloch, Marcin > wrote: > >> Hi, >> >> I am working on a system where we would like to enforce that for some >> particular resources >> the resource owner has to authorise each access to such a resource. In >> other words, we want >> the user to re-type in his username and password each time he executes a >> particular operation. >> >> In this context, does Keycloak provide something like 'one-time' access >> tokens? >> Or does it maybe support such a use case in yet another way? >> >> Best regards, >> Marcin >> >> ------------------------------ >> The information in this email and any attachments is confidential and >> intended solely for the use of the individual(s) to whom it is addressed or >> otherwise directed. Please note that any views or opinions presented in >> this email are solely those of the author and do not necessarily represent >> those of the Company. Finally, the recipient should check this email and >> any attachments for the presence of viruses. The Company accepts no >> liability for any damage caused by any virus transmitted by this email. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
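What a relying party can do with these claims once a token's signature has been verified, as an added example (not Keycloak code and not from the thread): a step-up check in the spirit of the suggestion above that a sensitive operation require a login within the last few minutes, implemented against the `auth_time`, `acr` and `amr` claims from the OIDC text just quoted. The payloads, the reference instant `NOW`, the `amr` values and the numeric reading of `acr` are assumptions made for the example; Keycloak's token in this thread carries `acr` as `"1"` and `auth_time` as `0` for the direct grant shown, and the check treats a `0` as "unknown" and denies, rather than guessing.

```python
"""Step-up authorization checks on an already verified token payload.

Added example; not Keycloak code and not from the thread. It assumes the
JWT signature has been verified and that the payload carries the OIDC
claims discussed above: exp/nbf, auth_time, acr and (optionally) amr.
"""
import time
from typing import Iterable, Optional, Tuple


def acr_level(acr) -> int:
    """Map an acr claim onto a comparable integer assurance level.

    Assumption for this example: the issuer emits plain level strings as
    Keycloak does ("1" in the token above). Anything else, including a
    missing claim or a URI we have not agreed a meaning for, is level 0,
    i.e. fail closed.
    """
    if isinstance(acr, bool):
        return 0
    if isinstance(acr, int):
        return acr
    if isinstance(acr, str) and acr.isdigit():
        return int(acr)
    return 0


def check_step_up(payload: dict, now: Optional[float] = None, max_auth_age: int = 300,
                  min_acr: int = 1, required_amr: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether this token may authorize a sensitive operation.

    Returns (allowed, reason). Order of checks:
      1. exp / nbf: the token itself must be valid at `now`
      2. auth_time: the interactive login must be within max_auth_age
         seconds (the "re-authenticated within a few minutes" rule); a
         missing or 0 auth_time, as in the direct-grant token in this
         thread, proves nothing and is denied
      3. acr: at least min_acr, and level 0 (long-lived browser cookie per
         the spec text) is never enough for something of value
      4. amr: every required method present, if any are required
    """
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None or now >= exp:
        return False, "token expired or carries no exp"
    if now < payload.get("nbf", 0):
        return False, "token not yet valid (nbf)"
    auth_time = payload.get("auth_time") or 0
    if auth_time <= 0:
        return False, "auth_time missing or 0: cannot prove a recent login"
    age = now - auth_time
    if age > max_auth_age:
        return False, f"last interactive login {int(age)}s ago, limit is {max_auth_age}s"
    level = acr_level(payload.get("acr"))
    if level == 0 or level < min_acr:
        return False, f"acr level {level} below required {min_acr}"
    missing = set(required_amr) - set(payload.get("amr", []))
    if missing:
        return False, f"amr lacks required method(s): {sorted(missing)}"
    return True, "ok"


# Constructed payloads. NOW is an assumed reference instant near the iat of
# the token posted in this thread; the amr values are illustrative only.
NOW = 1473347800
FRESH_PAYLOAD = {
    "iss": "http://localhost:8081/auth/realms/acme-test",
    "aud": "app1",
    "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
    "iat": NOW - 10,
    "exp": NOW + 290,
    "nbf": 0,
    "auth_time": NOW - 60,   # logged in a minute ago
    "acr": "1",
    "amr": ["pwd", "otp"],
}
STALE_PAYLOAD = dict(FRESH_PAYLOAD, auth_time=NOW - 3600)   # SSO session from an hour ago
COOKIE_ONLY_PAYLOAD = dict(FRESH_PAYLOAD, acr="0")          # level 0: cookie, no credentials
DIRECT_GRANT_PAYLOAD = dict(FRESH_PAYLOAD, auth_time=0)     # as in the thread's token

if __name__ == "__main__":
    for name, p in [("fresh", FRESH_PAYLOAD), ("stale", STALE_PAYLOAD),
                    ("cookie-only", COOKIE_ONLY_PAYLOAD), ("direct-grant", DIRECT_GRANT_PAYLOAD)]:
        print(f"{name:13s}", check_step_up(p, now=NOW, required_amr=["otp"]))
```

Only the fresh payload passes; the stale SSO session, the cookie-only login and the direct-grant token with `auth_time` 0 are all refused with a reason the application can surface as a prompt to re-authenticate.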
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/4ad7712b/attachment.html
From thomas.darimont at googlemail.com Fri Sep 9 03:37:06 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 9 Sep 2016 09:37:06 +0200
Subject: [keycloak-user] Get user's roles from groups using POST
In-Reply-To: 
References: 
Message-ID: 

Hello,

with the changes from this PR: https://github.com/keycloak/keycloak/pull/3120 the realm roles and client roles would also be available with a single GET request.

Cheers,
Thomas

2016-09-09 9:21 GMT+02:00 Marek Posolda :

> Yep. You can take a look at our testsuite for inspiration :
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java .
>
> Especially see the last test, "roleMappings".
>
> Marek
>
>
> On 08/09/16 20:30, Eric Matte wrote:
>
> Hi, I need to get all user roles from a specified user ID from all assigned groups for this particular user.
>
> I have searched into the API documentation and found no link that could return me all roles of the authenticated user.
>
> Currently, I have the user id, the realm name, the client id, and an admin token.
>
> I need to send a POST method from my backend in order for it to properly set all the session's variables.
>
> http://www.keycloak.org/docs/rest-api/#_userrepresentation
>
> From this link, UserRepresentation seems to have everything I need, but while checking the code on GitHub, the function for "GET /admin/realms/{realm}/users/{id}" only returns the first few variables (name, email, id, etc.). But, clientRoles, for instance, is not returned.
>
> Thank you
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/4abefe9c/attachment.html
From mposolda at redhat.com Fri Sep 9 03:38:13 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Sep 2016 09:38:13 +0200
Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer
In-Reply-To: <5aa71214e04e41a9babc330b2467f6f3@posam.sk>
References: <5aa71214e04e41a9babc330b2467f6f3@posam.sk>
Message-ID: <2f0c2818-27c7-26f6-035a-5da774916dee@redhat.com>

This is set from the HTTP request URL, so it looks like your Keycloak is seeing "http://machine01.our.domain:8081/auth" as the request URL instead of "http://lb.our.domain/auth/admin/governance/console/config". Maybe the setting of X-Forwarded-Host on your LB side?

Marek

On 08/09/16 13:05, KASALA Štefan wrote:
>
> Hello,
>
> Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. We configured keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html.
>
> The configuration is still not complete/correct, probably I missed something.
When I access proxied url for either of our configured > realms I got unproxied auth-server-url: > > [localuser at machine01:~/keycloak]$ curl -s > http://lb.our.domain/auth/admin/governance/console/config | python -m > json.tool > > { > > "auth-server-url": "http://machine01.our.domain:8081/auth", > > "public-client": true, > > "realm": "governance", > > "realm-public-key": > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > "resource": "security-admin-console", > > "ssl-required": "external" > > } > > [localuser at machine01:~/keycloak]$ curl -s > http://lb.our.domain/auth/admin/master/console/config | python -m > json.tool > > { > > "auth-server-url": "http://machine01.our.domain:8081/auth", > > "public-client": true, > > "realm": "master", > > "realm-public-key": > "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB", > > "resource": "security-admin-console", > > "ssl-required": "external" > > } > > How can I configure it to return the proxied version? Thanks. > > Stefan. > > *From:*Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday, June 28, 2016 3:51 PM > *To:* KASALA ?tefan > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via > loadbalancer > > Firstly, please upgrade to a more recent Keycloak version. 
Then refer > to > https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html > for details on how to setup a reverse proxy / load balancer in front > of Keycloak. > > On 27 June 2016 at 09:18, KASALA ?tefan > wrote: > > Hello, > > we have installed JBoss Overlord Rtgov 2.1.0 which is using > Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name > it with hostname app01. We have a load balancer under another > hostname lbapp in front of the deployed app. I am able to call the > rest interface of RtGov directly on machine app01 but not using > lbapp, I get 401 - Unauthorized from Keycloak. My guess is there > is some check against hostname in http request. Is there some > possibility to register aliases with the keycloak to enable calls > via load balancer? Thanks. > > Stefan Kasala > > ------------------------------------------------------------------------ > > > T?to spr?va je ur?en? iba pre uveden?ho pr?jemcu a m??e obsahova? > d?vern? alebo intern? inform?cie. Ak ste ju omylom obdr?ali, > upovedomte o tom pros?m odosielate?a a vyma?te ju. Ak?ko?vek in? > sp?sob pou?itia tohto e-mailu je zak?zan?. > > This message is for the designated recipient only and may contain > confidential or internal information. If you have received it in > error, please notify the sender immediately and delete the > original. Any other use of the e-mail by you is prohibited. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > ------------------------------------------------------------------------ > > T?to spr?va je ur?en? iba pre uveden?ho pr?jemcu a m??e obsahova? > d?vern? alebo intern? inform?cie. Ak ste ju omylom obdr?ali, > upovedomte o tom pros?m odosielate?a a vyma?te ju. Ak?ko?vek in? > sp?sob pou?itia tohto e-mailu je zak?zan?. 
> > This message is for the designated recipient only and may contain > confidential or internal information. If you have received it in > error, please notify the sender immediately and delete the original. > Any other use of the e-mail by you is prohibited. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/36f64f56/attachment-0001.html From sblanc at redhat.com Fri Sep 9 04:32:00 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 9 Sep 2016 10:32:00 +0200 Subject: [keycloak-user] Deploy theme as archive, how to declare in standalone.xml ? Message-ID: Hi, I'm trying to deploy my theme as a zip in a kc 2.1.0. I'm following https://keycloak.gitbooks.io/server-developer-guide/content/topics/themes.html I'm just confused on the last part : " You also need to register the module with Keycloak. This is done by editing standalone.xml, standalone-ha.xml, or domain.xml. See the Server Installation and Configuration Guide for more details on where the standalone.xml, standalone-ha.xml, or domain.xml file lives. Then and add the module to theme/module/modules. For example: ... org.example.mytheme " It's not really clear on where I need to add this, I tried inside the keycloak subsystem section but that does not work. Sebi -------------- next part -------------- An HTML attachment was scrubbed... 
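As an added illustration, not code from this thread, from the Keycloak project or from its documentation: the shape of the standalone.xml fragment the quoted paragraph refers to, with the theme module registered inside the keycloak-server subsystem as theme/modules/module (the nesting Marek's reply later in this archive gives for 2.1). The subsystem namespace version, the web-context element and the staticMaxAge, cacheThemes, cacheTemplates and dir children are assumed here for illustration; only the modules/module nesting and the module name org.example.mytheme come from the thread.

```xml
<!-- Added example (not from the thread or the Keycloak docs): where the theme
     module is registered in standalone.xml. The namespace version and the
     <theme> children other than <modules> are assumptions. -->
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <web-context>auth</web-context>
    <!-- ... other existing children of the subsystem (providers, spi, ...) stay as they are ... -->
    <theme>
        <staticMaxAge>2592000</staticMaxAge>
        <cacheThemes>true</cacheThemes>
        <cacheTemplates>true</cacheTemplates>
        <dir>${jboss.home.dir}/themes</dir>
        <!-- the JBoss module (module.xml plus the theme JAR under modules/) that packages the theme -->
        <modules>
            <module>org.example.mytheme</module>
        </modules>
    </theme>
</subsystem>
```

The module itself still has to exist under the server's modules directory (a module.xml pointing at the theme JAR) before the server is restarted; this fragment only tells Keycloak to load themes from it. Treat such a module as trusted code: theme templates are FreeMarker files rendered on the server, so only package themes whose origin you trust.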
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/6c4e380d/attachment.html

From andyyar66 at gmail.com Fri Sep 9 04:41:01 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Fri, 9 Sep 2016 10:41:01 +0200
Subject: [keycloak-user] keycloak.js - page reloads itself when logged in
In-Reply-To:
References: <57CE6008.8010006@redhat.com>
Message-ID:

In my case the original AngularJS demo acts in the same way as the Angular2 one.

On Thu, Sep 8, 2016 at 3:48 PM, Andy Yar wrote:

> Ok, will check the original AngularJS demo for that harmless
> window.postMessage().
>
> Thanks for your effort!
>
> On Thu, Sep 8, 2016 at 2:50 PM, Stian Thorgersen wrote:
>
>> Just spotted you're using the Angular2 example. I've got no clue about
>> that one. It was community contributed and we've not had any experience
>> with Angular2 ourselves.
>>
>> Please try if you're getting similar behavior with the Angular 1 example.
>>
>> There should be no page reload on the cookie check. It's just a window
>> postMessage and it doesn't do anything that should cause the page to reload.
>>
>> On 8 September 2016 at 14:07, Andy Yar wrote:
>>
>>> Yes, I did - Web Origins: http://localhost:4200. That's where my dev
>>> server runs. When I change the origin in the Keycloak admin console to
>>> something different I can't even log in due to CORS errors. So I guess this
>>> setting is correct.
>>>
>>> Setting a really short max SSO session TTL results in both cookie checks
>>> (quiet Chrome and page reloading Firefox/Edge) detecting the tokens'
>>> validity and redirecting to the login page.
>>>
>>> My other observation: when I perform an SSO logout in Keycloak the app
>>> running in Chrome doesn't log me out after its quiet cookie check. In
>>> Firefox/Edge it detects the SSO logout correctly during the horrible cookie
>>> checking page reload.
>>>
>>> On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen wrote:
>>>
>>>> Did you add correct origins for your app in the Keycloak admin console?
>>>>
>>>> On 7 September 2016 at 16:30, Andy Yar wrote:
>>>>
>>>>> Hello,
>>>>> I've tried running
>>>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular2-product-app
>>>>> on localhost against my Keycloak instance. The page reloading issue caused by
>>>>> iFrame checks was present too.
>>>>>
>>>>> The only significant change I made to the demo app was replacing the
>>>>> keycloak.json with mine. The difference is using a non-localhost URL:
>>>>> "auth-server-url": "http://:8080/sso". CORS comes to mind.
>>>>>
>>>>> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote:
>>>>>
>>>>>> I've spent some time in Firefox's debugger and found out that the
>>>>>> redirect occurs right after the window.postMessage() is called in the
>>>>>> checkLoginFrame function.
>>>>>>
>>>>>> The demo project code seems to be in line with my code. Might try
>>>>>> its runtime behavior later.
>>>>>>
>>>>>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda wrote:
>>>>>>
>>>>>>> On 01/09/16 23:34, Andy Yar wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>> I've created a template of an Angular based app using keycloak.js
>>>>>>> lib. After a successful login the app/page periodically reloads itself. I
>>>>>>> guess it's because of the iFrame session check being set to a 5sec interval
>>>>>>> (requesting url: /#state=&code=).
>>>>>>>
>>>>>>> That's strange... IFrame is supposed to just check the cookie, not
>>>>>>> to do any reload.
>>>>>>>
>>>>>>> Maybe take a look at our angular examples and see if you do
>>>>>>> something differently? See
>>>>>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app .
>>>>>>> Note the angular.bootstrap called after Keycloak authentication is fully
>>>>>>> finished.
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>> This happens in latest Firefox and Edge. Chrome seems to handle
>>>>>>> these reloads quietly.
>>>>>>>
>>>>>>> Is this intended?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/43c788d6/attachment.html

From thomas.darimont at googlemail.com Fri Sep 9 04:46:24 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 9 Sep 2016 10:46:24 +0200
Subject: [keycloak-user] Example for decoding JWT Token in Shell
In-Reply-To:
References:
Message-ID:

Hello Stian,

you are right, some tokens might not be decoded correctly...

The following works for me now:

decode_base64_url() {
  local len=$((${#1} % 4))
  local result="$1"
  if [ $len -eq 2 ]; then result="$1"'=='
  elif [ $len -eq 3 ]; then result="$1"'='
  fi
  # base64url -> base64, then decode; -A makes openssl accept the whole
  # value on one line instead of the 64-character lines it expects by default
  echo "$result" | tr '_-' '/+' | openssl enc -d -base64 -A
}

decode_jwt(){
  decode_base64_url $(echo -n $2 | cut -d "." -f $1) | jq .
}

# Decode JWT header
alias jwth="decode_jwt 1"

# Decode JWT Payload
alias jwtp="decode_jwt 2"

Took the decode_base64_url function from
https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh

Cheers,
Thomas

2016-09-09 8:50 GMT+02:00 Stian Thorgersen:

> I think that'll only work most of the time as tokens are base64 url
> encoded, not plain base64 encoded. Most of the time it works with
> a standard base64 decoder, but once in a while those special characters that
> base64 url strips out get in the way.
>
> On 8 September 2016 at 17:26, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
>> ... and here is a quick helper function for your shell:
>>
>> #Keycloak
>> decode_jwt(){
>>   echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
>> }
>> alias jwtd=decode_jwt
>>
>> $ jwtd $KC_ACCESS_TOKEN
>> {
>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>   "exp": 1473348085,
>>   "nbf": 0,
>>   "iat": 1473347785,
>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>   "aud": "app1",
>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>   "typ": "Bearer",
>>   "azp": "app1",
>>   "auth_time": 0,
>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>   "acr": "1",
>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>   "allowed-origins": [],
>>   "resource_access": {
>>     "app-js-demo-client": {
>>       "roles": [
>>         "user"
>>       ]
>>     },
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "name": "Theo Tester",
>>   "preferred_username": "tester",
>>   "given_name": "Theo",
>>   "family_name": "Tester",
>>   "email": "tom+tester at localhost"
>> }
>>
>> Cheers,
>> Thomas
>>
>> 2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont at googlemail.com>:
>>
>>> Hello group,
>>>
>>> just found an interesting example for decoding a JWT token in the shell.
>>> Perhaps some of you might find that handy... see below.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> KC_REALM=acme-test
>>> KC_USERNAME=tester
>>> KC_PASSWORD=test
>>> KC_CLIENT=app1
>>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
>>> KC_URL="http://localhost:8081/auth"
>>>
>>> # Request Tokens for credentials
>>> # (-k skips TLS certificate verification, so only for a local test server)
>>> KC_RESPONSE=$( \
>>>   curl -k -v \
>>>   -d "username=$KC_USERNAME" \
>>>   -d "password=$KC_PASSWORD" \
>>>   -d 'grant_type=password' \
>>>   -d "client_id=$KC_CLIENT" \
>>>   -d "client_secret=$KC_CLIENT_SECRET" \
>>>   "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
>>>   | jq .
>>> )
>>>
>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>>
>>> # one-liner to decode access token
>>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>>>
>>> {
>>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>>   "exp": 1473348085,
>>>   "nbf": 0,
>>>   "iat": 1473347785,
>>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>>   "aud": "app1",
>>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>>   "typ": "Bearer",
>>>   "azp": "app1",
>>>   "auth_time": 0,
>>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>>   "acr": "1",
>>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>>   "allowed-origins": [],
>>>   "resource_access": {
>>>     "app-js-demo-client": {
>>>       "roles": [
>>>         "user"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "name": "Theo Tester",
>>>   "preferred_username": "tester",
>>>   "given_name": "Theo",
>>>   "family_name": "Tester",
>>>   "email": "tom+tester at localhost"
>>> }
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/f17ebc66/attachment-0001.html

From mposolda at redhat.com Fri Sep 9 04:49:48 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Sep 2016 10:49:48 +0200
Subject: [keycloak-user] Deploy theme as archive, how to declare in standalone.xml ?
In-Reply-To:
References:
Message-ID: <8633e121-623e-6c44-54df-9a60e4693174@redhat.com>

Hi,

this changed between 2.2 and 2.1. It seems you're looking for the latest docs related to 2.2, but in 2.1 the stuff is different.
See the docs for 2.1: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.1/topics/themes.html .

But you're right that the docs could specify that it should be put under the subsystem. Also it is "theme/modules/module", not "theme/module/modules". Will fix it.

Thanks,
Marek

On 09/09/16 10:32, Sebastien Blanc wrote:
> Hi,
>
> I'm trying to deploy my theme as a zip in a kc 2.1.0. I'm following
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/themes.html
>
> I'm just confused on the last part:
> "
> You also need to register the module with Keycloak. This is done by
> editing standalone.xml, standalone-ha.xml, or domain.xml. See
> the Server Installation and Configuration Guide
> for more details on where the standalone.xml, standalone-ha.xml,
> or domain.xml file lives.
>
> Then add the module to theme/module/modules. For example:
>
> ... org.example.mytheme
> "
>
> It's not really clear where I need to add this, I tried inside the
> keycloak subsystem section but that does not work.
>
> Sebi
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/c67c520e/attachment.html

From sthorger at redhat.com Fri Sep 9 05:04:16 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 9 Sep 2016 11:04:16 +0200
Subject: [keycloak-user] keycloak.js - page reloads itself when logged in
In-Reply-To:
References: <57CE6008.8010006@redhat.com>
Message-ID:

Are you getting the same behavior from the admin console? It's Angular and uses keycloak.js.

On 9 September 2016 at 10:41, Andy Yar wrote:

> In my case the original AngularJS demo acts in the same way as the
> Angular2 one.
>
> On Thu, Sep 8, 2016 at 3:48 PM, Andy Yar wrote:
>
>> Ok, will check the original AngularJS demo for that harmless
>> window.postMessage().
>>
>> Thanks for your effort!
>>
>> On Thu, Sep 8, 2016 at 2:50 PM, Stian Thorgersen wrote:
>>
>>> Just spotted you're using the Angular2 example. I've got no clue about
>>> that one. It was community contributed and we've not had any experience
>>> with Angular2 ourselves.
>>>
>>> Please try if you're getting similar behavior with the Angular 1 example.
>>>
>>> There should be no page reload on the cookie check. It's just a window
>>> postMessage and it doesn't do anything that should cause the page to reload.
>>>
>>> On 8 September 2016 at 14:07, Andy Yar wrote:
>>>
>>>> Yes, I did - Web Origins: http://localhost:4200. That's where my dev
>>>> server runs. When I change the origin in the Keycloak admin console to
>>>> something different I can't even log in due to CORS errors. So I guess this
>>>> setting is correct.
>>>>
>>>> Setting a really short max SSO session TTL results in both cookie
>>>> checks (quiet Chrome and page reloading Firefox/Edge) detecting the tokens'
>>>> validity and redirecting to the login page.
>>>>
>>>> My other observation: when I perform an SSO logout in Keycloak the app
>>>> running in Chrome doesn't log me out after its quiet cookie check. In
>>>> Firefox/Edge it detects the SSO logout correctly during the horrible cookie
>>>> checking page reload.
>>>>
>>>> On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen wrote:
>>>>
>>>>> Did you add correct origins for your app in the Keycloak admin console?
>>>>>
>>>>> On 7 September 2016 at 16:30, Andy Yar wrote:
>>>>>
>>>>>> Hello,
>>>>>> I've tried running
>>>>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular2-product-app
>>>>>> on localhost against my Keycloak instance. The page reloading issue caused
>>>>>> by iFrame checks was present too.
>>>>>>
>>>>>> The only significant change I made to the demo app was replacing the
>>>>>> keycloak.json with mine. The difference is using a non-localhost URL:
>>>>>> "auth-server-url": "http://:8080/sso". CORS comes to mind.
>>>>>>
>>>>>> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar wrote:
>>>>>>
>>>>>>> I've spent some time in Firefox's debugger and found out that the
>>>>>>> redirect occurs right after the window.postMessage() is called in the
>>>>>>> checkLoginFrame function.
>>>>>>>
>>>>>>> The demo project code seems to be in line with my code. Might try
>>>>>>> its runtime behavior later.
>>>>>>>
>>>>>>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda wrote:
>>>>>>>
>>>>>>>> On 01/09/16 23:34, Andy Yar wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> I've created a template of an Angular based app using keycloak.js
>>>>>>>> lib. After a successful login the app/page periodically reloads itself. I
>>>>>>>> guess it's because of the iFrame session check being set to a 5sec interval
>>>>>>>> (requesting url: /#state=&code=).
>>>>>>>>
>>>>>>>> That's strange... IFrame is supposed to just check the cookie, not
>>>>>>>> to do any reload.
>>>>>>>>
>>>>>>>> Maybe take a look at our angular examples and see if you do
>>>>>>>> something differently? See
>>>>>>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app .
>>>>>>>> Note the angular.bootstrap called after Keycloak authentication is fully
>>>>>>>> finished.
>>>>>>>>
>>>>>>>> Marek
>>>>>>>>
>>>>>>>> This happens in latest Firefox and Edge. Chrome seems to handle
>>>>>>>> these reloads quietly.
>>>>>>>>
>>>>>>>> Is this intended?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/2b5974ca/attachment.html

From Stefan.Kasala at posam.sk Fri Sep 9 05:45:47 2016
From: Stefan.Kasala at posam.sk (KASALA Štefan)
Date: Fri, 9 Sep 2016 09:45:47 +0000
Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer
In-Reply-To: <2f0c2818-27c7-26f6-035a-5da774916dee@redhat.com>
References: <5aa71214e04e41a9babc330b2467f6f3@posam.sk> <2f0c2818-27c7-26f6-035a-5da774916dee@redhat.com>
Message-ID:

Hello,

thanks for the hints, I added request header dumps for the keycloak server:

curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool

keycloak server log:

2016-09-09 11:38:40,825 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /admin/master/console/config
2016-09-09 11:38:40,826 INFO [io.undertow.request.dump] (default task-15)
----------------------------REQUEST---------------------------
URI=/auth/admin/master/console/config
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=*/*
header=Connection=Keep-Alive
header=X-Forwarded-For=10.231.79.183
header=X-Forwarded-Server=lb.our.domain
header=User-Agent=curl/7.49.1
header=Host=machine01.our.domain:8081
header=X-Forwarded-Host=lb.our.domain
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=10.231.79.183:0
remoteHost=10.231.79.183
scheme=http
host=machine01.our.domain:8081
serverPort=0
--------------------------RESPONSE--------------------------
contentLength=574
contentType=application/json
header=Connection=keep-alive
header=Cache-Control=no-cache
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Content-Type=application/json
header=Content-Length=574
header=Date=Fri, 09 Sep 2016 09:38:40 GMT
status=200
==============================================================

out:

{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "master",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}

Is it possible to configure keycloak / undertow to use the X-Forwarded-Host header for absolute urls, or do we have to forward the original host to keycloak?

Thanks
Stefan

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Friday, September 9, 2016 9:38 AM
To: KASALA Štefan ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer

This is set from the HTTP request URL, so it looks like your Keycloak is seeing "http://machine01.our.domain:8081/auth" as the request URL instead of "http://lb.our.domain/auth/admin/governance/console/config". Maybe set X-Forwarded-Host on your LB side?

Marek

On 08/09/16 13:05, KASALA Štefan wrote:

Hello,

Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. We configured keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html.

The configuration is still not complete/correct, probably I missed something. When I access the proxied URL for either of our configured realms I get the unproxied auth-server-url:

[localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool

{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "governance",
    "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}

[localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool

{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "master",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}

How can I configure it to return the proxied version? Thanks.

Stefan.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, June 28, 2016 3:51 PM
To: KASALA Štefan
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer

Firstly, please upgrade to a more recent Keycloak version. Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html for details on how to set up a reverse proxy / load balancer in front of Keycloak.

On 27 June 2016 at 09:18, KASALA Štefan wrote:

Hello,

we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the REST interface of RtGov directly on machine app01 but not using lbapp; I get 401 - Unauthorized from Keycloak. My guess is there is some check against the hostname in the HTTP request. Is there some possibility to register aliases with Keycloak to enable calls via the load balancer? Thanks.

Stefan Kasala

________________________________

This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

________________________________

This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

________________________________

This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/94da23ac/attachment-0001.html

From christopher.james.davies at gmail.com Fri Sep 9 06:35:58 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Fri, 09 Sep 2016 10:35:58 +0000
Subject: [keycloak-user] Example for decoding JWT Token in Shell
In-Reply-To:
References:
Message-ID:

A colleague wrote this when we were testing keycloak. Hope this helps:
https://gist.github.com/rolandyoung/176dd310a6948e094be6

Chris

On Fri, Sep 9, 2016 at 9:47 AM Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello Stian,
>
> you are right, some tokens might not be decoded correctly...
>
> The following works for me now:
>
> decode_base64_url() {
>   local len=$((${#1} % 4))
>   local result="$1"
>   if [ $len -eq 2 ]; then result="$1"'=='
>   elif [ $len -eq 3 ]; then result="$1"'='
>   fi
>   # base64url -> base64, then decode; -A makes openssl accept the whole
>   # value on one line instead of the 64-character lines it expects by default
>   echo "$result" | tr '_-' '/+' | openssl enc -d -base64 -A
> }
>
> decode_jwt(){
>   decode_base64_url $(echo -n $2 | cut -d "." -f $1) | jq .
> } > > # Decode JWT header > alias jwth="decode_jwt 1" > > # Decode JWT Payload > alias jwtp="decode_jwt 2" > > Took the decode_base64_url function from > https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh > > Cheers, > Thomas > > 2016-09-09 8:50 GMT+02:00 Stian Thorgersen : > >> I think that'll only work most of the time as tokens are base64 url >> encoded, not plain base64 encoded. Most of the time it works with >> standard base64 decoder, but once in a while those special characters that >> base64 url strips out gets in the way. >> >> On 8 September 2016 at 17:26, Thomas Darimont < >> thomas.darimont at googlemail.com> wrote: >> >>> ... and here is a quick helper function for your shell: >>> >>> #Keycloak >>> decode_jwt(){ >>> echo -n $@ | cut -d "." -f 2 | base64 -d | jq . >>> } >>> alias jwtd=decode_jwt >>> >>> $ jwtd $KC_ACCESS_TOKEN >>> { >>> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd", >>> "exp": 1473348085, >>> "nbf": 0, >>> "iat": 1473347785, >>> "iss": "http://localhost:8081/auth/realms/acme-test", >>> "aud": "app1", >>> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af", >>> "typ": "Bearer", >>> "azp": "app1", >>> "auth_time": 0, >>> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b", >>> "acr": "1", >>> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb", >>> "allowed-origins": [], >>> "resource_access": { >>> "app-js-demo-client": { >>> "roles": [ >>> "user" >>> ] >>> }, >>> "account": { >>> "roles": [ >>> "manage-account", >>> "view-profile" >>> ] >>> } >>> }, >>> "name": "Theo Tester", >>> "preferred_username": "tester", >>> "given_name": "Theo", >>> "family_name": "Tester", >>> "email": "tom+tester at localhost" >>> } >>> >>> Cheers, >>> Thomas >>> >>> 2016-09-08 17:20 GMT+02:00 Thomas Darimont < >>> thomas.darimont at googlemail.com>: >>> >>>> Hello group, >>>> >>>> just found an interesting example for decoding a JWT token in the shell. >>>> Perhaps some of you might find that handy... see below. 
>>>> >>>> Cheers, >>>> Thomas >>>> >>>> KC_REALM=acme-test >>>> KC_USERNAME=tester >>>> KC_PASSWORD=test >>>> KC_CLIENT=app1 >>>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032 >>>> KC_URL="http://localhost:8081/auth" >>>> >>>> # Request Tokens for credentials >>>> KC_RESPONSE=$( \ >>>> curl -k -v \ >>>> -d "username=$KC_USERNAME" \ >>>> -d "password=$KC_PASSWORD" \ >>>> -d 'grant_type=password' \ >>>> -d "client_id=$KC_CLIENT" \ >>>> -d "client_secret=$KC_CLIENT_SECRET" \ >>>> "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \ >>>> | jq . >>>> ) >>>> >>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token) >>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token) >>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token) >>>> >>>> # one-liner to decode access token >>>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq . >>>> >>>> { >>>> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd", >>>> "exp": 1473348085, >>>> "nbf": 0, >>>> "iat": 1473347785, >>>> "iss": "http://localhost:8081/auth/realms/acme-test", >>>> "aud": "app1", >>>> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af", >>>> "typ": "Bearer", >>>> "azp": "app1", >>>> "auth_time": 0, >>>> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b", >>>> "acr": "1", >>>> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb", >>>> "allowed-origins": [], >>>> "resource_access": { >>>> "app-js-demo-client": { >>>> "roles": [ >>>> "user" >>>> ] >>>> }, >>>> "account": { >>>> "roles": [ >>>> "manage-account", >>>> "view-profile" >>>> ] >>>> } >>>> }, >>>> "name": "Theo Tester", >>>> "preferred_username": "tester", >>>> "given_name": "Theo", >>>> "family_name": "Tester", >>>> "email": "tom+tester at localhost" >>>> } >>>> >>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > _______________________________________________ > keycloak-user 
From sthorger at redhat.com Fri Sep 9 09:39:00 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 9 Sep 2016 15:39:00 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: <57CE6008.8010006@redhat.com> Message-ID:

By the way I just tried the angular product example here and it works just fine in Chrome and Firefox.

On 9 September 2016 at 11:04, Stian Thorgersen wrote: > Are you getting the same behavior from the admin console? It's Angular and > uses keycloak.js. > > On 9 September 2016 at 10:41, Andy Yar wrote: > >> In my case the original AngularJS demo acts in the same way as the >> Angular2 one. >> >> On Thu, Sep 8, 2016 at 3:48 PM, Andy Yar wrote: >> >>> Ok, will check the original AngularJS demo for that harmless >>> window.postMessage(). >>> >>> Thanks for your effort! >>> >>> On Thu, Sep 8, 2016 at 2:50 PM, Stian Thorgersen >>> wrote: >>> >>>> Just spotted you're using the Angular2 example. I've got no clue about >>>> that one. It was community contributed and we've not had any experience >>>> with Angular2 ourselves. >>>> >>>> Please try if you're getting similar behavior with the Angular 1 example. >>>> >>>> There should be no page reload on the cookie check. It's just a window >>>> postMessage and it doesn't do anything that should cause the page to reload. >>>> >>>> On 8 September 2016 at 14:07, Andy Yar wrote: >>>> >>>>> Yes, I did - Web Origins: http://localhost:4200. That's where my dev >>>>> server runs. When I change the origin in the Keycloak admin console to >>>>> something different I can't even log in due to CORS errors. So I guess this >>>>> setting is correct.
>>>>> >>>>> Setting a really short max SSO session TTL results in both cookie >>>>> checks (quiet Chrome and page reloading Firefox/Edge) detecting the tokens' >>>>> validity and redirecting to the login page. >>>>> >>>>> My other observation, when I perform a SSO logout in Keycloak the app >>>>> running in Chrome doesn't log me out after its quiet cookie check. In >>>>> Firefox/Edge it detects the SSO logout correctly during the horrible cookie >>>>> checking page reload. >>>>> >>>>> On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen >>>>> wrote: >>>>> >>>>>> Did you add correct origins for your app in the Keycloak admin >>>>>> console? >>>>>> >>>>>> On 7 September 2016 at 16:30, Andy Yar wrote: >>>>>> >>>>>>> Hello, >>>>>>> I've tried running https://github.com/keycloak/ke >>>>>>> ycloak/tree/master/examples/demo-template/angular2-product-app app >>>>>>> on localhost against my Keycloak instance. The page reloading issue caused >>>>>>> by iFrame checks was present too. >>>>>>> >>>>>>> The only significant change I made to the demo app was replacing the >>>>>>> keycloak.json with mine. The difference is using a non-localhost URL: >>>>>>> "auth-server-url": "http://:8080/sso". CORS comes to >>>>>>> mind. >>>>>>> >>>>>>> >>>>>>> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar >>>>>>> wrote: >>>>>>> >>>>>>>> I've spent some time in Firefox's debugger and found out that the >>>>>>>> redirect occurs right after the window.postMessage() is called in the >>>>>>>> checkLoginFrame function. >>>>>>>> >>>>>>>> The demo project code seems to be in line with my code. Might try >>>>>>>> it's runtime behavior later. >>>>>>>> >>>>>>>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda >>>>>>>> wrote: >>>>>>>> >>>>>>>>> On 01/09/16 23:34, Andy Yar wrote: >>>>>>>>> >>>>>>>>> Hello, >>>>>>>>> I've created a template of a Angular based app using keycloak.js >>>>>>>>> lib. After a successful login the app/page periodically reloads itself. 
I >>>>>>>>> guess it's because of the iFrame session check being set to 5sec interval >>>>>>>>> (requesting url: /#state=&code=). >>>>>>>>> >>>>>>>>> That's strange... IFrame is supposed to just check the cookie, not >>>>>>>>> to do any reload. >>>>>>>>> >>>>>>>>> Maybe take a look at our angular examples and see if you do >>>>>>>>> something differently? See https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app . >>>>>>>>> Note the angular.bootstrap called after Keycloak authentication is fully >>>>>>>>> finished. >>>>>>>>> >>>>>>>>> Marek >>>>>>>>> >>>>>>>>> >>>>>>>>> This happens in latest Firefox and Edge. Chrome seems to handle >>>>>>>>> these reloads quietly. >>>>>>>>> >>>>>>>>> Is this intended? >>>>>>>>> >>>>>>>>> Thanks

From andyyar66 at gmail.com Fri Sep 9 10:26:13 2016 From: andyyar66 at gmail.com (Andy Yar) Date: Fri, 9 Sep 2016 16:26:13 +0200 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: <57CE6008.8010006@redhat.com> Message-ID:

Ok, so it must be related to my usage scenario. I don't use keycloak.js served from the Keycloak server but as a local node module instead. Then again I run my Angular app on localhost and I auth it against a Keycloak which runs on a dedicated server/domain.
FYI my Keycloak admin console works normally - no refreshes.

On Fri, Sep 9, 2016 at 3:39 PM, Stian Thorgersen wrote: > By the way I just tried the angular product example here and it works just > fine in Chrome and Firefox. > > On 9 September 2016 at 11:04, Stian Thorgersen > wrote: > >> Are you getting the same behavior from the admin console? It's Angular >> and uses keycloak.js. >> >> On 9 September 2016 at 10:41, Andy Yar wrote: >> >>> In my case the original AngularJS demo acts in the same way as the >>> Angular2 one. >>> >>> On Thu, Sep 8, 2016 at 3:48 PM, Andy Yar wrote: >>> >>>> Ok, will check the original AngularJS demo for that harmless >>>> window.postMessage(). >>>> >>>> Thanks for your effort! >>>> >>>> On Thu, Sep 8, 2016 at 2:50 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Just spotted you're using the Angular2 example. I've got no clue about >>>>> that one. It was community contributed and we've not had any experience >>>>> with Angular2 ourselves. >>>>> >>>>> Please try if you're getting similar behavior with the Angular 1 example. >>>>> >>>>> There should be no page reload on the cookie check. It's just a window >>>>> postMessage and it doesn't do anything that should cause the page to reload. >>>>> >>>>> On 8 September 2016 at 14:07, Andy Yar wrote: >>>>> >>>>>> Yes, I did - Web Origins: http://localhost:4200. That's where my dev >>>>>> server runs. When I change the origin in the Keycloak admin console to >>>>>> something different I can't even log in due to CORS errors. So I guess this >>>>>> setting is correct. >>>>>> >>>>>> Setting a really short max SSO session TTL results in both cookie >>>>>> checks (quiet Chrome and page reloading Firefox/Edge) detecting the tokens' >>>>>> validity and redirecting to the login page. >>>>>> >>>>>> My other observation, when I perform a SSO logout in Keycloak the app >>>>>> running in Chrome doesn't log me out after its quiet cookie check.
In >>>>>> Firefox/Edge it detects the SSO logout correctly during the horrible cookie >>>>>> checking page reload. >>>>>> >>>>>> On Thu, Sep 8, 2016 at 7:39 AM, Stian Thorgersen >>>>> > wrote: >>>>>> >>>>>>> Did you add correct origins for your app in the Keycloak admin >>>>>>> console? >>>>>>> >>>>>>> On 7 September 2016 at 16:30, Andy Yar wrote: >>>>>>> >>>>>>>> Hello, >>>>>>>> I've tried running https://github.com/keycloak/ke >>>>>>>> ycloak/tree/master/examples/demo-template/angular2-product-app app >>>>>>>> on localhost against my Keycloak instance. The page reloading issue caused >>>>>>>> by iFrame checks was present too. >>>>>>>> >>>>>>>> The only significant change I made to the demo app was replacing >>>>>>>> the keycloak.json with mine. The difference is using a non-localhost URL: >>>>>>>> "auth-server-url": "http://:8080/sso". CORS comes to >>>>>>>> mind. >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Sep 6, 2016 at 2:43 PM, Andy Yar >>>>>>>> wrote: >>>>>>>> >>>>>>>>> I've spent some time in Firefox's debugger and found out that the >>>>>>>>> redirect occurs right after the window.postMessage() is called in the >>>>>>>>> checkLoginFrame function. >>>>>>>>> >>>>>>>>> The demo project code seems to be in line with my code. Might try >>>>>>>>> it's runtime behavior later. >>>>>>>>> >>>>>>>>> On Tue, Sep 6, 2016 at 8:19 AM, Marek Posolda >>>>>>>> > wrote: >>>>>>>>> >>>>>>>>>> On 01/09/16 23:34, Andy Yar wrote: >>>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> I've created a template of a Angular based app using keycloak.js >>>>>>>>>> lib. After a successful login the app/page periodically reloads itself. I >>>>>>>>>> guess it's because of the iFrame session check being set to 5sec interval >>>>>>>>>> (requesting url: /#state=&code=). >>>>>>>>>> >>>>>>>>>> That's strange... IFrame is supposed to just check the cookie, >>>>>>>>>> not to do any reload. >>>>>>>>>> >>>>>>>>>> Maybe take a look at our angular examples and see if you do >>>>>>>>>> something differently? 
See https://github.com/ke ycloak/keycloak/tree/master/examples/demo-template/angular-product-app . >>>>>>>>>> Note the angular.bootstrap called after Keycloak authentication is fully >>>>>>>>>> finished. >>>>>>>>>> >>>>>>>>>> Marek >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> This happens in latest Firefox and Edge. Chrome seems to handle >>>>>>>>>> these reloads quietly. >>>>>>>>>> >>>>>>>>>> Is this intended? >>>>>>>>>> >>>>>>>>>> Thanks

From eric.matte at bionxinternational.com Fri Sep 9 11:33:35 2016 From: eric.matte at bionxinternational.com (Eric Matte) Date: Fri, 9 Sep 2016 15:33:35 +0000 Subject: [keycloak-user] Get user's roles from groups using POST Message-ID:

What is specifically that GET request? Is there a way to just confirm user authentication on the backend with a POST/GET method? Something that would return the parsed token of the user for his current session. With the parsed token, the backend server could validate the user, but could also get directly all of the user's roles.
Eric

From: Thomas Darimont [mailto:thomas.darimont at googlemail.com] Sent: September 9, 2016 3:37 AM To: Marek Posolda Cc: Eric Matte ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Get user's roles from groups using POST

Hello, with the changes from this PR: https://github.com/keycloak/keycloak/pull/3120 the realm roles and client roles would also be available with a single GET request. Cheers, Thomas

2016-09-09 9:21 GMT+02:00 Marek Posolda >: Yep. You can take a look at our testsuite for inspiration: https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java . Especially see the last test "roleMappings". Marek

On 08/09/16 20:30, Eric Matte wrote: Hi, I need to get all user roles from a specified user ID from all assigned groups for this particular user. I have searched the API documentation and found no link that could return me all roles of the authenticated user. Currently, I have the user id, the realm name, the client id, and an admin token. I need to send a POST method from my backend in order for it to properly set all the session's variables. http://www.keycloak.org/docs/rest-api/#_userrepresentation From this link, UserRepresentation seems to have everything I need, but while checking the code on GitHub, the function for "GET /admin/realms/{realm}/users/{id}" only returns the first few variables (name, email, id, etc.). But clientRoles, for instance, is not returned. Thank you
From sthorger at redhat.com Fri Sep 9 14:17:57 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 9 Sep 2016 20:17:57 +0200 Subject: [keycloak-user] Keycloak 2.2.0.CR1 Released Message-ID:

Keycloak 2.2.0.CR1 has just been released. The final release will follow next week if no major issues are reported. A few highlights of this release:

- *OpenID Connect certification* - We've continued to work on our OpenID Connect implementation and we're now passing the basic, implicit, hybrid and config profiles. We'll get the dynamic profile sorted in the 2.3 release.
- *Server config moved to standalone/domain.xml* - In the past some server configuration was done in keycloak-server.json and some in standalone/domain.xml. We've now moved all config to standalone/domain.xml and keycloak-server.json is now deprecated. This brings the option to use jboss-cli including offline scripts to automate configuration.
- *Manual DB migration* - We've had automatic migration of the database for a long time, but we now have an option to have Keycloak write a SQL migration file instead of applying the changes directly.
- *Fuse adapter download* - There is now a Fuse adapter download that makes it possible to install Keycloak support in Fuse without access to an external Maven repository.
- *Hot deployment of providers* - It's now possible to hot deploy custom providers from within a JEE deployment. We've not had the chance to write documentation around this yet and it could do with a bit more testing so consider it a preview feature. Take a look at the user-storage-jpa provider example though, it's great stuff!
- *Identity Provider Authenticator* - In the past redirecting to identity providers was hardcoded in the Keycloak code, we've now refactored this into a new authenticator.
- *Norwegian, Japanese and Lithuanian translations* - Keycloak now comes with 11 translations.
10 of them contributed and maintained by our excellent community.

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

From pires at littlebits.cc Sat Sep 10 05:24:18 2016 From: pires at littlebits.cc (Paulo Pires) Date: Sat, 10 Sep 2016 10:24:18 +0100 Subject: [keycloak-user] Keycloak 2.2.0.CR1 Released In-Reply-To: References: Message-ID:

Amazing job!

On Fri, Sep 9, 2016 at 7:17 PM, Stian Thorgersen wrote:
> Keycloak 2.2.0.CR1 has just been released. The final release will follow next week if no major issues are reported. A few highlights of this release:
>
> - *OpenID Connect certification* - We've continued to work on our OpenID Connect implementation and we're now passing the basic, implicit, hybrid and config profiles. We'll get the dynamic profile sorted in the 2.3 release.
> - *Server config moved to standalone/domain.xml* - In the past some server configuration was done in keycloak-server.json and some in standalone/domain.xml. We've now moved all config to standalone/domain.xml and keycloak-server.json is now deprecated. This brings the option to use jboss-cli including offline scripts to automate configuration.
> - *Manual DB migration* - We've had automatic migration of the database for a long time, but we now have an option to have Keycloak write a SQL migration file instead of applying the changes directly.
> - *Fuse adapter download* - There is now a Fuse adapter download that makes it possible to install Keycloak support in Fuse without access to an external Maven repository.
> - *Hot deployment of providers* - It's now possible to hot deploy custom providers from within a JEE deployment.
> We've not had the chance to write documentation around this yet and it could do with a bit more testing so consider it a preview feature. Take a look at the user-storage-jpa provider example though, it's great stuff!
> - *Identity Provider Authenticator* - In the past redirecting to identity providers was hardcoded in the Keycloak code, we've now refactored this into a new authenticator.
> - *Norwegian, Japanese and Lithuanian translations* - Keycloak now comes with 11 translations. 10 of them contributed and maintained by our excellent community.
>
> For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

-- *Paulo Pires* senior infrastructure engineer | littleBits *T* (917) 464-4577 unleash your inner inventor.

From firemanxbr at fedoraproject.org Sat Sep 10 05:38:39 2016 From: firemanxbr at fedoraproject.org (Marcelo Barbosa) Date: Sat, 10 Sep 2016 09:38:39 +0000 Subject: [keycloak-user] Keycloak integrated with Google Apps In-Reply-To: References: Message-ID:

Hi Marek, Thank you, but I can't find where to change my config or Keycloak to adjust for Google Apps, because the paths and files are too different. I think Keycloak should offer simple documentation or a tip on adjusting the SAML request I will send from my Keycloak clients. If you have other suggestions let me know. Cheers, Marcelo

On Fri, Sep 9, 2016 at 2:27 PM Marek Posolda wrote:
> A few years ago, I integrated picketlink SAML with Google-apps. The docs are here https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Google+Apps+as+SP .
> The docs may be outdated, but hopefully some points are still valid, especially for Google-apps domain setup (really not 100% sure). Note that Keycloak SAML implementation is based on Picketlink impl, so hopefully it should work.
>
> You're right that we didn't test it (at least I am not aware). If you or someone else from the community is able to successfully integrate Keycloak with 3rd party providers like Google Apps, Salesforce, Shibboleth etc, it will be cool if you can create the blog or wiki somewhere. We can then backport to our docs or at least link it from our blog, so other community people can see it.
>
> Marek
>
> On 08/09/16 16:29, Marcelo Barbosa wrote:
> > Hi all,
> >
> > I really would like to create documentation and a study case using Keycloak totally integrated with Google Apps, but in two months using Keycloak I didn't have success.
> > I think the major for the Keycloak project take I person with time and this resources for a complete testing the project.
> > I sent some errors in other emails and didn't receive any help; if someone helps me it will be good, otherwise I will be forced to go to the simpleSAMLphp project that works seamlessly with AD and Google Apps.
> >
> > Cheers,

From keycloaklist at ulise.de Sat Sep 10 07:27:37 2016 From: keycloaklist at ulise.de (Uli SE) Date: Sat, 10 Sep 2016 13:27:37 +0200 Subject: [keycloak-user] Single transaction OTP Message-ID:

Hi, is it possible (done in a sample) to secure a single transaction using Keycloak's OTP feature? I currently use angularjs/wildfly with keycloak sso.
Many Thanks, Uli

From keycloaklist at ulise.de Sat Sep 10 07:28:20 2016 From: keycloaklist at ulise.de (Uli SE) Date: Sat, 10 Sep 2016 13:28:20 +0200 Subject: [keycloak-user] bearer token payload Message-ID:

Hi, Can I add fields from keycloak profile to the bearer token to get them in a Wildfly-based webservice?

From bburke at redhat.com Sat Sep 10 07:30:25 2016 From: bburke at redhat.com (Bill Burke) Date: Sat, 10 Sep 2016 07:30:25 -0400 Subject: [keycloak-user] bearer token payload In-Reply-To: References: Message-ID:

Yes. See mappers under your client in the admin console.

On 9/10/16 7:28 AM, Uli SE wrote:
> Hi,
>
> Can I add fields from keycloak profile to the bearer token to get them in a Wildfly-based webservice?

From bburke at redhat.com Sat Sep 10 07:31:08 2016 From: bburke at redhat.com (Bill Burke) Date: Sat, 10 Sep 2016 07:31:08 -0400 Subject: [keycloak-user] Single transaction OTP In-Reply-To: References: Message-ID:

You mean a one-use token? We don't support that.

On 9/10/16 7:27 AM, Uli SE wrote:
> Hi,
>
> is it possible (done in a sample) to secure a single transaction using Keycloak's OTP feature?
>
> I currently use angularjs/wildfly with keycloak sso.
> Many Thanks,
>
> Uli

From keycloaklist at ulise.de Sat Sep 10 07:33:34 2016 From: keycloaklist at ulise.de (Uli SE) Date: Sat, 10 Sep 2016 13:33:34 +0200 Subject: [keycloak-user] Vote for web-based forum Message-ID: <6f12c42e-edca-d034-9535-3fb84a1353e7@ulise.de>

Hi, I'm voting to change this exchange into some kind of web-based forum. It's really hard to search for "already asked questions" and to track my threads in this kind of mailing list. Cheers, Uli

From bburke at redhat.com Sat Sep 10 07:40:58 2016 From: bburke at redhat.com (Bill Burke) Date: Sat, 10 Sep 2016 07:40:58 -0400 Subject: [keycloak-user] Vote for web-based forum In-Reply-To: <6f12c42e-edca-d034-9535-3fb84a1353e7@ulise.de> References: <6f12c42e-edca-d034-9535-3fb84a1353e7@ulise.de> Message-ID: <1b26fad9-a600-5065-af48-ac57088046e8@redhat.com>

Too bad :)

On 9/10/16 7:33 AM, Uli SE wrote:
> Hi,
>
> I'm voting to change this exchange into some kind of web-based forum.
>
> It's really hard to search for "already asked questions" and to track my threads in this kind of mailing list.
> Cheers,
>
> Uli

From traviskds at gmail.com Sat Sep 10 07:44:27 2016 From: traviskds at gmail.com (Travis De Silva) Date: Sat, 10 Sep 2016 11:44:27 +0000 Subject: [keycloak-user] Vote for web-based forum In-Reply-To: <1b26fad9-a600-5065-af48-ac57088046e8@redhat.com> References: <6f12c42e-edca-d034-9535-3fb84a1353e7@ulise.de> <1b26fad9-a600-5065-af48-ac57088046e8@redhat.com> Message-ID:

+1

But if you have been following Bill over the years, you will know that he is passionate about the mailing list and dislikes forums. But I do agree that there is so much valuable info in the mailing list and if it was a forum that would be great.

On Sat, 10 Sep 2016 at 21:41 Bill Burke wrote:
> Too bad :)
>
> On 9/10/16 7:33 AM, Uli SE wrote:
> > Hi,
> >
> > I'm voting to change this exchange into some kind of web-based forum.
> >
> > It's really hard to search for "already asked questions" and to track my threads in this kind of mailing list.
> >
> > Cheers,
> >
> > Uli
From firemanxbr at fedoraproject.org Sat Sep 10 08:47:43 2016 From: firemanxbr at fedoraproject.org (Marcelo Barbosa) Date: Sat, 10 Sep 2016 12:47:43 +0000 Subject: [keycloak-user] Vote for web-based forum In-Reply-To: References: <6f12c42e-edca-d034-9535-3fb84a1353e7@ulise.de> <1b26fad9-a600-5065-af48-ac57088046e8@redhat.com> Message-ID:

-1

Web forum is old stack, please try using Google: site: http://lists.jboss.org/pipermail/keycloak-dev/ your-word-query

Cheers, Marcelo

On Sat, Sep 10, 2016, 6:44 PM Travis De Silva wrote:
> +1
>
> But if you have been following Bill over the years, you will know that he is passionate about the mailing list and dislikes forums. But I do agree that there is so much valuable info in the mailing list and if it was a forum that would be great.
>
> On Sat, 10 Sep 2016 at 21:41 Bill Burke wrote:
>> Too bad :)
>>
>> On 9/10/16 7:33 AM, Uli SE wrote:
>> > Hi,
>> >
>> > I'm voting to change this exchange into some kind of web-based forum.
>> >
>> > It's really hard to search for "already asked questions" and to track my threads in this kind of mailing list.
>> >
>> > Cheers,
>> >
>> > Uli
From aman.jaiswal at arvindinternet.com Sat Sep 10 09:43:24 2016 From: aman.jaiswal at arvindinternet.com (Aman Jaiswal) Date: Sat, 10 Sep 2016 19:13:24 +0530 Subject: [keycloak-user] Keycloak-2.1.0.Final Cluster mode on AWS Message-ID:

Hi, can anyone tell me how to set up keycloak-2.1.0.Final in cluster mode on AWS with the node servers running behind the load balancer? I am trying to do the same but have not succeeded; here is the link where you can find details: https://developer.jboss.org/thread/272224

-- Thanks, Aman Jaiswal

From bburke at redhat.com Sun Sep 11 14:15:52 2016 From: bburke at redhat.com (Bill Burke) Date: Sun, 11 Sep 2016 14:15:52 -0400 Subject: [keycloak-user] Single transaction OTP In-Reply-To: <09a85536-6394-a3b3-eb4c-e9da10cb8d3c@ulise.de> References: <09a85536-6394-a3b3-eb4c-e9da10cb8d3c@ulise.de> Message-ID:

Are you familiar with SSO protocols? The client (application) requests a token (OIDC) or assertion (SAML). The token/assertion is built specifically for the client and can contain information about the user, i.e. role/group mappings. Clients can force that the user has to log in again, that's about it... You'll have to be more specific about what you're looking for.

On 9/11/16 6:42 AM, Uli Schulze-Eyssing wrote:
> Not really a one-use token, but a second factor (like TOTP) for specific transactions (e.g. order confirmation).
>
> On 10.09.2016 at 13:31, Bill Burke wrote:
>> You mean a one-use token? We don't support that.
>>
>> On 9/10/16 7:27 AM, Uli SE wrote:
>>> Hi,
>>>
>>> is it possible (done in a sample) to secure a single transaction using Keycloak's OTP feature?
>>>
>>> I currently use angularjs/wildfly with keycloak sso.
>>> Many Thanks,
>>>
>>> Uli

From smccollum at westmont.edu Sun Sep 11 18:23:47 2016 From: smccollum at westmont.edu (Sam McCollum) Date: Sun, 11 Sep 2016 15:23:47 -0700 Subject: [keycloak-user] Help using Keycloak for Mobile apps Message-ID:

Hi All, I'm working on a project with some fellow students and we are attempting to use Keycloak to manage the authentication and authorization for our java backend running on Wildfly. We've managed to retrieve a token which we believe to be an offline token by opening the following URL on the mobile client and intercepting a custom URL scheme: http://keycloak.cs.westmont.edu/auth/realms/Westmont/protocol/openid-connect/auth?redirect_uri=app.test://login&response_type=code&client_id=TestApp&scope=offline_access

We hope that this doesn't bother you, but we are really struggling to figure out how to request the access token from the refresh token using the REST API as we haven't found any documentation or tutorials covering this use case.

We are also hoping to open source our efforts at building a library for mobile apps to use with Keycloak.

Please let us know if there is anything else you need to understand from us.

Thanks in advance, Sam
From sthorger at redhat.com Mon Sep 12 02:39:22 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Sep 2016 08:39:22 +0200 Subject: [keycloak-user] Help using Keycloak for Mobile apps In-Reply-To: References: Message-ID:

It's all standard OAuth2 stuff so there's plenty of material on Google that describes how to do this.

That doesn't return a token, it returns an authorization code. Take a look at: https://tools.ietf.org/html/rfc6749#section-3.1 That'll show you how to get the tokens. Then: https://tools.ietf.org/html/rfc6749#section-6 will show you how to refresh the token.

On 12 September 2016 at 00:23, Sam McCollum wrote:
> Hi All,
>
> I'm working on a project with some fellow students and we are attempting to use Keycloak to manage the authentication and authorization for our java backend running on Wildfly. We've managed to retrieve a token which we believe to be an offline token by opening the following URL on the mobile client and intercepting a custom URL scheme:
> http://keycloak.cs.westmont.edu/auth/realms/Westmont/protocol/openid-connect/auth?redirect_uri=app.test://login&response_type=code&client_id=TestApp&scope=offline_access
>
> We hope that this doesn't bother you, but we are really struggling to figure out how to request the access token from the refresh token using the REST API as we haven't found any documentation or tutorials covering this use case.
>
> We are also hoping to open source our efforts at building a library for mobile apps to use with Keycloak.
>
> Please let us know if there is anything else you need to understand from us.
> > Thanks in advance, > > Sam > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/0de3f418/attachment.html From sthorger at redhat.com Mon Sep 12 02:52:47 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Sep 2016 08:52:47 +0200 Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer In-Reply-To: References: <5aa71214e04e41a9babc330b2467f6f3@posam.sk> <2f0c2818-27c7-26f6-035a-5da774916dee@redhat.com> Message-ID: Have you set proxy-address-forwarding=true? I thought that was supposed to look at X-Forwarded-Host. On 9 September 2016 at 11:45, KASALA Štefan wrote:
> Hello,
>
> thanks for hints, I added request header dumps for keycloak server:
>
> curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
>
> keycloak server log:
>
> 2016-09-09 11:38:40,825 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /admin/master/console/config
> 2016-09-09 11:38:40,826 INFO [io.undertow.request.dump] (default task-15)
> ----------------------------REQUEST---------------------------
> URI=/auth/admin/master/console/config
> characterEncoding=null
> contentLength=-1
> contentType=null
> header=Accept=*/*
> header=Connection=Keep-Alive
> header=X-Forwarded-For=10.231.79.183
> header=X-Forwarded-Server=lb.our.domain
> header=User-Agent=curl/7.49.1
> header=Host=machine01.our.domain:8081
> header=X-Forwarded-Host=lb.our.domain
> locale=[]
> method=GET
> protocol=HTTP/1.1
> queryString=
> remoteAddr=10.231.79.183:0
> remoteHost=10.231.79.183
> scheme=http
> host=machine01.our.domain:8081
> serverPort=0
> --------------------------RESPONSE--------------------------
> contentLength=574
> contentType=application/json
> header=Connection=keep-alive
> header=Cache-Control=no-cache
> header=X-Powered-By=Undertow/1
> header=Server=WildFly/10
> header=Content-Type=application/json
> header=Content-Length=574
> header=Date=Fri, 09 Sep 2016 09:38:40 GMT
> status=200
> ==============================================================
>
> out:
>
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "master",
>     "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
> Is it possible to configure keycloak / undertow to use X-Forwarded-Host header for absolute urls, or we have to forward original host to keycloak?
>
> Thanks
>
> Stefan
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Friday, September 9, 2016 9:38 AM
> *To:* KASALA Štefan ; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer
>
> This is set from the HTTP request url, so it looks that your Keycloak is seeing "http://machine01.our.domain:8081/auth" as the request URL instead of "http://lb.our.domain/auth/admin/governance/console/config". Maybe the set of X-Forwarded-Host on your LB side?
>
> Marek
>
> On 08/09/16 13:05, KASALA Štefan wrote:
>
> Hello,
>
> Finally we upgraded to Keycloak 2.1.0.Final. We have configured Apache httpd proxy in front of the server. We configured keycloak server according to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html.
>
> The configuration is still not complete/correct, probably I missed something. When I access proxied url for either of our configured realms I got unproxied auth-server-url:
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "governance",
>     "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
> [localuser at machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
> {
>     "auth-server-url": "http://machine01.our.domain:8081/auth",
>     "public-client": true,
>     "realm": "master",
>     "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
>     "resource": "security-admin-console",
>     "ssl-required": "external"
> }
>
> How can I configure it to return the proxied version? Thanks.
>
> Stefan.
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, June 28, 2016 3:51 PM
> *To:* KASALA Štefan
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer
>
> Firstly, please upgrade to a more recent Keycloak version. Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html for details on how to setup a reverse proxy / load balancer in front of Keycloak.
>
> On 27 June 2016 at 09:18, KASALA Štefan wrote:
>
> Hello,
>
> we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks.
>
> Stefan Kasala
>
> ------------------------------
>
> This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part -------------- An HTML attachment was scrubbed...
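The request dump in this thread already contains the diagnosis: the proxy sends X-Forwarded-Host=lb.our.domain, the Host header Keycloak actually sees is machine01.our.domain:8081, and auth-server-url is built from the latter, so the forwarded headers are not being applied. The following is an added example written for this archive page, not code from the thread or from Keycloak: it parses an io.undertow.request.dump block and the JSON returned by the console config endpoint, then reports which of the two usual fixes applies, either letting Undertow honour the X-Forwarded-* headers with proxy-address-forwarding="true" on the http-listener (what the load-balancer page Stian linked describes), or having the proxy pass the original Host header through (ProxyPreserveHost On in Apache httpd). The dump and JSON below are the ones quoted in the thread, trimmed and embedded inline as constructed input; the mapping to those two settings is the usual WildFly 10 / httpd configuration, not something the thread itself confirms.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the Undertow request dump and the JSON reply quoted in
# the thread, trimmed to the fields the check needs.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
URI=/auth/admin/master/console/config
header=Accept=*/*
header=X-Forwarded-For=10.231.79.183
header=X-Forwarded-Server=lb.our.domain
header=Host=machine01.our.domain:8081
header=X-Forwarded-Host=lb.our.domain
method=GET
scheme=http
host=machine01.our.domain:8081
--------------------------RESPONSE--------------------------
status=200
"""

SAMPLE_CONFIG = json.dumps({
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": True,
    "realm": "master",
    "resource": "security-admin-console",
    "ssl-required": "external",
})


def parse_request_dump(text):
    """Turn the REQUEST half of an io.undertow.request.dump block into a dict
    with a case-insensitive `headers` map. Header lines read header=Name=Value."""
    info = {"headers": {}}
    for line in text.splitlines():
        if line.startswith("---") and "RESPONSE" in line:
            break
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "header" and "=" in value:
            name, hval = value.split("=", 1)
            info["headers"][name.lower()] = hval
        else:
            info[key] = value
    return info


def diagnose(dump_text, config_json, public_host, public_scheme="https"):
    """Compare what the proxy forwarded with what Keycloak put into
    auth-server-url. Returns (ok, findings); each finding names the fix."""
    headers = parse_request_dump(dump_text)["headers"]
    issued = urlparse(json.loads(config_json)["auth-server-url"])
    findings = []

    fwd_host = headers.get("x-forwarded-host")
    seen_host = headers.get("host")
    if fwd_host is None:
        findings.append("proxy sends no X-Forwarded-Host: add it, or ProxyPreserveHost On "
                        "in httpd so Host itself carries the public name")
    elif seen_host != fwd_host and issued.netloc == seen_host:
        findings.append("X-Forwarded-Host=%s arrives but auth-server-url is built from "
                        "Host=%s: Undertow ignores forwarded headers; set "
                        "proxy-address-forwarding=\"true\" on the http-listener, or make "
                        "the proxy preserve the original Host" % (fwd_host, seen_host))
    if issued.netloc != public_host:
        findings.append("auth-server-url host is %s, expected %s"
                        % (issued.netloc, public_host))
    if issued.scheme != public_scheme:
        hint = "" if headers.get("x-forwarded-proto") else \
            " (no X-Forwarded-Proto seen, so Keycloak cannot know the client used %s)" % public_scheme
        findings.append("auth-server-url scheme is %s, expected %s%s"
                        % (issued.scheme, public_scheme, hint))
    return (not findings, findings)
```

One caveat that goes with the fix: once proxy-address-forwarding is on, Undertow believes whatever X-Forwarded-For/Host/Proto it receives, so port 8081 must only be reachable from the proxy; otherwise anyone who can connect directly can spoof the client address Keycloak records in its events and brute-force protection.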
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/e3b76836/attachment-0001.html From Stefan.Kasala at posam.sk Mon Sep 12 02:55:43 2016 From: Stefan.Kasala at posam.sk (KASALA Štefan) Date: Mon, 12 Sep 2016 06:55:43 +0000 Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer In-Reply-To: References: <5aa71214e04e41a9babc330b2467f6f3@posam.sk> <2f0c2818-27c7-26f6-035a-5da774916dee@redhat.com> Message-ID: <370cb5e941394f309ca3eae3f9f1a628@posam.sk> Hello, Yes, my standalone.xml - undertow part: SK From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Monday, September 12, 2016 8:53 AM To: KASALA Štefan Cc: Marek Posolda ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Getting 401 if trying to access app via loadbalancer Have you set proxy-address-forwarding=true? I thought that was supposed to look at X-Forwarded-Host. ________________________________ This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/3ea1505a/attachment-0001.html From sthorger at redhat.com Mon Sep 12 03:00:10 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Sep 2016 09:00:10 +0200 Subject: [keycloak-user] Vote for web-based forum In-Reply-To: References: <6f12c42e-edca-d034-9535-3fb84a1353e7@ulise.de> <1b26fad9-a600-5065-af48-ac57088046e8@redhat.com> Message-ID: Nice, that's so obvious that I'm embarrassed I didn't think of it. Will add it to the website, hopefully that'll help others as well.
https://issues.jboss.org/browse/KEYCLOAK-3559 On 10 September 2016 at 14:47, Marcelo Barbosa wrote: > -1 > > Web forum is old stack, please try using Google: > > site: http://lists.jboss.org/pipermail/keycloak-dev/ your-word-query > > Cheers, > > Marcelo > > On Sat, Sep 10, 2016, 6:44 PM Travis De Silva wrote: > >> +1 >> >> But if you have been following Bill over the years, you will know that he >> is passionate about the mailing list and dislikes forums. But I do agree >> that there is so much valuable info in the mailing list and if it was a >> forum would be great. >> >> >> On Sat, 10 Sep 2016 at 21:41 Bill Burke wrote: >> >>> Too bad :) >>> >>> >>> On 9/10/16 7:33 AM, Uli SE wrote: >>> > Hi, >>> > >>> > I'm voting to change this exchange into some kind of a web-based >>> forum. >>> > >>> > It's really hard to search for "already asked questions" and to track >>> my >>> > threads in this kind of mailing list. >>> > >>> > Cheers, >>> > >>> > Uli >>> > >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/49e8e167/attachment.html From kiranpatil at arvindinternet.com Mon Sep 12 03:12:55 2016 From: kiranpatil at arvindinternet.com (Kiran patil) Date: Mon, 12 Sep 2016 12:42:55 +0530 Subject: [keycloak-user] Social login - need help In-Reply-To: References: Message-ID: Kiran P +91 9964558157 On Mon, Sep 12, 2016 at 12:39 PM, Kiran patil wrote: > Hi All, > > > I am implementing social login and facing following issues. > > 1. Getting *invalid_redirect_uri *for *http://example.com > . *Please suggest what should be the *Base URL* and Valid > Redirect URIs so that I can redirect to my login success page on > successful login. > > 2. If I don't specify any *Post Login Flow *getting error and it is > redirecting to */forbidden *. I need to redirect to my app on *First > Broker Login* and also successful login for existing user. > > Please help me modify the settings to solve the above issues. > > > > > Kiran P > +91 9964558157 > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/1515be9a/attachment.html From sthorger at redhat.com Mon Sep 12 03:50:58 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Sep 2016 09:50:58 +0200 Subject: [keycloak-user] Social login - need help In-Reply-To: References: Message-ID: If you get a invalid_redirect_uri error from Keycloak you haven't configured the correct redirect uri for your app in Keycloak. If you're getting it in the social network then you have configured the correct URI there. On 12 September 2016 at 09:12, Kiran patil wrote: > > > Kiran P > +91 9964558157 > > On Mon, Sep 12, 2016 at 12:39 PM, Kiran patil < > kiranpatil at arvindinternet.com> wrote: > >> Hi All, >> >> >> I am implementing social login and facing following issues. >> >> 1. Getting *invalid_redirect_uri *for *http://example.com >> . 
*Please suggest what should be the *Base URL* and Valid >> Redirect URIs so that I can redirect to my login success page on >> successful login. >> >> 2. If I don't specify any *Post Login Flow *getting error and it is >> redirecting to */forbidden *. I need to redirect to my app on *First >> Broker Login* and also successful login for existing user. >> >> Please help me modify the settings to solve the above issues. >> >> >> >> >> Kiran P >> +91 9964558157 >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/f285efe4/attachment.html From aman.jaiswal at arvindinternet.com Mon Sep 12 04:04:57 2016 From: aman.jaiswal at arvindinternet.com (Aman Jaiswal) Date: Mon, 12 Sep 2016 13:34:57 +0530 Subject: [keycloak-user] Keycloak-2.1.0.Final Cluster mode on AWS In-Reply-To: References: Message-ID: Hi Team, Is any update On Sat, Sep 10, 2016 at 7:13 PM, Aman Jaiswal < aman.jaiswal at arvindinternet.com> wrote: > Hi > > Can any one tell me how to setup a keycloak-2.1.0Final Cluster mode on > AWS and node server's are running behind the load balancer ? > > > > I am trying to do the same but not succeed here is the link where you find > details. > > > https://developer.jboss.org/thread/272224 > > > > -- > Thanks, > Aman Jaiswal > -- Thanks, Aman Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/4b85e3dd/attachment.html From kiranpatil at arvindinternet.com Mon Sep 12 05:31:15 2016 From: kiranpatil at arvindinternet.com (Kiran patil) Date: Mon, 12 Sep 2016 15:01:15 +0530 Subject: [keycloak-user] Social login - need help In-Reply-To: References: Message-ID: Thanks Stian, I am specifying *https://www.google.co.in *as Valid Redirect URI for *security-admin-console *client. Is it wrong ? Kiran P +91 9964558157 On Mon, Sep 12, 2016 at 1:20 PM, Stian Thorgersen wrote: > If you get a invalid_redirect_uri error from Keycloak you haven't > configured the correct redirect uri for your app in Keycloak. If you're > getting it in the social network then you have configured the correct URI > there. > > On 12 September 2016 at 09:12, Kiran patil > wrote: > >> >> >> Kiran P >> +91 9964558157 >> >> On Mon, Sep 12, 2016 at 12:39 PM, Kiran patil < >> kiranpatil at arvindinternet.com> wrote: >> >>> Hi All, >>> >>> >>> I am implementing social login and facing following issues. >>> >>> 1. Getting *invalid_redirect_uri *for *http://example.com >>> . *Please suggest what should be the *Base URL* and Valid >>> Redirect URIs so that I can redirect to my login success page on >>> successful login. >>> >>> 2. If I don't specify any *Post Login Flow *getting error and it is >>> redirecting to */forbidden *. I need to redirect to my app on *First >>> Broker Login* and also successful login for existing user. >>> >>> Please help me modify the settings to solve the above issues. >>> >>> >>> >>> >>> Kiran P >>> +91 9964558157 >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/76458584/attachment-0001.html From sthorger at redhat.com Mon Sep 12 09:22:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Sep 2016 15:22:50 +0200 Subject: [keycloak-user] Social login - need help In-Reply-To: References: Message-ID: Yes. Got no clue why you are adding google as a redirect uri for a client in Keycloak also got no clue why you're editing security-admin-console client in the first place. #1 Get login to your client working with username/password #2 Add social login - In this step you shouldn't touch the clients, only add an identity provider. The docs should explain both steps. On 12 September 2016 at 11:31, Kiran patil wrote: > Thanks Stian, > > I am specifying *https://www.google.co.in *as > Valid Redirect URI for *security-admin-console *client. Is it wrong ? > > Kiran P > +91 9964558157 > > On Mon, Sep 12, 2016 at 1:20 PM, Stian Thorgersen > wrote: > >> If you get a invalid_redirect_uri error from Keycloak you haven't >> configured the correct redirect uri for your app in Keycloak. If you're >> getting it in the social network then you have configured the correct URI >> there. >> >> On 12 September 2016 at 09:12, Kiran patil > > wrote: >> >>> >>> >>> Kiran P >>> +91 9964558157 >>> >>> On Mon, Sep 12, 2016 at 12:39 PM, Kiran patil < >>> kiranpatil at arvindinternet.com> wrote: >>> >>>> Hi All, >>>> >>>> >>>> I am implementing social login and facing following issues. >>>> >>>> 1. Getting *invalid_redirect_uri *for *http://example.com >>>> . *Please suggest what should be the *Base URL* >>>> and Valid Redirect URIs so that I can redirect to my login success >>>> page on successful login. >>>> >>>> 2. If I don't specify any *Post Login Flow *getting error and it is >>>> redirecting to */forbidden *. I need to redirect to my app on *First >>>> Broker Login* and also successful login for existing user. 
>>>> >>>> Please help me modify the settings to solve the above issues. >>>> >>>> >>>> >>>> >>>> Kiran P >>>> +91 9964558157 >>>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/820aaa64/attachment.html From niko at n-k.de Mon Sep 12 11:03:31 2016 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Mon, 12 Sep 2016 17:03:31 +0200 Subject: [keycloak-user] Struggling with roles via groups Message-ID: <47E1C67E-27FF-451E-A067-BE3FC66C983C@n-k.de> Hi, currently I?m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to. This is my scenario: Role ?admin?, which is a composite role and has from client ?realm-management? the roles ?impersonation, manage-users, view-users? assigned. Group ?admins?, which the role ?admin? is assigned to. If I assign the ?admin" role to a user in ?myRealm?, the user is able to get a list of all users via HTTP REST call ?/auth/admin/realms/myRealm/users? If I now remove this role from the user and let it join the group ?admins?, the user should have also the ?impersonation, manage-users, view-users? client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned. What am I missing? Am I doing something wrong? Or is Keycloak not evaluating the roles correctly? Any help is appreciated! 
regards, - Niko From jsightle at redhat.com Mon Sep 12 11:17:24 2016 From: jsightle at redhat.com (Jess Sightler) Date: Mon, 12 Sep 2016 11:17:24 -0400 Subject: [keycloak-user] IP Address based default user Message-ID: <97da3065-998b-b7d6-79f7-e6747f9ed7d1@redhat.com> Is there a builtin authenticator that can provide a default user account based upon some criteria? For example, could we provide a default user if the client is connecting to localhost? From niko at n-k.de Mon Sep 12 11:23:43 2016 From: niko at n-k.de (Niko Köbler) Date: Mon, 12 Sep 2016 17:23:43 +0200 Subject: [keycloak-user] Struggling with roles via groups In-Reply-To: <47E1C67E-27FF-451E-A067-BE3FC66C983C@n-k.de> References: <47E1C67E-27FF-451E-A067-BE3FC66C983C@n-k.de> Message-ID: Sorry, forgot the version... I'm using 2.1.0.Final > On 12.09.2016 at 17:03, Niko Köbler wrote: > > Hi, > > currently I'm struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to. > This is my scenario: > > Role "admin", which is a composite role and has from client "realm-management" the roles "impersonation, manage-users, view-users" assigned. > Group "admins", which the role "admin" is assigned to. > > If I assign the "admin" role to a user in "myRealm", the user is able to get a list of all users via HTTP REST call "/auth/admin/realms/myRealm/users" > If I now remove this role from the user and let it join the group "admins", the user should have also the "impersonation, manage-users, view-users" client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned. > > What am I missing? > Am I doing something wrong? > Or is Keycloak not evaluating the roles correctly? > > Any help is appreciated!
> > regards, > - Niko > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From lganga14 at gmail.com Mon Sep 12 11:58:10 2016 From: lganga14 at gmail.com (Ganga Lakshmanasamy) Date: Mon, 12 Sep 2016 21:28:10 +0530 Subject: [keycloak-user] Need help in resolving error with authorizing our app using Keycloak Message-ID: Hi, We have a web application which uses keycloak as its authentication server. Currently, we have enabled keycloak only at our client side which is an angular code. We would like to enable the keycloak security for our rest services as well. So we did the following, 1. Created a new client in our realm for backend services with access type "bearer-only". 2. Configured keycloak adapter in wildfly where our backend rest services are deployed. 3. Added keycloak.json file of backend services client. 4. Logged into our application through our angular client and got the token. 5. Tried accessing the backend rest api with the access token sent as part of header as below. Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJiMjc0ZTY3My0yOTg1LT QwNmEtOWE0YS1... Getting* 403 Forbidden access* error while invoking the rest service even though the user has the required roles set. Please help us in resolving the issue. Regards, Ganga Lakshmanasamy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160912/8b1e7b27/attachment.html From sphillips at jefferies.com Mon Sep 12 13:31:53 2016 From: sphillips at jefferies.com (Sarah Phillips) Date: Mon, 12 Sep 2016 17:31:53 +0000 Subject: [keycloak-user] No redirect to original URL after going to identity provider Message-ID: <0FF6C550D9F65349B0D7DE7715A22E6A04DA29DB@EXLHOEUDAG31.ad.jefco.com> I have a keycloak 1.9.8 install that I am trying to reconfigure. 
I have a client that tries to authenticate requests to https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/* I have a saml 2.0 identity provider configured against pingfederate. The redirect URI is http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfederate_saml/endpoint When I enter https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/login.jsp into a web browser I end up at http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfederate_saml/endpoint which is not what I intend - I would like to be validated and then redirected back to the original location. Is there another step to redirect the browser back to the original URL? I am picking up this task from a colleague who moved on. I have tried reading the server-administration-guide but it does not seem to be helping with this problem. How do I diagnose the issue? What settings do I need to check? There are also a couple of ldap providers set up under User Federation. I don't know whether they are needed - I think they were previously used to authenticate against ldap but the users are looking for silent/pass-through authentication. Actually, while I'm here, will SAML 2.0 even support Integrated Windows Authentication that I am supposed to be implementing, or must I use Kerberos to achieve that? Many thanks, Sarah Jefferies archives and monitors outgoing and incoming e-mail. The contents of this email, including any attachments, are confidential to the ordinary user of the email address to which it was addressed. If you are not the addressee of this email you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. This email may be produced at the request of regulators or in connection with civil litigation. Jefferies accepts no liability for any errors or omissions arising as a result of transmission. Use by other than intended recipients is prohibited. 
In the United Kingdom, Jefferies operates as Jefferies International Limited; registered in England: no. 1978621; registered office: Vintners Place, 68 Upper Thames Street, London EC4V 3BJ. Jefferies International Limited is authorized and regulated by the Financial Conduct Authority.

From mposolda at redhat.com Mon Sep 12 22:55:23 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Sep 2016 04:55:23 +0200
Subject: [keycloak-user] Struggling with roles via groups
In-Reply-To:
References: <47E1C67E-27FF-451E-A067-BE3FC66C983C@n-k.de>
Message-ID: <1326efd9-449d-1af1-f4d7-c1813ea64038@redhat.com>

You're right, the group roles are not picked correctly by admin REST at this moment.

AFAIK This is going to be fixed soon in Keycloak master and will be in Keycloak 2.3. The admin REST will always rely on the roles from the token, which includes transitive role memberships retrieved via groups too.

Marek

On 12/09/16 17:23, Niko Köbler wrote:
> Sorry, forgot the version...
> I'm using 2.1.0.Final
>
>> On 12.09.2016 at 17:03, Niko Köbler wrote:
>>
>> Hi,
>>
>> currently I'm struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
>> This is my scenario:
>>
>> Role "admin", which is a composite role and has from client "realm-management" the roles "impersonation, manage-users, view-users" assigned.
>> Group "admins", which the role "admin" is assigned to.
>>
>> If I assign the "admin" role to a user in "myRealm", the user is able to get a list of all users via HTTP REST call "/auth/admin/realms/myRealm/users"
>> If I now remove this role from the user and let it join the group "admins", the user should have also the "impersonation, manage-users, view-users" client roles - as far as I understand it correctly.
>> The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned.
>>
>> What am I missing?
>> Am I doing something wrong?
>> Or is Keycloak not evaluating the roles correctly?
>>
>> Any help is appreciated!
>>
>> regards,
>> - Niko
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Sep 12 22:59:47 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Sep 2016 04:59:47 +0200
Subject: [keycloak-user] Need help in resolving error with authorizing our app using Keycloak
In-Reply-To: References:
Message-ID: <251c7ec7-6995-e4e1-72c0-6b63bf6fa7d1@redhat.com>

You can take a look at our demo examples, which contains the scenario like this. The possible tips:
- Try to see what roles accessToken really contains on your angular side and if it really contains the requested roles. Maybe you're missing "scope" for roles?
- If roles are in accessToken, then doublecheck if they are correctly mapped on your backend rest service side to the JEE roles. For example see adapter option "use-resource-role-mappings"

Marek

On 12/09/16 17:58, Ganga Lakshmanasamy wrote:
> Hi,
>
> We have a web application which uses keycloak as its authentication server. Currently, we have enabled keycloak only at our client side which is an angular code. We would like to enable the keycloak security for our rest services as well. So we did the following,
> 1. Created a new client in our realm for backend services with access type "bearer-only".
> 2. Configured keycloak adapter in wildfly where our backend rest services are deployed.
> 3.
> Added keycloak.json file of backend services client.
> 4. Logged into our application through our angular client and got the token.
> 5. Tried accessing the backend rest api with the access token sent as part of header as below.
> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJiMjc0ZTY3My0yOTg1LTQwNmEtOWE0YS1...
>
> Getting *403 Forbidden access* error while invoking the rest service even though the user has the required roles set. Please help us in resolving the issue.
>
> Regards,
> Ganga Lakshmanasamy
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Sep 12 23:01:36 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Sep 2016 05:01:36 +0200
Subject: [keycloak-user] Keycloak-2.1.0.Final Cluster mode on AWS
In-Reply-To: References: Message-ID:

The Keycloak team didn't try to test AWS until now. However you can browse some earlier discussions on keycloak-dev or keycloak-user mailing lists, where you hopefully find some possible tips what should be done for Keycloak cluster on AWS.

Marek

On 12/09/16 10:04, Aman Jaiswal wrote:
> Hi Team,
>
> Is any update
>
> On Sat, Sep 10, 2016 at 7:13 PM, Aman Jaiswal wrote:
>
> Hi
>
> Can any one tell me how to setup a keycloak-2.1.0Final Cluster mode on AWS and node server's are running behind the load balancer ?
>
> I am trying to do the same but not succeed here is the link where you find details.
> > > https://developer.jboss.org/thread/272224
> >
> > --
> > Thanks,
> > Aman Jaiswal
>
> --
> Thanks,
> Aman Jaiswal
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From niko at n-k.de Tue Sep 13 01:46:08 2016
From: niko at n-k.de (Niko Köbler)
Date: Tue, 13 Sep 2016 07:46:08 +0200
Subject: [keycloak-user] Struggling with roles via groups
In-Reply-To: <1326efd9-449d-1af1-f4d7-c1813ea64038@redhat.com>
References: <47E1C67E-27FF-451E-A067-BE3FC66C983C@n-k.de> <1326efd9-449d-1af1-f4d7-c1813ea64038@redhat.com>
Message-ID:

Marek, thanks for the answer! :-)
So I'll wait until 2.3 and have a look if it's fixed there.

- Niko

> On 13.09.2016 at 04:55, Marek Posolda wrote:
>
> You're right, the group roles are not picked correctly by admin REST at this moment.
>
> AFAIK This is going to be fixed soon in Keycloak master and will be in Keycloak 2.3. The admin REST will always rely on the roles from the token, which includes transitive role memberships retrieved via groups too.
>
> Marek
>
> On 12/09/16 17:23, Niko Köbler wrote:
>> Sorry, forgot the version...
>> I'm using 2.1.0.Final
>>
>>> On 12.09.2016 at 17:03, Niko Köbler wrote:
>>>
>>> Hi,
>>>
>>> currently I'm struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
>>> This is my scenario:
>>>
>>> Role "admin", which is a composite role and has from client "realm-management" the roles "impersonation, manage-users, view-users" assigned.
>>> Group "admins", which the role "admin" is assigned to.
>>>
>>> If I assign the "admin" role to a user in "myRealm", the user is able to get a list of all users via HTTP REST call "/auth/admin/realms/myRealm/users"
>>> If I now remove this role from the user and let it join the group "admins", the user should have also the "impersonation, manage-users, view-users" client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned.
>>>
>>> What am I missing?
>>> Am I doing something wrong?
>>> Or is Keycloak not evaluating the roles correctly?
>>>
>>> Any help is appreciated!
>>>
>>> regards,
>>> - Niko
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From andyyar66 at gmail.com Tue Sep 13 02:48:11 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Tue, 13 Sep 2016 08:48:11 +0200
Subject: [keycloak-user] Restrict user's access to a subset of realm's clients
Message-ID:

Hello,
I'm wondering, is there a way how to restrict certain clients in a realm for a given user?

Of course, I can map roles to user and check them in each application. However, it seems like it might be easier to perform directly on Keycloak side.

What is the correct way how to achieve that?

Thanks in advance.

From mposolda at redhat.com Tue Sep 13 03:27:25 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Sep 2016 09:27:25 +0200
Subject: [keycloak-user] Restrict user's access to a subset of realm's clients
In-Reply-To: References: Message-ID:

Look at the "scope" tab for particular client in admin console.
You need to uncheck "Full scope allowed" and then select requested scopes. The resulting roles in the token are the intersection of user's roles + client's scoped roles.

Marek

On 13/09/16 08:48, Andy Yar wrote:
> Hello,
> I'm wondering, is there a way how to restrict certain clients in a realm for a given user?
>
> Of course, I can map roles to user and check them in each application. However, it seems like it might be easier to perform directly on Keycloak side.
>
> What is the correct way how to achieve that?
>
> Thanks in advance.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Sep 13 03:41:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Sep 2016 09:41:14 +0200
Subject: [keycloak-user] Added search to website
Message-ID:

I've added a search option to the website. It uses a custom Google search to make it easy to search on the website, documentation, blog and mailing lists.

http://www.keycloak.org/search.html

From sthorger at redhat.com Tue Sep 13 05:01:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Sep 2016 11:01:05 +0200
Subject: [keycloak-user] IP Address based default user
In-Reply-To: <97da3065-998b-b7d6-79f7-e6747f9ed7d1@redhat.com>
References: <97da3065-998b-b7d6-79f7-e6747f9ed7d1@redhat.com>
Message-ID:

No there isn't anything like that. Sounds like a potential hackers heaven as well.

Assuming you've got the idea from WildFly.
WildFly can do that by writing to a local file to make sure the user is indeed on the local machine. That doesn't work in a web based flow unless you can find a way to "share" a file between the Keycloak server and the browser.

On 12 September 2016 at 17:17, Jess Sightler wrote:
> Is there a builtin authenticator that can provide a default user account based upon some criteria? For example, could we provide a default user if the client is connecting to localhost?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Tue Sep 13 05:15:08 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Sep 2016 11:15:08 +0200
Subject: [keycloak-user] Keycloak-2.1.0.Final Cluster mode on AWS
In-Reply-To: References: Message-ID:

You should be able to find what you need here: http://www.keycloak.org/search.html?q=aws

On 12 September 2016 at 10:04, Aman Jaiswal wrote:
> Hi Team,
>
> Is any update
>
> On Sat, Sep 10, 2016 at 7:13 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>
>> Hi
>>
>> Can any one tell me how to setup a keycloak-2.1.0Final Cluster mode on AWS and node server's are running behind the load balancer ?
>>
>> I am trying to do the same but not succeed here is the link where you find details.
>>
>> https://developer.jboss.org/thread/272224
>>
>> --
>> Thanks,
>> Aman Jaiswal
>
> --
> Thanks,
> Aman Jaiswal
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
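A simplified model, added here as an example and not code from Keycloak or from any poster, of the three role questions in the threads above: roles granted directly and via groups expanded through composite roles (the "Struggling with roles via groups" thread), the intersection with a client's scope when "Full scope allowed" is unchecked (Marek's "Restrict user's access" reply), and the adapter-side reading of the token that the use-resource-role-mappings option selects (the bearer-only 403 thread). The role and group names follow the threads; the user "alice" and the clients "my-frontend" and "reports" are constructed.

```python
"""Model (added example, not Keycloak code) of how roles reach a Keycloak access
token and how an adapter reads them back. Names "admin", "admins" and
"realm-management" come from the thread; "alice", "my-frontend", "reports" are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A role is (client_id, name); client_id is None for realm roles.
Role = Tuple[Optional[str], str]


@dataclass
class Realm:
    composites: Dict[Role, Set[Role]] = field(default_factory=dict)  # composite -> members
    group_roles: Dict[str, Set[Role]] = field(default_factory=dict)  # group -> mapped roles
    user_roles: Dict[str, Set[Role]] = field(default_factory=dict)   # user -> direct roles
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)   # user -> groups

    def expand(self, roles: Set[Role]) -> Set[Role]:
        """Transitively expand composite roles. The result set doubles as the
        visited set, so a composite that (indirectly) contains itself cannot loop."""
        result: Set[Role] = set()
        stack = list(roles)
        while stack:
            role = stack.pop()
            if role in result:
                continue
            result.add(role)
            stack.extend(self.composites.get(role, ()))
        return result

    def effective_roles(self, user: str) -> Set[Role]:
        """Direct roles plus the roles of every group the user belongs to,
        all expanded through composites."""
        granted = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            granted |= self.group_roles.get(group, set())
        return self.expand(granted)


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool = True
    scope: Set[Role] = field(default_factory=set)  # only consulted when full scope is off


def token_roles(realm: Realm, user: str, client: Client) -> Set[Role]:
    """Roles that go into the token: the user's effective roles, intersected with
    the client's (expanded) scope when "Full scope allowed" is unchecked."""
    effective = realm.effective_roles(user)
    if client.full_scope_allowed:
        return effective
    return effective & realm.expand(client.scope)


def build_access_token(realm: Realm, user: str, client: Client) -> dict:
    """Lay the roles out the way the token does: realm roles under realm_access.roles,
    client roles under resource_access.<client>.roles (sorted for stable output)."""
    token = {"preferred_username": user, "azp": client.client_id,
             "realm_access": {"roles": []}, "resource_access": {}}
    for client_id, name in sorted(token_roles(realm, user, client), key=str):
        if client_id is None:
            token["realm_access"]["roles"].append(name)
        else:
            token["resource_access"].setdefault(client_id, {"roles": []})["roles"].append(name)
    return token


def adapter_has_role(token: dict, role: str, resource: str,
                     use_resource_role_mappings: bool) -> bool:
    """Adapter-side check: with use-resource-role-mappings=true the roles of
    `resource` under resource_access are mapped to application roles, otherwise
    only realm_access.roles are. A backend that requires a client role but maps
    realm roles answers 403 to a user who visibly "has the role" in the token."""
    if use_resource_role_mappings:
        return role in token.get("resource_access", {}).get(resource, {}).get("roles", [])
    return role in token.get("realm_access", {}).get("roles", [])


def demo() -> dict:
    """The thread's scenario: composite realm role "admin" holding three realm-management
    client roles, group "admins" mapped to it, and a user who only belongs to the group."""
    realm = Realm(
        composites={(None, "admin"): {("realm-management", "impersonation"),
                                      ("realm-management", "manage-users"),
                                      ("realm-management", "view-users")}},
        group_roles={"admins": {(None, "admin")}},
        user_roles={"alice": set()},              # no direct role at all
        user_groups={"alice": {"admins"}},
    )
    frontend = Client("my-frontend")              # full scope: everything the user has
    reports = Client("reports", full_scope_allowed=False,
                     scope={("realm-management", "view-users")})  # narrowed to one role
    full = build_access_token(realm, "alice", frontend)
    narrow = build_access_token(realm, "alice", reports)
    return {
        "full": full,
        "narrow": narrow,
        "client_roles_ok": adapter_has_role(full, "view-users", "realm-management", True),
        "realm_roles_403": not adapter_has_role(full, "view-users", "realm-management", False),
    }
```

Running demo() shows the group-derived client roles present in the full-scope token, the narrowed token carrying only view-users, and the same token passing or failing the adapter check depending solely on use-resource-role-mappings.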
From sthorger at redhat.com Tue Sep 13 05:15:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Sep 2016 11:15:57 +0200
Subject: [keycloak-user] Struggling with roles via groups
In-Reply-To: <1326efd9-449d-1af1-f4d7-c1813ea64038@redhat.com>
References: <47E1C67E-27FF-451E-A067-BE3FC66C983C@n-k.de> <1326efd9-449d-1af1-f4d7-c1813ea64038@redhat.com>
Message-ID:

https://issues.jboss.org/browse/KEYCLOAK-2964

On 13 September 2016 at 04:55, Marek Posolda wrote:
> You're right, the group roles are not picked correctly by admin REST at this moment.
>
> AFAIK This is going to be fixed soon in Keycloak master and will be in Keycloak 2.3. The admin REST will always rely on the roles from the token, which includes transitive role memberships retrieved via groups too.
>
> Marek
>
> On 12/09/16 17:23, Niko Köbler wrote:
> > Sorry, forgot the version...
> > I'm using 2.1.0.Final
> >
> >> On 12.09.2016 at 17:03, Niko Köbler wrote:
> >>
> >> Hi,
> >>
> >> currently I'm struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
> >> This is my scenario:
> >>
> >> Role "admin", which is a composite role and has from client "realm-management" the roles "impersonation, manage-users, view-users" assigned.
> >> Group "admins", which the role "admin" is assigned to.
> >>
> >> If I assign the "admin" role to a user in "myRealm", the user is able to get a list of all users via HTTP REST call "/auth/admin/realms/myRealm/users"
> >> If I now remove this role from the user and let it join the group "admins", the user should have also the "impersonation, manage-users, view-users" client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now is calling the above mentioned HTTP REST call, a 403 Forbidden response is returned.
> >>
> >> What am I missing?
> >> Am I doing something wrong?
> >> Or is Keycloak not evaluating the roles correctly?
> >>
> >> Any help is appreciated!
> >>
> >> regards,
> >> - Niko
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Sep 13 05:19:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Sep 2016 11:19:05 +0200
Subject: [keycloak-user] No redirect to original URL after going to identity provider
In-Reply-To: <0FF6C550D9F65349B0D7DE7715A22E6A04DA29DB@EXLHOEUDAG31.ad.jefco.com>
References: <0FF6C550D9F65349B0D7DE7715A22E6A04DA29DB@EXLHOEUDAG31.ad.jefco.com>
Message-ID:

Assuming https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/login.jsp is the login screen for your SAML identity provider it's correct that should redirect back to http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfederate_saml/endpoint. At that point Keycloak should authenticate the user and redirect to your client.

Is your browser stuck on http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfederate_saml/endpoint? What is it displaying? Are there any errors in the log? Is login working with username/password directly in Keycloak?
On 12 September 2016 at 19:31, Sarah Phillips wrote:
> I have a keycloak 1.9.8 install that I am trying to reconfigure.
>
> I have a client that tries to authenticate requests to https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/*
>
> I have a saml 2.0 identity provider configured against pingfederate. The redirect URI is http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfederate_saml/endpoint
>
> When I enter https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/login.jsp into a web browser I end up at http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfederate_saml/endpoint which is not what I intend - I would like to be validated and then redirected back to the original location.
>
> Is there another step to redirect the browser back to the original URL?
>
> I am picking up this task from a colleague who moved on. I have tried reading the server-administration-guide but it does not seem to be helping with this problem.
>
> How do I diagnose the issue? What settings do I need to check?
>
> There are also a couple of ldap providers set up under User Federation. I don't know whether they are needed - I think they were previously used to authenticate against ldap but the users are looking for silent/pass-through authentication.
>
> Actually, while I'm here, will SAML 2.0 even support Integrated Windows Authentication that I am supposed to be implementing, or must I use Kerberos to achieve that?
>
> Many thanks,
>
> Sarah
>
> Jefferies archives and monitors outgoing and incoming e-mail. The contents of this email, including any attachments, are confidential to the ordinary user of the email address to which it was addressed. If you are not the addressee of this email you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. This email may be produced at the request of regulators or in connection with civil litigation.
> Jefferies accepts no liability for any errors or omissions arising as a result of transmission. Use by other than intended recipients is prohibited. In the United Kingdom, Jefferies operates as Jefferies International Limited; registered in England: no. 1978621; registered office: Vintners Place, 68 Upper Thames Street, London EC4V 3BJ. Jefferies International Limited is authorized and regulated by the Financial Conduct Authority.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From eric.matte at bionxinternational.com Tue Sep 13 10:38:37 2016
From: eric.matte at bionxinternational.com (Eric Matte)
Date: Tue, 13 Sep 2016 14:38:37 +0000
Subject: [keycloak-user] Webpage reloading twice
In-Reply-To: References: Message-ID:

Hi,

We are using the Javascript Adapter from Keycloak for our client authentication. However, when accessing a webpage, we receive the information twice. Here are the request logs received from the client to the server:

127.0.0.1 - - [13/Sep/2016 10:23:10] "GET /f/services HTTP/1.1" 200 -
127.0.0.1 - - [13/Sep/2016 10:23:10] "GET /f/services?prompt=none HTTP/1.1" 200 -

The client is calling a second GET request for a reason that I don't know. Can you explain?

Thank you
From jsightle at redhat.com Tue Sep 13 10:48:59 2016
From: jsightle at redhat.com (Jess Sightler)
Date: Tue, 13 Sep 2016 10:48:59 -0400
Subject: [keycloak-user] IP Address based default user
In-Reply-To:
References: <97da3065-998b-b7d6-79f7-e6747f9ed7d1@redhat.com>
Message-ID:

Well, this be insecurity by design. :)

Basically we would like to turn off security completely in some cases for local installations, but this brings a lot of deployment related considerations (multiple descriptors, conditional logic around the logged in user, etc). An authenticator that is essentially just a bypass would accomplish the same thing without the additional complexity. It would be similar to a default "unauthenticatedIdentity", except with a default role as well.

On 09/13/2016 05:01 AM, Stian Thorgersen wrote:
> No there isn't anything like that. Sounds like a potential hackers heaven as well.
>
> Assuming you've got the idea from WildFly. WildFly can do that by writing to a local file to make sure the user is indeed on the local machine. That doesn't work in a web based flow unless you can find a way to "share" a file between the Keycloak server and the browser.
>
> On 12 September 2016 at 17:17, Jess Sightler wrote:
>
> Is there a builtin authenticator that can provide a default user account based upon some criteria? For example, could we provide a default user if the client is connecting to localhost?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From tmcginnis at glatfelters.com Tue Sep 13 10:50:50 2016
From: tmcginnis at glatfelters.com (Timothy I. McGinnis)
Date: Tue, 13 Sep 2016 14:50:50 +0000
Subject: [keycloak-user] Cannot get SPNEGO authentication working
Message-ID: <44d18d488df84279be911c3a99485246@gig-ex13mbx1.ajga.com>

Hello,

I am trying to set up SPNEGO authentication through Keycloak. I have installed Keycloak on a windows server, configured a client as shown below and set up the realm in jboss. But I consistently receive the error message GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag). I am using IE 11, and the url for the web app is https://gig-jboss-dev.ajga.com:8443/CBN

[cid:image001.png at 01D20DA5.5995CC40]

JBoss web app configuration in standalone.xml
======================================================
master CBN true (key from keycloak) http://gig-msnet-dev.ajga.com:8080/auth EXTERNAL

Log file from keycloak server
========================================================
2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:\temp\keycloak.keytab refreshKrb5Config is false principal is HTTP/gig-msnet-dev.ajga.com at AJGA.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2016-09-13 10:47:31,792 INFO [stdout] (default task-19) principal is HTTP/gig-msnet-dev.ajga.com at AJGA.COM
2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Will use keytab
2016-09-13 10:47:31,807 INFO [stdout] (default task-19) Commit Succeeded
2016-09-13 10:47:31,807 INFO [stdout] (default task-19)
2016-09-13 10:47:31,807 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-19) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at
org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:70) at org.keycloak.federation.kerberos.KerberosFederationProvider.validCredentials(KerberosFederationProvider.java:209) at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:549) at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:160) at sun.reflect.GeneratedMethodAccessor360.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the 
right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:174)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:137)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:127)
    ... 60 more

2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: Entering logout
2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: logged out Subject

Confidentiality Notice: The information contained in this communication, including all attachments, is legally protected information, confidential or proprietary information, or a trade secret intended solely for the use of the intended recipient. The information may also be subject to legal privilege. If you are not the intended recipient, you are hereby notified that any use, disclosure, dissemination, distribution, forwarding, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by reply Fax or e-mail stating the communication was "received in error" and delete or destroy all copies of this communication, including all attachments.

From bburke at redhat.com Tue Sep 13 16:21:08 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 13 Sep 2016 16:21:08 -0400
Subject: [keycloak-user] WARNING: breaking User API backward compatibility
Message-ID:

FYI: Starting in 2.3, there will be a number of user SPIs and APIs that will be refactored or deprecated. UserModel, UserFederationProvider, UserCredentialModel, PasswordHashProvider, and UserFederationManager are being refactored. UserFederationProvider is also being @Deprecated. Code will break, and you'll have to figure out how to start using the new UserStorageProvider SPI, or update your UserFederationProvider implementation. You'll start seeing changes pop up in master over the next few weeks.

Regards,
Bill

From bruno at abstractj.org Tue Sep 13 16:52:13 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 13 Sep 2016 17:52:13 -0300
Subject: [keycloak-user] Cannot get SPNEGO authentication working
In-Reply-To: <44d18d488df84279be911c3a99485246@gig-ex13mbx1.ajga.com>
References: <44d18d488df84279be911c3a99485246@gig-ex13mbx1.ajga.com>
Message-ID: <20160913205213.GC6881@abstractj.org>

Hi Timothy, I found something related to your issue here[1]. There's also some old discussion about it[2]. If that does not help, please provide more details about your setup like: JDK, Keycloak and Windows version.

[1] - http://stackoverflow.com/questions/2973355/defective-token-deteced-error-ntlm-not-kerberos-with-kerberos-spring-securit
[2] - https://issues.jboss.org/browse/KEYCLOAK-828

On 2016-09-13, Timothy I. McGinnis wrote:
> Hello,
>
> I am trying to set up SPNEGO authentication through Keycloak. I have installed Keycloak on a windows server, configured a client as shown below and set up the realm in jboss.
But I consistently receive the error message GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag). I am using IE 11, and the url for the web app is https://gig-jboss-dev.ajga.com:8443/CBN > > [cid:image001.png at 01D20DA5.5995CC40] > JBoss web app configuration in standalone.xml ====================================================== > > > > master > CBN > true > (key from keycloak) > http://gig-msnet-dev.ajga.com:8080/auth > EXTERNAL > > > > Log file from keycloak server ======================================================== > > 2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:\temp\keycloak.keytab refreshKrb5Config is false principal is HTTP/gig-msnet-dev.ajga.com at AJGA.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false > 2016-09-13 10:47:31,792 INFO [stdout] (default task-19) principal is HTTP/gig-msnet-dev.ajga.com at AJGA.COM > 2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Will use keytab > 2016-09-13 10:47:31,807 INFO [stdout] (default task-19) Commit Succeeded > 2016-09-13 10:47:31,807 INFO [stdout] (default task-19) > 2016-09-13 10:47:31,807 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-19) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:70) > at org.keycloak.federation.kerberos.KerberosFederationProvider.validCredentials(KerberosFederationProvider.java:209) > at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:549) > at 
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183) > at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792) > at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667) > at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:160) > at sun.reflect.GeneratedMethodAccessor360.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:483) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) > at sun.security.jgss.GSSHeader.(GSSHeader.java:97) > at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306) > at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) > at 
org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:174)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:137)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:127)
> ... 60 more
>
> 2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: Entering logout
> 2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: logged out Subject
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From bruno at abstractj.org Tue Sep 13 17:08:38 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 13 Sep 2016 18:08:38 -0300
Subject: [keycloak-user] Webpage reloading twice
In-Reply-To:
References:
Message-ID: <20160913210838.GD6881@abstractj.org>

Hi Erik, could you provide the steps to reproduce or some code?

On 2016-09-13, Eric Matte wrote:
> Hi,
>
> We are using the Javascript Adapter from Keycloak for our client authentication.
> However, when accessing a webpage, we receive the information twice.
>
> Here are the request logs received from the client to the server:
>
> 127.0.0.1 - - [13/Sep/2016 10:23:10] "GET /f/services HTTP/1.1" 200 -
> 127.0.0.1 - - [13/Sep/2016 10:23:10] "GET /f/services?prompt=none HTTP/1.1" 200 -
>
> The client is calling a second GET request for a reason that I don't know. Can you explain?
>
> Thank you
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From tmcginnis at glatfelters.com Tue Sep 13 17:09:36 2016
From: tmcginnis at glatfelters.com (Timothy I. McGinnis)
Date: Tue, 13 Sep 2016 21:09:36 +0000
Subject: [keycloak-user] Cannot get SPNEGO authentication working
In-Reply-To: <20160913205213.GC6881@abstractj.org>
References: <44d18d488df84279be911c3a99485246@gig-ex13mbx1.ajga.com> <20160913205213.GC6881@abstractj.org>
Message-ID:

Thanks Bruno. Neither of these really helped. I've been doing a lot more research and now I believe the problem is my browser is sending back a NTLM token instead of the Kerberos ticket. When I run it with fiddler I see the 401 response from keycloak with the WWW-Authenticate: Negotiate header. The next request then sends the Authorization: Negotiate TIRMTVNT..... I believe this is the NTLM token since it starts with TIRM.

We are using JDK 1.8u31, windows 2012 on the keycloak server, and windows 2008 R2 on the AD server and keycloak 2.0.0 Final

-----Original Message-----
From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Tuesday, September 13, 2016 4:52 PM
To: Timothy I. McGinnis
Cc: 'keycloak-user at lists.jboss.org'
Subject: Re: [keycloak-user] Cannot get SPNEGO authentication working

Hi Timothy, I found something related to your issue here[1]. There's also some old discussion about it[2]. If that does not help, please provide more details about your setup like: JDK, Keycloak and Windows version.

[1] - http://stackoverflow.com/questions/2973355/defective-token-deteced-error-ntlm-not-kerberos-with-kerberos-spring-securit
[2] - https://issues.jboss.org/browse/KEYCLOAK-828

On 2016-09-13, Timothy I. McGinnis wrote:
> Hello,
>
> I am trying to set up SPNEGO authentication through Keycloak. I have
> installed Keycloak on a windows server, configured a client as shown
> below and set up the realm in jboss. But I consistently receive the
> error message GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag). I am using IE 11, and the url
> for the web app is
> https://gig-jboss-dev.ajga.com:8443/CBN
>
> [cid:image001.png at 01D20DA5.5995CC40]
> JBoss web app configuration in standalone.xml
> ======================================================
>
>
>
> master
> CBN
> true
> (key from keycloak)
> http://gig-msnet-dev.ajga.com:8080/auth
> EXTERNAL
>
>
>
> Log file from keycloak server
> ========================================================
>
> 2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:\temp\keycloak.keytab refreshKrb5Config is false principal is HTTP/gig-msnet-dev.ajga.com at AJGA.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2016-09-13 10:47:31,792 INFO [stdout] (default task-19) principal is HTTP/gig-msnet-dev.ajga.com at AJGA.COM
> 2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Will use keytab
> 2016-09-13 10:47:31,807 INFO [stdout] (default task-19) Commit Succeeded
> 2016-09-13 10:47:31,807 INFO [stdout] (default task-19)
> 2016-09-13 10:47:31,807 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-19) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> at java.security.AccessController.doPrivileged(Native Method)
> at
javax.security.auth.Subject.doAs(Subject.java:422) > at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:70) > at org.keycloak.federation.kerberos.KerberosFederationProvider.validCredentials(KerberosFederationProvider.java:209) > at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:549) > at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183) > at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792) > at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667) > at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:160) > at sun.reflect.GeneratedMethodAccessor360.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:483) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at 
java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:174)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:137)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:127)
> ... 60 more
>
> 2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: Entering logout
> 2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: logged out Subject
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From andy.stebbing at adelaide.edu.au Wed Sep 14 02:52:37 2016
From: andy.stebbing at adelaide.edu.au (Andy Stebbing)
Date: Wed, 14 Sep 2016 06:52:37 +0000
Subject: [keycloak-user] OpenID Connect Clients and Roles
Message-ID: <63AAB40440E1504E9FE1925114858CD05ABABDB0@mailmb14.ad.adelaide.edu.au>

Hi,

I'm fairly new to OpenID Connect and Keycloak (using version 2.2.0-CR1 and RedHat SSO v7), I've managed to get a client working with a realm within Keycloak. I've configured the client in the realm using a shared key and have configured my remote client accordingly.
It works fine for authentication and I'm getting the standard claims back. But I don't know how to get the roles associated with the user to come through.

I can see in the endpoint OpenID connect configuration on the server that the following claims are supported:

    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "claims_supported": [
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email"
    ]

Does this mean that it's not possible to get the roles from the userinfo call? Or if it is possible, how do I configure it to be supported?

Any help is very much appreciated!

Thanks
andy

From fmontadamt at gmail.com Wed Sep 14 03:10:30 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Wed, 14 Sep 2016 00:10:30 -0700
Subject: [keycloak-user] Property 'databaseSchema' needs to be specified in the configuration
Message-ID:

Hi team

we are running Keycloak 2.1.0-Final version using mongo DB but it is not working, we are getting the error below

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-3) Failed to make identity provider oauth callback: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration

we have the correct configuration listed on the documentation, but it is not working
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/mongo.html

We also see that another person got the same error,
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006007.html

This is our keycloak-server.json configuration

{
    "providers": [
        "classpath:${jboss.home.dir}/providers/*"
    ],
    "admin": {
        "realm": "master"
    },
    "eventsStore": {
        "provider": "mongo",
        "mongo": {
            "exclude-events": [ "REFRESH_TOKEN" ]
        }
    },
    "realm": {
        "provider": "mongo"
    },
    "user": {
        "provider": "mongo"
    },
    "userCache": {
        "default" : {
            "enabled": true
        }
    },
    "userSessionPersister": {
        "provider": "mongo"
    },
    "authorizationPersister": {
        "provider": "mongo"
    },
    "timer": {
        "provider": "basic"
    },
    "theme": {
        "staticMaxAge": 2592000,
        "cacheTemplates": true,
        "cacheThemes": true,
        "folder": {
            "dir": "${jboss.home.dir}/themes"
        }
    },
    "scheduled": {
        "interval": 900
    },
    "connectionsHttpClient": {
        "default": {}
    },
    "connectionsMongo": {
        "default": {
            "host": "10.0.22.56",
            "port": "27017",
            "db": "ondbook",
            "user": "appUser",
            "password" : "password",
            "connectionsPerHost": 100,
            "databaseSchema": "update",
            "schema": "2.1.0.Final"
        }
    },
    "realmCache": {
        "default" : {
            "enabled": true
        }
    },
    "connectionsInfinispan": {
        "provider": "default",
        "default": {
            "cacheContainer" : "java:comp/env/infinispan/Keycloak"
        }
    }
}

Another problem is that we do not know why the logs are showing a JPA connection when we configured Mongo

Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:132)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:62)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:50)

Could someone help us

Thanks
Francisco

From Edgar at info.nl Wed Sep 14 03:41:30 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 14 Sep 2016 07:41:30 +0000
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
In-Reply-To:
References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com>
Message-ID:

Hi Marek,

Very sorry, this was our fault.
We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue. We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the ?Configure - User Federation? menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them I think). Maybe any ideas on how to make sure these users no longer get access to Configure - User Federation? cheers Edgar > On 08 Sep 2016, at 14:04, Marek Posolda wrote: > > Hi Edgar, > > I was trying to reproduce, but wasn't able. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users /{userId} so I understand why it fails. But I am not seeing anything in admin console UI, which invokes it from this format. > > Feel free to create JIRA if you find steps to reproduce it from clean KC. > > Marek > > On 07/09/16 13:33, Edgar Vonk - Info.nl wrote: >> Hi Marek, >> >> It?s the brute force detection REST endpoint that is causing the issue. >> >> /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar at info.nl >> >> gives a: ?Failed to load resource: the server responded with a status of 405 (Method Not Allowed)" >> >> >>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl wrote: >>> >>> Hi Marek, >>> >>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately. >>> >>> Will try to find the endpoint in question and report back! >>> >>> cheers >>> >>>> On 07 Sep 2016, at 11:24, Marek Posolda wrote: >>>> >>>> I guess you need to add "view-users" role as well? >>>> >>>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires. 
>>>> 
>>>> Marek
>>>> 
>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote:
>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role) whenever I click on a user in the Keycloak admin interface (Manage - Users) I get a "Error! An unexpected server error has occurred" with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems.
>>>>> 
>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something?
>>>>> 
>>>>> 
>>>>> 08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header
>>>>>     at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377)
>>>>>     at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116)
>>>>>     at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>>>>>     at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
>>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>> 
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> 
>>> 
> 

From tinjoy_6 at yahoo.com Wed Sep 14 04:02:01 2016
From: tinjoy_6 at yahoo.com (Tin)
Date: Wed, 14 Sep 2016 16:02:01 +0800
Subject: [keycloak-user] How to programatically detect if a user is temporarily disabled or locked

Hi,

I need to display in my java application if a user is locked or temporarily disabled. I am using keycloak-admin-client. Your help is very much appreciated. I have searched the internet but there is no clear explanation on how to do this.

Thanks!

From mposolda at redhat.com Wed Sep 14 04:20:43 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Sep 2016 10:20:43 +0200
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com>

It seems that for view/update UserFederation, we currently require permissions to "view-users" or "manage-users". This looks like a bug as admin, who is able just to manage users, shouldn't be allowed to manage user federation providers. It seems this should either be "view-realm" or "manage-realm" or separate dedicated roles for user federation providers.

Could you please create JIRA?

Thanks,
Marek

On 14/09/16 09:41, Edgar Vonk - Info.nl wrote:
> Hi Marek,
> 
> Very sorry, this was our fault. We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue.
> 
> We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the "Configure - User Federation" menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them I think). Maybe any ideas on how to make sure these users no longer get access to Configure - User Federation?
> 
> cheers
> 
> Edgar

From aman.jaiswal at arvindinternet.com Wed Sep 14 04:42:53 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 14:12:53 +0530
Subject: [keycloak-user] Error in parsing

Hi

I am getting the following error while starting a server:

ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
    at org.jboss.as.server.ServerService.boot(ServerService.java:356)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[133,5]
Message: Unexpected element '{urn:jboss:domain:batch:1.0}subsystem'
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
    at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
    at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
    at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
    at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
    ... 3 more

-- 
Thanks,
Aman Jaiswal

From fmontadamt at gmail.com Wed Sep 14 04:58:56 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Wed, 14 Sep 2016 01:58:56 -0700
Subject: [keycloak-user] Property 'databaseSchema' needs to be specified in the configuration

Hi Dean

We are running Keycloak 2.1.0-Final version using mongo DB but it is not working, we are getting the error below:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-3) Failed to make identity provider oauth callback: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration

We have the correct configuration listed on the documentation, but it is not working:
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/mongo.html

We also see that another person got the same error:
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006007.html

This is our keycloak-server.json configuration:

{
    "providers": [
        "classpath:${jboss.home.dir}/providers/*"
    ],
    "admin": {
        "realm": "master"
    },
    "eventsStore": {
        "provider": "mongo",
        "mongo": {
            "exclude-events": [ "REFRESH_TOKEN" ]
        }
    },
    "realm": {
        "provider": "mongo"
    },
    "user": {
        "provider": "mongo"
    },
    "userCache": {
        "default" : {
            "enabled": true
        }
    },
    "userSessionPersister": {
        "provider": "mongo"
    },
    "authorizationPersister": {
        "provider": "mongo"
    },
    "timer": {
        "provider": "basic"
    },
    "theme": {
        "staticMaxAge": 2592000,
        "cacheTemplates": true,
        "cacheThemes": true,
        "folder": {
            "dir": "${jboss.home.dir}/themes"
        }
    },
    "scheduled": {
        "interval": 900
    },
    "connectionsHttpClient": {
        "default": {}
    },
    "connectionsMongo": {
        "default": {
            "host": "10.0.22.56",
            "port": "27017",
            "db": "ondbook",
            "user": "appUser",
            "password" : "password",
            "connectionsPerHost": 100,
            "databaseSchema": "update",
            "schema": "2.1.0.Final"
        }
    },
    "realmCache": {
        "default" : {
            "enabled": true
        }
    },
    "connectionsInfinispan": {
        "provider": "default",
        "default": {
            "cacheContainer" : "java:comp/env/infinispan/Keycloak"
        }
    }
}

Another problem is that we do not know why the logs are showing a JPA connection when we configured Mongo:

Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:132)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:62)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:50)

Could you help us?

Thanks

From imbacen at gmail.com Wed Sep 14 05:30:22 2016
From: imbacen at gmail.com (cen)
Date: Wed, 14 Sep 2016 11:30:22 +0200
Subject: [keycloak-user] Configuring KC adapter through ENV/programatically

Hi

We have a Java REST microservice which is configured as a whole through environment variables and deployed in Docker. We can't provide production keycloak.json at Docker build time because then it becomes a specific container for a specific deployment. We want to keep the container unconfigured and neutral, ready to be deployed with any Keycloak server. At the moment we have an additional step in production deployment that copies the correct keycloak.json into a running Docker container and restarts it.
Ideally though, we would like to provide keycloak.json through an environment variable or load it dynamically from etcd/zookeeper/similar. Is it possible to somehow configure the Keycloak adapter at runtime?

Best regards, cen

From aman.jaiswal at arvindinternet.com Wed Sep 14 05:42:00 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 15:12:00 +0530
Subject: [keycloak-user] Current event not START_ELEMENT error in keycloak-2.1.0.Final

Hi

I am trying to run keycloak-2.1.0.Final and getting the following error, please help me to solve this...

/home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --debug --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=[access key redacted] -Djgroups.s3.secret_access_key=[secret access key redacted] -Djgroups.management.address=$ip
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final

  JAVA: java

  JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n

=========================================================================

Listening for transport dt_socket at address: 8787
09:33:56,270 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
09:33:56,530 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
09:33:56,626 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting
09:33:57,251 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
    at org.jboss.as.server.ServerService.boot(ServerService.java:356)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Current event not START_ELEMENT
    at com.ctc.wstx.sr.BasicStreamReader.getAttributeValue(BasicStreamReader.java:625)
    at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.getAttributeValue(XMLExtendedStreamReaderImpl.java:240)
    at org.jboss.as.controller.parsing.ParseUtils.invalidAttributeValue(ParseUtils.java:150)
    at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:119)
    at org.jboss.as.server.parsing.StandaloneXml$DefaultExtensionHandler.parseExtensions(StandaloneXml.java:126)
    at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:218)
    at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
    ... 3 more
09:33:57,253 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
09:33:57,302 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
09:33:57,336 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) stopped in 12ms
ubuntu@ip-10-1-6-128:~$ emacs keycloak/keycloak-2.1.0.Final/standalone/configuration/standalone-ha.xml
ubuntu@ip-10-1-6-128:~$

-- 
Thanks,
Aman Jaiswal
From sthorger at redhat.com Wed Sep 14 06:04:42 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 12:04:42 +0200
Subject: [keycloak-user] Current event not START_ELEMENT error in keycloak-2.1.0.Final

There's something wrong in your standalone-ha.xml file. Looks like it might not even be valid XML. I'd suggest start with the provided standalone-ha.xml then apply your changes one by one to identify where the problem lies.

On 14 September 2016 at 11:42, Aman Jaiswal wrote:
> Hi
> 
> I am trying to run keycloak-2.1.0.Final and getting the following error, please help me to solve this...
> 
> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --debug --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=[access key redacted] -Djgroups.s3.secret_access_key=[secret access key redacted] -Djgroups.management.address=$ip
> 
> =========================================================================
> 
>   JBoss Bootstrap Environment
> 
>   JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final
> 
>   JAVA: java
> 
>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> 
> =========================================================================
> 
> Listening for transport dt_socket at address: 8787
> 09:33:56,270 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> 09:33:56,530 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 09:33:56,626 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting
> 09:33:57,251 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
> Caused by: java.lang.IllegalStateException: Current event not START_ELEMENT
> 09:33:57,253 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> 09:33:57,302 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> 09:33:57,336 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) stopped in 12ms
> ubuntu@ip-10-1-6-128:~$ emacs keycloak/keycloak-2.1.0.Final/standalone/configuration/standalone-ha.xml
> ubuntu@ip-10-1-6-128:~$
> 
> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --debug --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=[access key redacted] -Djgroups.s3.secret_access_key=[secret access key redacted] -Djgroups.management.address=$ip
> =========================================================================
> 
>   JBoss Bootstrap Environment
> 
>   JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final
> 
>   JAVA: java
> 
>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> 
> =========================================================================
> 
> Listening for transport dt_socket at address: 8787
> 09:33:56,270 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> 09:33:56,530 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 09:33:56,626 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting
> 09:33:57,251 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.
> persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to > parse configuration > at org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:131) > at org.jboss.as.server.ServerService.boot(ServerService.java:356) > at org.jboss.as.controller.AbstractControllerService$1. > run(AbstractControllerService.java:299) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.lang.IllegalStateException: Current event not > START_ELEMENT > at com.ctc.wstx.sr.BasicStreamReader.getAttributeValue( > BasicStreamReader.java:625) > at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.getAttributeValue( > XMLExtendedStreamReaderImpl.java:240) > at org.jboss.as.controller.parsing.ParseUtils.invalidAttributeValue( > ParseUtils.java:150) > at org.jboss.as.controller.parsing.ExtensionXml. > parseExtensions(ExtensionXml.java:119) > at org.jboss.as.server.parsing.StandaloneXml$DefaultExtensionHandler. > parseExtensions(StandaloneXml.java:126) > at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement( > StandaloneXml_4.java:218) > at org.jboss.as.server.parsing.StandaloneXml_4.readElement( > StandaloneXml_4.java:141) > at org.jboss.as.server.parsing.StandaloneXml.readElement( > StandaloneXml.java:103) > at org.jboss.as.server.parsing.StandaloneXml.readElement( > StandaloneXml.java:49) > at org.jboss.staxmapper.XMLMapperImpl.processNested( > XMLMapperImpl.java:110) > at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > at org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:123) > ... 3 more > > 09:33:57,253 FATAL [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. > See previous messages for details. > 09:33:57,302 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server > shutdown has been requested. 
> 09:33:57,336 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: > Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) stopped in 12ms > ubuntu at ip-10-1-6-128:~$ emacs keycloak/keycloak-2.1.0.Final/ > standalone/configuration/standalone-ha.xmlubuntu at ip-10-1-6-128:~$ > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/3a6351f7/attachment-0001.html From Edgar at info.nl Wed Sep 14 06:24:41 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Wed, 14 Sep 2016 10:24:41 +0000 Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user In-Reply-To: References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com> Message-ID: <8157E3FC-1066-4D09-BBFF-F9481F0E63A9@info.nl> Ok, thanks! I created https://issues.jboss.org/browse/KEYCLOAK-3576 > On 14 Sep 2016, at 10:20, Marek Posolda wrote: > > It seems that for view/update UserFederation, we currently require permissions to "view-users" or "manage-users" . This looks like a bug as admin, who is able just to manage users, shouldn't be allowed to manage user federation providers. It seems this should either be "view-realm" or "manage-realm" or separate dedicated roles for user federation providers. > > Could you please create JIRA? > > Thanks, > Marek > > On 14/09/16 09:41, Edgar Vonk - Info.nl wrote: >> Hi Marek, >> >> Very sorry, this was our fault. We were using an outdated and customized version of the users.js file from Keycloak in our theme and this was causing the issue. >> >> We do now see a somewhat related issue in that our user admin accounts (with the manage-users realm-management role) now also see the ?Configure - User Federation? menu item and are actually able to change some (but not all) settings in our user federation (and can even delete them I think). 
Maybe any ideas on how to make sure these users no longer get access to Configure - User Federation? >> >> cheers >> >> Edgar >> >> >>> On 08 Sep 2016, at 14:04, Marek Posolda wrote: >>> >>> Hi Edgar, >>> >>> I was trying to reproduce, but wasn't able. The expected format to invoke this endpoint should be /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users /{userId} so I understand why it fails. But I am not seeing anything in admin console UI, which invokes it from this format. >>> >>> Feel free to create JIRA if you find steps to reproduce it from clean KC. >>> >>> Marek >>> >>> On 07/09/16 13:33, Edgar Vonk - Info.nl wrote: >>>> Hi Marek, >>>> >>>> It?s the brute force detection REST endpoint that is causing the issue. >>>> >>>> /auth/admin/realms/our-custom-realm/attack-detection/brute-force/users?username=edgar at info.nl >>>> >>>> gives a: ?Failed to load resource: the server responded with a status of 405 (Method Not Allowed)" >>>> >>>> >>>>> On 07 Sep 2016, at 12:27, Edgar Vonk - Info.nl wrote: >>>>> >>>>> Hi Marek, >>>>> >>>>> Thanks for the quick reply. Sorry, forgot to mention that: I did also add the view-users role. However the issue remains unfortunately. >>>>> >>>>> Will try to find the endpoint in question and report back! >>>>> >>>>> cheers >>>>> >>>>>> On 07 Sep 2016, at 11:24, Marek Posolda wrote: >>>>>> >>>>>> I guess you need to add "view-users" role as well? >>>>>> >>>>>> For tracking, you can try to enable FF plugin like Firebug (or similar in Chrome) and see what REST endpoint exactly returns 405 and what role it requires. >>>>>> >>>>>> Marek >>>>>> >>>>>> On 07/09/16 10:55, Edgar Vonk - Info.nl wrote: >>>>>>> Using a specific user admin account that is part of our Keycloak customers realm (not the master realm) with permissions to edit users only (manage-users realm-management role) whenever I click on a user in the Keycloak admin interface (Manage - Users) I get a "Error! An unexpected server error has occurred? 
with the stacktrace below in the logs. All actions do seem to work properly however. It also happens when I create a user, but also there the user is created just fine it seems. >>>>>>> >>>>>>> I am guessing it is a permission issue on some REST endpoint in the admin interface or something? >>>>>>> >>>>>>> >>>>>>> [0m08:14:06,715 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-40) RESTEASY002010: Failed to execute: javax.ws.rs.NotAllowedException: RESTEASY003650: No resource method found for GET, return 405 with Allow header >>>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:377) >>>>>>> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:116) >>>>>>> at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43) >>>>>>> at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79) >>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129) >>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >>>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) >>>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) >>>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>>>> at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>>>>> at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> 
From sthorger at redhat.com Wed Sep 14 07:16:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 13:16:25 +0200
Subject: [keycloak-user] "Error! An unexpected server error has occurred" in Keycloak admin interface when retrieving a user
In-Reply-To: <8157E3FC-1066-4D09-BBFF-F9481F0E63A9@info.nl>
References: <053AA247-6589-4A18-94CC-F95CDA61704B@info.nl> <675274f4-5732-b94b-5f06-65c05080618f@redhat.com> <8157E3FC-1066-4D09-BBFF-F9481F0E63A9@info.nl>

I changed that to an enhancement request as it's not a bug. It was intended to use the view/manage-users role, but that can be questioned.

On 14 September 2016 at 12:24, Edgar Vonk - Info.nl wrote:
> Ok, thanks! I created https://issues.jboss.org/browse/KEYCLOAK-3576
>
> [...]

From sthorger at redhat.com Wed Sep 14 07:19:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 13:19:41 +0200
Subject: [keycloak-user] Error in parsing

Please don't repeat the same question. See my answer to your other email about the same issue.

On 14 September 2016 at 10:42, Aman Jaiswal wrote:
> Hi
> I am getting the following error while starting a server
>
> ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
>     at org.jboss.as.server.ServerService.boot(ServerService.java:356)
>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[133,5]
> Message: Unexpected element '{urn:jboss:domain:batch:1.0}subsystem'
>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
>     at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
>     at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
>     at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
>     at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
>     ... 3 more
>
>
> --
> Thanks,
> Aman Jaiswal
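Stian's advice in both of Aman's threads above is to go back to the stock standalone-ha.xml and re-apply changes one at a time. The following is an added example, not code from the thread or from the Keycloak or WildFly projects: it reports where a hand-edited file stops being well-formed XML (the '[row,col]' in the second trace), flags anything under <extensions> that is not an <extension module="..."> (the element the first trace fails in while parsing extensions), and lists extension modules and subsystem namespaces that differ from the stock file, such as a subsystem pasted from another server release (the 'Unexpected element' in the second trace is the server finding no registered parser for that subsystem's namespace). The sample file contents, namespaces and module names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError


def _namespace(tag):
    """Namespace URI of an ElementTree tag such as '{urn:jboss:domain:4.0}server'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag):
    """Local name of an ElementTree tag (the part after the namespace)."""
    return tag.rsplit("}", 1)[-1]


def parse_config(text):
    """Return (root, None) for well-formed XML, else (None, finding) with the
    row/col the parser stopped at, like the '[row,col]' in the trace above."""
    try:
        return ET.fromstring(text), None
    except ParseError as exc:
        row, col = exc.position
        return None, "not well-formed XML at row %d, col %d: %s" % (row, col, exc)


def extension_modules(root):
    """Modules declared under <extensions>, plus findings for any child that is
    not <extension module="...">, the only shape the extension parser accepts."""
    modules, findings = [], []
    for element in root.iter():
        if _local(element.tag) != "extensions":
            continue
        for child in element:
            if _local(child.tag) != "extension":
                findings.append("<extensions> contains <%s>, expected <extension>" % _local(child.tag))
            elif "module" not in child.attrib:
                findings.append("<extension> without a module attribute")
            else:
                modules.append(child.attrib["module"])
    return modules, findings


def subsystem_namespaces(root):
    """Namespaces of every <subsystem> directly under a <profile>."""
    return sorted({_namespace(sub.tag)
                   for profile in root.iter() if _local(profile.tag) == "profile"
                   for sub in profile if _local(sub.tag) == "subsystem"})


def lint(stock_xml, modified_xml):
    """Compare a hand-edited config with the stock one from the distribution.
    Returns a list of findings (empty when nothing fired); a parse error stops
    the comparison, just as it stops the server."""
    modified, err = parse_config(modified_xml)
    if err:
        return [err]
    stock, err = parse_config(stock_xml)
    if err:
        return ["stock config: " + err]
    modified_modules, findings = extension_modules(modified)
    stock_modules, _ = extension_modules(stock)
    for module in sorted(set(modified_modules) - set(stock_modules)):
        findings.append("extension module not in stock config: " + module)
    for module in sorted(set(stock_modules) - set(modified_modules)):
        findings.append("stock extension module missing: " + module)
    stock_namespaces = set(subsystem_namespaces(stock))
    for namespace in subsystem_namespaces(modified):
        if namespace not in stock_namespaces:
            findings.append("subsystem namespace not in stock config: " + namespace)
    return findings


# Constructed samples, not copied from the thread; namespaces and module names
# are assumed to resemble a WildFly 10 era standalone-ha.xml.
STOCK_XML = """<server xmlns="urn:jboss:domain:4.0">
  <extensions>
    <extension module="org.jboss.as.logging"/>
    <extension module="org.wildfly.extension.batch.jberet"/>
  </extensions>
  <profile>
    <subsystem xmlns="urn:jboss:domain:logging:3.0"/>
    <subsystem xmlns="urn:jboss:domain:batch-jberet:1.0"/>
  </profile>
</server>"""

# Hand-edited copy: a <subsystem> pasted from an older server release and a
# stray element under <extensions>.
MODIFIED_XML = STOCK_XML.replace(
    '    <extension module="org.wildfly.extension.batch.jberet"/>\n',
    '    <extension module="org.wildfly.extension.batch.jberet"/>\n'
    '    <module name="org.example.custom"/>\n',
).replace("batch-jberet:1.0", "batch:1.0")

# Copy with an unclosed <extension> tag, so it is not XML at all (fails at row 5).
BROKEN_XML = STOCK_XML.replace('"org.jboss.as.logging"/>', '"org.jboss.as.logging">')

if __name__ == "__main__":
    for finding in lint(STOCK_XML, MODIFIED_XML) + lint(STOCK_XML, BROKEN_XML):
        print(finding)
```

To use it on a real installation, read the distribution's original standalone-ha.xml and the edited copy into strings and pass them to lint() in that order.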
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/38a155b1/attachment.html From sthorger at redhat.com Wed Sep 14 07:23:31 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Sep 2016 13:23:31 +0200 Subject: [keycloak-user] Property 'databaseSchema' needs to be specified in the configuration In-Reply-To: References: Message-ID: I think this is already fixed in 2.2.0.CR1. Can you try that instead? On 14 September 2016 at 10:58, Francisco Montada wrote: > Hi Dean > we are running Keycloak 2.1.0-Final version using mongo DB but it is not > working, we are getting the error below > > ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default > task-3) Failed to make identity provider oauth callback: > java.lang.RuntimeException: Property 'databaseSchema' needs to be specified > in the configuration > > we have the correct configuration listed on the documentation, but it is > not working > https://keycloak.gitbooks.io/server-installation-and-configu > ration/content/v/2.1/topics/mongo.html > > We also see that other person got the same error, > http://lists.jboss.org/pipermail/keycloak-user/2016-May/006007.html > > > This is our keycloak-server.json configuration > > { > > "providers": [ > > "classpath:${jboss.home.dir}/providers/*" > > ], > > > "admin": { > > "realm": "master" > > }, > > > "eventsStore": { > > "provider": "mongo", > > "mongo": { > > "exclude-events": [ "REFRESH_TOKEN" ] > > } > > }, > > > "realm": { > > "provider": "mongo" > > }, > > > "user": { > > "provider": "mongo" > > }, > > > "userCache": { > > "default" : { > > "enabled": true > > } > > }, > > > "userSessionPersister": { > > "provider": "mongo" > > }, > > > "authorizationPersister": { > > "provider": "mongo" > > }, > > > "timer": { > > "provider": "basic" > > }, > > > "theme": { > > "staticMaxAge": 2592000, > > "cacheTemplates": true, > > "cacheThemes": true, > > "folder": { > > "dir": "${jboss.home.dir}/themes" > > } > > }, > > > "scheduled": 
{ > > "interval": 900 > > }, > > > "connectionsHttpClient": { > > "default": {} > > }, > > > "connectionsMongo": { > > "default": { > > "host": "10.0.22.56", > > "port": "27017", > > "db": "ondbook", > > "user": "appUser", > > "password" : "password", > > "connectionsPerHost": 100, > > "databaseSchema": "update", > > "schema": "2.1.0.Final" > > } > > }, > > > "realmCache": { > > "default" : { > > "enabled": true > > } > > }, > > > "connectionsInfinispan": { > > "provider": "default", > > "default": { > > "cacheContainer" : "java:comp/env/infinispan/Keycloak" > > } > > } > > } > > > Other problem is that we do not know why the logs is showing JPA > connection when we config Mongo > > > Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to > be specified in the configuration > > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac > tory.lazyInit(DefaultJpaConnectionProviderFactory.java:132) > > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac > tory.create(DefaultJpaConnectionProviderFactory.java:62) > > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac > tory.create(DefaultJpaConnectionProviderFactory.java:50) > > > Could you help us > > Thanks > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/e62b249c/attachment.html From sthorger at redhat.com Wed Sep 14 07:24:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Sep 2016 13:24:50 +0200 Subject: [keycloak-user] IP Address based default user In-Reply-To: References: <97da3065-998b-b7d6-79f7-e6747f9ed7d1@redhat.com> Message-ID: Well... 
No chance we'll add that out of the box ;) Simple to implement yourself
though, see
https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

On 13 September 2016 at 16:48, Jess Sightler wrote:
> Well, this be insecurity by design. :) Basically we would like to turn off
> security completely in some cases for local installations, but this brings
> a lot of deployment related considerations (multiple descriptors,
> conditional logic around the logged in user, etc).
>
> An authenticator that is essentially just a bypass would accomplish the
> same thing without the additional complexity. It would be similar to a
> default "unauthenticatedIdentity", except with a default role as well.
>
> On 09/13/2016 05:01 AM, Stian Thorgersen wrote:
>
> No there isn't anything like that. Sounds like a potential hackers heaven
> as well.
>
> Assuming you've got the idea from WildFly. WildFly can do that by writing
> to a local file to make sure the user is indeed on the local machine. That
> doesn't work in a web based flow unless you can find a way to "share" a
> file between the Keycloak server and the browser.
>
> On 12 September 2016 at 17:17, Jess Sightler wrote:
>
>> Is there a builtin authenticator that can provide a default user account
>> based upon some criteria? For example, could we provide a default user
>> if the client is connecting to localhost?
From sthorger at redhat.com Wed Sep 14 07:28:18 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 13:28:18 +0200
Subject: [keycloak-user] Webpage reloading twice
In-Reply-To: <20160913210838.GD6881@abstractj.org>
References: <20160913210838.GD6881@abstractj.org>

It's standard OIDC stuff. The way it works is:

* user visits app (first page view)
* app is redirected to Keycloak login page
* user is redirected back to app page (second page view)

Further the javascript adapter assumes the app is a single-page app, so it
doesn't store the tokens, so the above flow is repeated for each request
even if the user is already authenticated. You can bypass that if you want
by manually storing the tokens in html5 storage and init the javascript
adapter with it (see the docs for that). Be aware that's a slight security
risk as you're storing the tokens which could potentially be leaked.

On 13 September 2016 at 23:08, Bruno Oliveira wrote:
> Hi Erik, could you provide the steps to reproduce or some code?
>
> On 2016-09-13, Eric Matte wrote:
>> Hi,
>>
>> We are using the Javascript Adapter from Keycloak for our client
>> authentication.
>> However, when accessing a webpage, we receive the information twice.
>>
>> Here are the request logs received from the client to the server:
>>
>> 127.0.0.1 - - [13/Sep/2016 10:23:10] "GET /f/services HTTP/1.1" 200 -
>> 127.0.0.1 - - [13/Sep/2016 10:23:10] "GET /f/services?prompt=none HTTP/1.1" 200 -
>>
>> The client is calling a second GET request for a reason that I don't
>> know. Can you explain?
>>
>> Thank you
>
> --
>
> abstractj
> PGP: 0x84DC9914

From sthorger at redhat.com Wed Sep 14 07:30:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 13:30:47 +0200
Subject: [keycloak-user] Configuring KC adapter through ENV/programatically

What adapter? Java adapters have support to write your own config loader
(see multi-tenancy example). For JavaScript adapter make your web server
dynamically create the keycloak.json.

On 14 September 2016 at 11:30, cen wrote:
> Hi
>
> We have a Java REST microservice which is configured as a whole through
> environment variables and deployed in Docker.
>
> We can't provide production keycloak.json at Docker build time because
> then it becomes a specific container for a specific deployment. We want
> to keep the container unconfigured and neutral, ready to be deployed
> with any Keycloak server.
>
> At the moment we have an additional step in production deployment that
> copies the correct keycloak.json into a running Docker container and
> restarts it.
>
> Ideally though, we would like to provide keycloak.json through an
> environment variable or load it dynamically from etcd/zookeeper/similar.
>
> Is it possible to somehow configure the Keycloak adapter at runtime?
>
> Best regards, cen

From sthorger at redhat.com Wed Sep 14 07:56:53 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 13:56:53 +0200
Subject: [keycloak-user] OpenID Connect Clients and Roles
In-Reply-To: <63AAB40440E1504E9FE1925114858CD05ABABDB0@mailmb14.ad.adelaide.edu.au>
References: <63AAB40440E1504E9FE1925114858CD05ABABDB0@mailmb14.ad.adelaide.edu.au>

Roles are a Keycloak specific extension and are not shown in the OpenID
Connect configuration. They are available in the access token.

On 14 September 2016 at 08:52, Andy Stebbing wrote:
> Hi,
> I'm fairly new to OpenID Connect and Keycloak (using version 2.2.0-CR1
> and RedHat SSO v7). I've managed to get a client working with a realm
> within Keycloak. I've configured the client in the realm using a shared key
> and have configured my remote client accordingly. It works fine for
> authentication and I'm getting the standard claims back. But I don't know
> how to get the roles associated with the user to come through. I can see in
> the endpoint OpenID connect configuration on the server that the following
> claims are supported:
>
> "claim_types_supported": [
>     "normal"
> ],
> "claims_parameter_supported": false,
> "claims_supported": [
>     "sub",
>     "iss",
>     "auth_time",
>     "name",
>     "given_name",
>     "family_name",
>     "preferred_username",
>     "email"
> ]
>
> Does this mean that it's not possible to get the roles from the userinfo
> call? Or if it is possible, how do I configure it to be supported?
>
> Any help is very much appreciated!
>
> Thanks
> andy

From aman.jaiswal at arvindinternet.com Wed Sep 14 08:18:23 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 17:48:23 +0530
Subject: [keycloak-user] About standalone-ha.xml

Hi

Can you please tell me what changes are required in standalone.xml or
standalone-ha.xml file and what they mean? Is there any documentation for
that so I can better understand it?

--
Thanks,
Aman Jaiswal

From keycloaklist at ulise.de Wed Sep 14 08:27:08 2016
From: keycloaklist at ulise.de (Uli SE)
Date: Wed, 14 Sep 2016 14:27:08 +0200
Subject: [keycloak-user] Fwd: Re: bearer token payload
In-Reply-To: <35ca73d5-bd64-6c8c-f0bc-a74940d51dfe@ulise.de>
References: <35ca73d5-bd64-6c8c-f0bc-a74940d51dfe@ulise.de>
Message-ID: <16361f39-98f2-bd5a-9961-e31f93154ab2@ulise.de>

Sorry, not sent to list.

Yes, but the mappers are gone if I choose bearer-only as Access Type.

Any other hint?

Cheers,
Uli

On 10.09.2016 at 13:30, Bill Burke wrote:
>
> Yes. See mappers under your client in the admin console.
>
> On 9/10/16 7:28 AM, Uli SE wrote:
>>
>> Hi,
>>
>> Can I add fields from keycloak profile to the bearer token to get
>> them in a Wildfly-based webservice?
From sthorger at redhat.com Wed Sep 14 08:29:52 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 14:29:52 +0200
Subject: [keycloak-user] About standalone-ha.xml

With all respect, this is the third thread you are starting on the same
issue. Please stick to the original thread.

On 14 September 2016 at 14:18, Aman Jaiswal wrote:
> Hi
>
> Can you please tell me what changes are required in standalone.xml or
> standalone-ha.xml file and what they mean? Is there any documentation for
> that so I can better understand it?
>
> --
> Thanks,
> Aman Jaiswal

From aman.jaiswal at arvindinternet.com Wed Sep 14 08:32:10 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 18:02:10 +0530
Subject: [keycloak-user] About standalone-ha.xml

Sorry for that, I thought I was asking something else which does not belong
to the previous questions.

On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
> With all respect, this is the third thread you are starting on the same
> issue. Please stick to the original thread.
>
> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>
>> Hi
>>
>> Can you please tell me what changes are required in standalone.xml or
>> standalone-ha.xml file and what they mean? Is there any documentation for
>> that so I can better understand it?
>>
>> --
>> Thanks,
>> Aman Jaiswal

--
Thanks,
Aman Jaiswal

From sthorger at redhat.com Wed Sep 14 08:40:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 14:40:05 +0200
Subject: [keycloak-user] About standalone-ha.xml

If you are asking a general question that is not related to your previous
questions from today then the answer is no changes are needed. Just get the
standalone server dist and start it. If you need to do any specific
configuration like setting up a database then you need to configure it
accordingly.

On 14 September 2016 at 14:32, Aman Jaiswal wrote:
> Sorry for that, I thought I was asking something else which does not belong
> to the previous questions.
>
> On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
>
>> With all respect, this is the third thread you are starting on the same
>> issue. Please stick to the original thread.
>>
>> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>>
>>> Hi
>>>
>>> Can you please tell me what changes are required in standalone.xml or
>>> standalone-ha.xml file and what they mean? Is there any documentation for
>>> that so I can better understand it?
>>>
>>> --
>>> Thanks,
>>> Aman Jaiswal
>
> --
> Thanks,
> Aman Jaiswal
From aman.jaiswal at arvindinternet.com Wed Sep 14 09:18:44 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 18:48:44 +0530
Subject: [keycloak-user] About standalone-ha.xml

I want to understand the meaning of all tags which are used in
standalone.xml and standalone-ha.xml so that I can configure them
according to my requirements.

On Wed, Sep 14, 2016 at 6:10 PM, Stian Thorgersen wrote:
> If you are asking a general question that is not related to your previous
> questions from today then the answer is no changes are needed. Just get the
> standalone server dist and start it. If you need to do any specific
> configuration like setting up a database then you need to configure it
> accordingly.
>
> On 14 September 2016 at 14:32, Aman Jaiswal wrote:
>
>> Sorry for that, I thought I was asking something else which does not belong
>> to the previous questions.
>>
>> On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
>>
>>> With all respect, this is the third thread you are starting on the same
>>> issue. Please stick to the original thread.
>>>
>>> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>>>
>>>> Hi
>>>>
>>>> Can you please tell me what changes are required in standalone.xml or
>>>> standalone-ha.xml file and what they mean? Is there any documentation for
>>>> that so I can better understand it?
>>>>
>>>> --
>>>> Thanks,
>>>> Aman Jaiswal
>>
>> --
>> Thanks,
>> Aman Jaiswal

--
Thanks,
Aman Jaiswal
From sthorger at redhat.com Wed Sep 14 09:22:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 15:22:55 +0200
Subject: [keycloak-user] About standalone-ha.xml

Read our docs and WildFly docs and you'll find out. A much better approach
is to figure out what you want to configure (database, ssl, etc.) and
search for help on that.

On 14 September 2016 at 15:18, Aman Jaiswal wrote:
> I want to understand the meaning of all tags which are used in
> standalone.xml and standalone-ha.xml so that I can configure them
> according to my requirements.
>
> On Wed, Sep 14, 2016 at 6:10 PM, Stian Thorgersen wrote:
>
>> If you are asking a general question that is not related to your previous
>> questions from today then the answer is no changes are needed. Just get the
>> standalone server dist and start it. If you need to do any specific
>> configuration like setting up a database then you need to configure it
>> accordingly.
>>
>> On 14 September 2016 at 14:32, Aman Jaiswal wrote:
>>
>>> Sorry for that, I thought I was asking something else which does not belong
>>> to the previous questions.
>>>
>>> On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
>>>
>>>> With all respect, this is the third thread you are starting on the same
>>>> issue. Please stick to the original thread.
>>>>
>>>> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Can you please tell me what changes are required in standalone.xml or
>>>>> standalone-ha.xml file and what they mean? Is there any documentation for
>>>>> that so I can better understand it?
>>>>>
>>>>> --
>>>>> Thanks,
>>>>> Aman Jaiswal
>>>
>>> --
>>> Thanks,
>>> Aman Jaiswal
>
> --
> Thanks,
> Aman Jaiswal

From aman.jaiswal at arvindinternet.com Wed Sep 14 09:25:14 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 18:55:14 +0530
Subject: [keycloak-user] About standalone-ha.xml

I want to configure infinispan in keycloak-server.json

On Wed, Sep 14, 2016 at 6:52 PM, Stian Thorgersen wrote:
> Read our docs and WildFly docs and you'll find out. A much better approach
> is to figure out what you want to configure (database, ssl, etc.) and
> search for help on that.
>
> On 14 September 2016 at 15:18, Aman Jaiswal wrote:
>
>> I want to understand the meaning of all tags which are used in
>> standalone.xml and standalone-ha.xml so that I can configure them
>> according to my requirements.
>>
>> On Wed, Sep 14, 2016 at 6:10 PM, Stian Thorgersen wrote:
>>
>>> If you are asking a general question that is not related to your previous
>>> questions from today then the answer is no changes are needed. Just get the
>>> standalone server dist and start it. If you need to do any specific
>>> configuration like setting up a database then you need to configure it
>>> accordingly.
>>>
>>> On 14 September 2016 at 14:32, Aman Jaiswal wrote:
>>>
>>>> Sorry for that, I thought I was asking something else which does not belong
>>>> to the previous questions.
>>>>
>>>> On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
>>>>
>>>>> With all respect, this is the third thread you are starting on the same
>>>>> issue. Please stick to the original thread.
>>>>>
>>>>> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Can you please tell me what changes are required in standalone.xml or
>>>>>> standalone-ha.xml file and what they mean? Is there any documentation for
>>>>>> that so I can better understand it?
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Aman Jaiswal
>>>>
>>>> --
>>>> Thanks,
>>>> Aman Jaiswal
>>
>> --
>> Thanks,
>> Aman Jaiswal

--
Thanks,
Aman Jaiswal

From sthorger at redhat.com Wed Sep 14 09:29:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Sep 2016 15:29:15 +0200
Subject: [keycloak-user] About standalone-ha.xml

Read the docs

On 14 September 2016 at 15:25, Aman Jaiswal wrote:
> I want to configure infinispan in keycloak-server.json
>
> On Wed, Sep 14, 2016 at 6:52 PM, Stian Thorgersen wrote:
>
>> Read our docs and WildFly docs and you'll find out. A much better approach
>> is to figure out what you want to configure (database, ssl, etc.) and
>> search for help on that.
>>
>> On 14 September 2016 at 15:18, Aman Jaiswal wrote:
>>
>>> I want to understand the meaning of all tags which are used in
>>> standalone.xml and standalone-ha.xml so that I can configure them
>>> according to my requirements.
>>>
>>> On Wed, Sep 14, 2016 at 6:10 PM, Stian Thorgersen wrote:
>>>
>>>> If you are asking a general question that is not related to your previous
>>>> questions from today then the answer is no changes are needed. Just get the
>>>> standalone server dist and start it. If you need to do any specific
>>>> configuration like setting up a database then you need to configure it
>>>> accordingly.
>>>>
>>>> On 14 September 2016 at 14:32, Aman Jaiswal wrote:
>>>>
>>>>> Sorry for that, I thought I was asking something else which does not belong
>>>>> to the previous questions.
>>>>>
>>>>> On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
>>>>>
>>>>>> With all respect, this is the third thread you are starting on the same
>>>>>> issue. Please stick to the original thread.
>>>>>>
>>>>>> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> Can you please tell me what changes are required in standalone.xml or
>>>>>>> standalone-ha.xml file and what they mean? Is there any documentation for
>>>>>>> that so I can better understand it?
>>>>>>>
>>>>>>> --
>>>>>>> Thanks,
>>>>>>> Aman Jaiswal
>>>>>
>>>>> --
>>>>> Thanks,
>>>>> Aman Jaiswal
>>>
>>> --
>>> Thanks,
>>> Aman Jaiswal
>
> --
> Thanks,
> Aman Jaiswal

From aman.jaiswal at arvindinternet.com Wed Sep 14 11:12:07 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 20:42:07 +0530
Subject: [keycloak-user] About standalone-ha.xml

I already did and didn't find anything useful for me.

On Wed, Sep 14, 2016 at 6:59 PM, Stian Thorgersen wrote:
> Read the docs
>
> On 14 September 2016 at 15:25, Aman Jaiswal wrote:
>
>> I want to configure infinispan in keycloak-server.json
>>
>> On Wed, Sep 14, 2016 at 6:52 PM, Stian Thorgersen wrote:
>>
>>> Read our docs and WildFly docs and you'll find out. A much better approach
>>> is to figure out what you want to configure (database, ssl, etc.) and
>>> search for help on that.
>>>
>>> On 14 September 2016 at 15:18, Aman Jaiswal wrote:
>>>
>>>> I want to understand the meaning of all tags which are used in
>>>> standalone.xml and standalone-ha.xml so that I can configure them
>>>> according to my requirements.
>>>>
>>>> On Wed, Sep 14, 2016 at 6:10 PM, Stian Thorgersen wrote:
>>>>
>>>>> If you are asking a general question that is not related to your previous
>>>>> questions from today then the answer is no changes are needed. Just get the
>>>>> standalone server dist and start it. If you need to do any specific
>>>>> configuration like setting up a database then you need to configure it
>>>>> accordingly.
>>>>>
>>>>> On 14 September 2016 at 14:32, Aman Jaiswal wrote:
>>>>>
>>>>>> Sorry for that, I thought I was asking something else which does not belong
>>>>>> to the previous questions.
>>>>>>
>>>>>> On Wed, Sep 14, 2016 at 5:59 PM, Stian Thorgersen wrote:
>>>>>>
>>>>>>> With all respect, this is the third thread you are starting on the same
>>>>>>> issue. Please stick to the original thread.
>>>>>>>
>>>>>>> On 14 September 2016 at 14:18, Aman Jaiswal wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> Can you please tell me what changes are required in standalone.xml or
>>>>>>>> standalone-ha.xml file and what they mean? Is there any documentation for
>>>>>>>> that so I can better understand it?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>> Aman Jaiswal
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Aman Jaiswal
>>>>
>>>> --
>>>> Thanks,
>>>> Aman Jaiswal
>>
>> --
>> Thanks,
>> Aman Jaiswal

--
Thanks,
Aman Jaiswal
From aman.jaiswal at arvindinternet.com Wed Sep 14 12:50:35 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Wed, 14 Sep 2016 22:20:35 +0530
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache

Hi

I am getting the following error when trying to integrate infinispan with keycloak

/home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=[AWS access key redacted] -Djgroups.s3.secret_access_key=[AWS secret access key redacted] -Djgroups.management.address=$ipkeycloakdevadmin
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final

  JAVA: java

  JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

16:16:59,292 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
16:16:59,556 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
16:16:59,648 INFO  [org.jboss.as] (MSC service thread 1-3) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting
16:17:01,235 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
16:17:01,618 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
16:17:01,647 INFO  [org.xnio] (MSC service thread 1-2) XNIO version 3.3.4.Final
16:17:01,674 INFO  [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.3.4.Final
16:17:01,740 INFO  [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 4.0.18.Final
16:17:01,786 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
16:17:01,792 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
16:17:01,794 INFO  [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
16:17:01,811 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
16:17:01,846 INFO  [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
16:17:01,875 INFO  [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
16:17:01,901 INFO  [org.jboss.as.connector] (MSC service thread 1-3) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
16:17:01,907 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = mysql
16:17:01,908 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = h2
16:17:01,912 INFO  [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
16:17:02,026 INFO  [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
16:17:02,050 INFO  [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
16:17:02,066 INFO  [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final
16:17:02,072 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting
16:17:02,078 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting
16:17:02,112 INFO  [org.jboss.as.naming] (MSC service thread 1-4) WFLYNAM0003: Starting Naming Service
16:17:02,113 INFO  [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
16:17:02,394 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
16:17:02,404 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.
16:17:02,442 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
16:17:02,515 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 10.1.3.93:8080
16:17:02,523 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on 10.1.3.93:8009
16:17:02,527 INFO  [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
16:17:02,542 INFO  [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
16:17:03,071 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
16:17:03,304 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
16:17:03,627 INFO  [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4)
16:17:08,079 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000078: Starting JGroups channel keycloak
16:17:08,080 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel server
16:17:08,081 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel hibernate
16:17:08,081 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
16:17:08,096 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
16:17:08,096 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
16:17:08,096 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
16:17:08,098 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
16:17:08,101 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
16:17:08,102 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
16:17:08,105 INFO  [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
16:17:08,108 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
16:17:08,108 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
16:17:08,147 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel ejb
16:17:08,150 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
16:17:08,150 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
16:17:08,473 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from keycloak container
16:17:08,482 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak container
16:17:08,487 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
16:17:08,491 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures cache from keycloak container
16:17:08,492 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache from keycloak container
16:17:08,494 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from keycloak container
16:17:09,206 INFO  [org.keycloak.services] (ServerService Thread Pool -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/configuration/keycloak-server.json
16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 66) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ...
6 more Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory.java:96) at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:75) at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:244) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:78) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 19 more 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache"}} 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 
16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with errors) in 10846ms - Started 475 of 853 services (2 services failed or missing dependencies, 588 services are lazy, passive or on-demand) -- Thanks, Aman Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/24b4d321/attachment-0001.html From andy.stebbing at adelaide.edu.au Wed Sep 14 19:52:45 2016 From: andy.stebbing at adelaide.edu.au (Andy Stebbing) Date: Wed, 14 Sep 2016 23:52:45 +0000 Subject: [keycloak-user] OpenID Connect Clients and Roles In-Reply-To: References: <63AAB40440E1504E9FE1925114858CD05ABABDB0@mailmb14.ad.adelaide.edu.au> Message-ID: <63AAB40440E1504E9FE1925114858CD05ABACF4D@mailmb14.ad.adelaide.edu.au> Thanks very much for that info. I?ve managed to get it from the token, didn?t realise it had that information in there. I used this tool: https://jwt.io/ to decode the token for testing. 
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, 14 September 2016 9:27 PM
To: Andy Stebbing
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] OpenID Connect Clients and Roles

Roles are a Keycloak specific extension and are not shown in the OpenID Connect configuration. They are available in the access token.

On 14 September 2016 at 08:52, Andy Stebbing wrote:

Hi,

I'm fairly new to OpenID Connect and Keycloak (using version 2.2.0-CR1 and RedHat SSO v7), I've managed to get a client working with a realm within Keycloak. I've configured the client in the realm using a shared key and have configured my remote client accordingly. It works fine for authentication and I'm getting the standard claims back. But I don't know how to get the roles associated with the user to come through.

I can see in the endpoint OpenID connect configuration on the server that the following claims are supported:

"claim_types_supported": [ "normal" ],
"claims_parameter_supported": false,
"claims_supported": [ "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email" ]

Does this mean that it's not possible to get the roles from the userinfo call? Or if it is possible, how do I configure it to be supported?

Any help is very much appreciated!

Thanks
andy

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/deb16ca5/attachment.html

From adilelfahmi at gmail.com Wed Sep 14 20:13:05 2016
From: adilelfahmi at gmail.com (Harits Elfahmi)
Date: Thu, 15 Sep 2016 07:13:05 +0700
Subject: [keycloak-user] Allow google login without reauthentication
In-Reply-To: <5768D9C4.3000308@redhat.com>
References: <5768D9C4.3000308@redhat.com>
Message-ID:

Hi Marek,

Any pointer on this?
I've looked through the source code, but can't seem to find the place where it does the actual linking. Must I replace the entire default First Broker Login flow, or is it possible to just make some changes to some of its authenticators?

Thanks

2016-06-21 13:08 GMT+07:00 Marek Posolda :

> You mean that if there is already an existing user "john at gmail.com" in
> the keycloak database and you authenticate the same user "john at gmail.com"
> with the google identity provider, you want to automatically link the google
> provider with this keycloak account?
>
> We didn't want to support this OOTB because of possible security
> implications. For example, if the identity provider doesn't verify emails,
> you can see security issues similar to this:
> - There is a user "john at gmail.com" in keycloak.
> - The attacker registers an account on the identity provider side with the
> email "john at gmail.com". If the identity provider doesn't verify emails,
> the attacker can easily do it.
> - Now the attacker logs in to keycloak with the identity provider and
> keycloak will automatically link with the existing keycloak account
> "john at gmail.com". So now the attacker was able to log in to keycloak as
> user "john at gmail.com" because the 3rd party identity provider didn't
> verify emails and accounts were linked automatically just based on emails.
>
> You can admit that this one issue doesn't exist in case the identity
> provider properly verifies emails. However, there are still in theory some
> other issues...
>
> So feel free to implement your own authenticator, which will do the
> linking automatically based on email, and then configure the "first broker
> login" flow with your authenticator. See the docs for "First broker login"
> and "Authentication SPI" for more details.
>
> Also feel free to create a JIRA if you really want this OOTB. We may
> eventually add it if there is a big requirement for this. However, we will
> never change the default "first broker login" flow to behave like this and
> automatically link accounts.
>
> Marek
>
>
> On 17/06/16 08:46, Harits Elfahmi wrote:
>
> Hello,
>
> Currently we use google login using the identity provider in keycloak. The
> first broker login states that we must verify the existing account and then
> reauthenticate using the user password form. Is it possible to use the
> already available executions/flows and skip the reauthentication part?
>
> So if the google email already exists in a keycloak account, we allow them
> to log in without the form.
>
> Or must we create a custom execution? Is it possible using a custom
> execution?
>
> Thanks
> --
> Cheers,
>
> *Harits* Elfahmi
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

--
Cheers,

*Harits* Elfahmi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/2c90a394/attachment.html

From tinjoy_6 at yahoo.com Wed Sep 14 22:53:35 2016
From: tinjoy_6 at yahoo.com (Tin)
Date: Thu, 15 Sep 2016 10:53:35 +0800
Subject: [keycloak-user] Lock user within indefinite period of time
Message-ID: <6F4171BF-514D-4972-9636-D0E12458B772@yahoo.com>

Hi,

I would like to know if there is a configuration in keycloak 1.3 where a temporarily disabled user will NOT be unlocked automatically. It will depend on the admin whether the user will be unlocked or not.

Thanks!

From fmontadamt at gmail.com Thu Sep 15 00:55:20 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Wed, 14 Sep 2016 21:55:20 -0700
Subject: [keycloak-user] Keycloak user credentials clean up
Message-ID:

Hi Team

We are facing a problem with user credentials being cleaned up. The use cases are two, and they are consistent:

1. From the Keycloak Web Console, sometimes if I remove more than one role at the same time, the credential clean-up happens.
2. After redeploying the server, the credentials for some users are being cleaned up.

This is how the user credentials look after the clean-up:

"credentials" : [
  {
    "value" : "ZTA3VTu2d7X6Cl/iSWKjGBGb5bJUFBto1EiOs8AjLj5rIKkMo2Wzymgm8rdPP27LMBBovNw8nxpDvcp4tniCqw=="
  }
],

The problem is that after that Keycloak cannot do anything with that user, because the server starts getting a NullPointerException:

03:36:36,031 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/opencarwash/users/09c74660-902c-441b-8892-f7dd560a7b83/reset-password: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
	at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
	at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)

And on the login page the user sees this:
"Unexpected error when handling authentication request to identity provider."

Could you please help us?

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160914/0fc1cb70/attachment-0001.html

From h.p.przybysz at gmail.com Thu Sep 15 01:18:48 2016
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Thu, 15 Sep 2016 07:18:48 +0200
Subject: [keycloak-user] Support for CORS Access-Control-Expose-Headers in 2.0.0.Final
In-Reply-To:
References: <20160709053836.GA23953@abstractj.org> <20160711161310.GA7375@abstractj.org>
Message-ID:

Hi Stian,

Any chance to have this included in the next release? This problem is really bugging me.

BR / Hubert.

On Tue, Jul 12, 2016 at 8:32 AM, Hubert Przybysz wrote:

> Ok, thanks. It was a bit unclear to me if it should have been supported.
>
> On Tue, Jul 12, 2016 at 7:17 AM, Stian Thorgersen wrote:
>
>> I changed that issue to a feature request, since we've never supported it
>> it's not a bug.
>>
>> On 11 July 2016 at 20:25, Hubert Przybysz wrote:
>>
>>> I have created KEYCLOAK-3297.
>>>
>>> On Mon, Jul 11, 2016 at 7:29 PM, Bruno Oliveira wrote:
>>>
>>>> Please, go ahead and create one. I couldn't find any Jira related to
>>>> this.
>>>>
>>>> On Mon, Jul 11, 2016 at 1:36 PM Hubert Przybysz wrote:
>>>>
>>>>> Does anyone know when it will be possible to configure the adapters
>>>>> with CORS expose headers?
>>>>>
>>>>> I don't find any jira for it.
>>>>>
>>>>> Br / Hubert.
>>>>>
>>>>> On Mon, Jul 11, 2016 at 6:13 PM, Bruno Oliveira wrote:
>>>>>
>>>>>> You are right Hubert, it's not supported in the keycloak.json file, I just
>>>>>> overlooked the code.
>>>>>> Sorry about that.
>>>>>>
>>>>>> On 2016-07-11, Hubert Przybysz wrote:
>>>>>> > Thanks for the info.
>>>>>> >
>>>>>> > I've tried configuring cors-exposed-headers in a JBOSS EAP 6
>>>>>> adapter like
>>>>>> > this:
>>>>>> >
>>>>>> > keycloak.json:
>>>>>> > {
>>>>>> > ...
>>>>>> > >>>>>> > "enable-cors" : true, >>>>>> > >>>>>> > "cors-allowed-methods" : "POST,PUT,DELETE,GET", >>>>>> > >>>>>> > "cors-allowed-headers" : >>>>>> > "Accept,Content-Type,If-Match,If-None-Match,Origin", >>>>>> > >>>>>> > "cors-exposed-headers" : "ETag,Location", >>>>>> > >>>>>> > ... >>>>>> > >>>>>> > } >>>>>> > >>>>>> > >>>>>> > But the adapter does not recognise this config and fails to start: >>>>>> > >>>>>> > 10:57:15,923 ERROR [org.apache.catalina.core] (ServerService Thread >>>>>> Pool -- >>>>>> > 69) JBWEB001097: Error starting context /data: >>>>>> java.lang.RuntimeException: >>>>>> > com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: >>>>>> > Unrecognized field "cors-exposed-headers" (class >>>>>> > org.keycloak.representations.adapters.config.AdapterConfig), not >>>>>> marked as >>>>>> > ignorable (32 known properties: "ssl-required", >>>>>> "cors-allowed-headers", >>>>>> > "register-node-period", "turn-off-change-session-id-on-login", >>>>>> > "truststore", "always-refresh-token", "client-key-password", >>>>>> > "policy-enforcer", "token-store", "resource", "realm", "proxy-url", >>>>>> > "disable-trust-manager", "bearer-only", "truststore-password", >>>>>> > "use-resource-role-mappings", "connection-pool-size", >>>>>> "client-keystore", >>>>>> > "register-node-at-startup", "client-keystore-password", >>>>>> "auth-server-url", >>>>>> > "cors-allowed-methods", "public-client", "expose-token", >>>>>> > "token-minimum-time-to-live", "enable-basic-auth", "cors-max-age", >>>>>> > "enable-cors", "allow-any-hostname", "realm-public-key", >>>>>> "credentials", >>>>>> > "principal-attribute"]) >>>>>> > >>>>>> > at [Source: java.io.ByteArrayInputStream at 67593e31; line: 14, >>>>>> column: 29] >>>>>> > (through reference chain: >>>>>> > org.keycloak.representations.adapters.config.AdapterConfig[ >>>>>> "cors-exposed-headers"]) >>>>>> > >>>>>> > at >>>>>> > org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig( >>>>>> 
KeycloakDeploymentBuilder.java:137) >>>>>> > [keycloak-adapter-core-2.0.0.Final.jar:2.0.0.Final] >>>>>> > >>>>>> > at >>>>>> > org.keycloak.adapters.KeycloakDeploymentBuilder.build( >>>>>> KeycloakDeploymentBuilder.java:126) >>>>>> > [keycloak-adapter-core-2.0.0.Final.jar:2.0.0.Final] >>>>>> > >>>>>> > at >>>>>> > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV >>>>>> alve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133) >>>>>> > [keycloak-tomcat-core-adapter-2.0.0.Final.jar:2.0.0.Final] >>>>>> > >>>>>> > at >>>>>> > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV >>>>>> alve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75) >>>>>> > [keycloak-tomcat-core-adapter-2.0.0.Final.jar:2.0.0.Final] >>>>>> > >>>>>> > at >>>>>> > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent( >>>>>> LifecycleSupport.java:115) >>>>>> > [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] >>>>>> > >>>>>> > at >>>>>> > org.apache.catalina.core.StandardContext.start( >>>>>> StandardContext.java:3775) >>>>>> > [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService.doStart( >>>>>> WebDeploymentService.java:163) >>>>>> > [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService.access$ >>>>>> 000(WebDeploymentService.java:61) >>>>>> > [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService$1.run( >>>>>> WebDeploymentService.java:96) >>>>>> > [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] >>>>>> > >>>>>> > at java.util.concurrent.Executors$RunnableAdapter. 
>>>>>> call(Executors.java:471) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at java.util.concurrent.FutureTask.run(FutureTask.java:262) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at >>>>>> > java.util.concurrent.ThreadPoolExecutor.runWorker( >>>>>> ThreadPoolExecutor.java:1145) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at >>>>>> > java.util.concurrent.ThreadPoolExecutor$Worker.run( >>>>>> ThreadPoolExecutor.java:615) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at org.jboss.threads.JBossThread.run(JBossThread.java:122) >>>>>> > >>>>>> > Caused by: >>>>>> > com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: >>>>>> > Unrecognized field "cors-exposed-headers" (class >>>>>> > org.keycloak.representations.adapters.config.AdapterConfig), not >>>>>> marked as >>>>>> > ignorable (32 known properties: "ssl-required", >>>>>> "cors-allowed-headers", >>>>>> > "register-node-period", "turn-off-change-session-id-on-login", >>>>>> > "truststore", "always-refresh-token", "client-key-password", >>>>>> > "policy-enforcer", "token-store", "resource", "realm", "proxy-url", >>>>>> > "disable-trust-manager", "bearer-only", "truststore-password", >>>>>> > "use-resource-role-mappings", "connection-pool-size", >>>>>> "client-keystore", >>>>>> > "register-node-at-startup", "client-keystore-password", >>>>>> "auth-server-url", >>>>>> > "cors-allowed-methods", "public-client", "expose-token", >>>>>> > "token-minimum-time-to-live", "enable-basic-auth", "cors-max-age", >>>>>> > "enable-cors", "allow-any-hostname", "realm-public-key", >>>>>> "credentials", >>>>>> > "principal-attribute"]) >>>>>> > >>>>>> > at [Source: java.io.ByteArrayInputStream at 67593e31; line: 14, >>>>>> column: 29] >>>>>> > (through reference chain: >>>>>> > org.keycloak.representations.adapters.config.AdapterConfig[ >>>>>> "cors-exposed-headers"]) >>>>>> > >>>>>> > at >>>>>> > 
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException. >>>>>> from(UnrecognizedPropertyException.java:51) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.DeserializationContext. >>>>>> reportUnknownProperty(DeserializationContext.java:817) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.deser.std.StdDeserializer. >>>>>> handleUnknownProperty(StdDeserializer.java:958) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.deser.BeanDeserializerBase. >>>>>> handleUnknownProperty(BeanDeserializerBase.java:1324) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.deser.BeanDeserializerBase. >>>>>> handleUnknownVanilla(BeanDeserializerBase.java:1302) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.deser.BeanDeserializer. >>>>>> vanillaDeserialize(BeanDeserializer.java:249) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize( >>>>>> BeanDeserializer.java:136) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.ObjectMapper._ >>>>>> readMapAndClose(ObjectMapper.java:3564) >>>>>> > >>>>>> > at >>>>>> > com.fasterxml.jackson.databind.ObjectMapper. >>>>>> readValue(ObjectMapper.java:2650) >>>>>> > >>>>>> > at >>>>>> > org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig( >>>>>> KeycloakDeploymentBuilder.java:135) >>>>>> > [keycloak-adapter-core-2.0.0.Final.jar:2.0.0.Final] >>>>>> > >>>>>> > ... 
14 more >>>>>> > >>>>>> > >>>>>> > 10:57:15,973 ERROR [org.apache.catalina.core] (ServerService Thread >>>>>> Pool -- >>>>>> > 69) JBWEB001103: Error detected during context /data start, will >>>>>> stop it >>>>>> > >>>>>> > 10:57:15,985 ERROR [org.jboss.msc.service.fail] (ServerService >>>>>> Thread Pool >>>>>> > -- 69) MSC000001: Failed to start service >>>>>> > jboss.web.deployment.default-host./data: >>>>>> > org.jboss.msc.service.StartException in service >>>>>> > jboss.web.deployment.default-host./data: >>>>>> > org.jboss.msc.service.StartException in anonymous service: >>>>>> JBAS018040: >>>>>> > Failed to start context >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService$1.run( >>>>>> WebDeploymentService.java:99) >>>>>> > >>>>>> > at java.util.concurrent.Executors$RunnableAdapter. >>>>>> call(Executors.java:471) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at java.util.concurrent.FutureTask.run(FutureTask.java:262) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at >>>>>> > java.util.concurrent.ThreadPoolExecutor.runWorker( >>>>>> ThreadPoolExecutor.java:1145) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at >>>>>> > java.util.concurrent.ThreadPoolExecutor$Worker.run( >>>>>> ThreadPoolExecutor.java:615) >>>>>> > [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80] >>>>>> > >>>>>> > at org.jboss.threads.JBossThread.run(JBossThread.java:122) >>>>>> > >>>>>> > Caused by: org.jboss.msc.service.StartException in anonymous >>>>>> service: >>>>>> > JBAS018040: Failed to start context >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService.doStart( >>>>>> WebDeploymentService.java:168) >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService.access$ >>>>>> 000(WebDeploymentService.java:61) >>>>>> > >>>>>> > at >>>>>> > org.jboss.as.web.deployment.WebDeploymentService$1.run( >>>>>> WebDeploymentService.java:96) >>>>>> > >>>>>> > ... 
6 more >>>>>> > >>>>>> > >>>>>> > 10:57:16,019 ERROR [org.jboss.as.controller.management-operation] >>>>>> > (Controller Boot Thread) JBAS014612: Operation ("deploy") failed - >>>>>> address: >>>>>> > ([("deployment" => "webims-jcom-data-1.3.1- >>>>>> SNAPSHOT-secure-keycloak.war")]) >>>>>> > - failure description: {"JBAS014671: Failed services" => >>>>>> > {"jboss.web.deployment.default-host./data" => >>>>>> > "org.jboss.msc.service.StartException in service >>>>>> > jboss.web.deployment.default-host./data: >>>>>> > org.jboss.msc.service.StartException in anonymous service: >>>>>> JBAS018040: >>>>>> > Failed to start context >>>>>> > >>>>>> > Caused by: org.jboss.msc.service.StartException in anonymous >>>>>> service: >>>>>> > JBAS018040: Failed to start context"}} >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > On Sat, Jul 9, 2016 at 7:38 AM, Bruno Oliveira >>>>>> wrote: >>>>>> > >>>>>> > > As far as I can tell, yes. >>>>>> > > >>>>>> > > See: >>>>>> > > >>>>>> > > https://keycloak.gitbooks.io/server-adminstration-guide/ >>>>>> content/topics/clients/client-oidc.html >>>>>> > > >>>>>> > > https://github.com/keycloak/keycloak/blob/ >>>>>> 5c98b8c6ae7052b2d906156d8fc212ccd9dfd57d/services/src/main/ >>>>>> java/org/keycloak/services/resources/Cors.java#L143 >>>>>> > > >>>>>> > > On 2016-07-08, Hubert Przybysz wrote: >>>>>> > > > Hi, >>>>>> > > > >>>>>> > > > Is configuration of CORS Access-Control-Expose-Headers >>>>>> supported in >>>>>> > > > 2.0.0.Final adapters? >>>>>> > > > >>>>>> > > > Best regards / Hubert. 
>>>>>> > > >>>>>> > > > _______________________________________________ >>>>>> > > > keycloak-user mailing list >>>>>> > > > keycloak-user at lists.jboss.org >>>>>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> > > >>>>>> > > >>>>>> > > -- >>>>>> > > >>>>>> > > abstractj >>>>>> > > PGP: 0x84DC9914 >>>>>> > > >>>>>> >>>>>> -- >>>>>> >>>>>> abstractj >>>>>> PGP: 0x84DC9914 >>>>>> >>>>> >>>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/2df8efe8/attachment-0001.html From sheishere48 at gmail.com Thu Sep 15 02:44:29 2016 From: sheishere48 at gmail.com (sheishere b) Date: Thu, 15 Sep 2016 12:14:29 +0530 Subject: [keycloak-user] session inactivity; ignoring auto refresh requests In-Reply-To: References: Message-ID: Thanks for your input On Thu, Sep 8, 2016 at 12:08 PM, Stian Thorgersen wrote: > As long as the token is refreshed Keycloak sees it as an active user. > Simplest option would be to make your app stop doing the background > requests after a while, which would result in in the session timing out. It > could also trigger a logout of the user from the application itself. > Alternatively we could potentially do something like having adding a > proprietary option to the refresh request to prevent it being seen as "user > activity", but I'm less keen on that since it'd be non-standard OIDC. > > On 7 September 2016 at 12:41, sheishere b wrote: > >> We have node js integrated with keycloak & keycloak is running as a >> service in jboss. >> There are many http requests being sent from browser to server in the >> background as part of auto refresh of some tables. 
>> So if user has opened browser & remains inactive; in the background many >> requests are made. Keycloak will never detect inactivity & hence session >> will never be invalidated after session inactivity timeout. >> Is there a way in keycloak to ignore such background requests from being >> considered for session alive scenarios? >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/262bfb57/attachment.html From thomas.darimont at googlemail.com Thu Sep 15 04:13:11 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 15 Sep 2016 10:13:11 +0200 Subject: [keycloak-user] Configuring KC adapter through ENV/programatically In-Reply-To: References: Message-ID: Hello, you can use env-variables in Keycloak.json - see paragraph after the config example: https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html Cheers, Thomas 2016-09-14 13:30 GMT+02:00 Stian Thorgersen : > What adapter? Java adapters has support to write your own config loader > (see multi-tenancy example). For JavaScript adapter make your web server > dynamically create the keycloak.json. > > On 14 September 2016 at 11:30, cen wrote: > >> Hi >> >> We have a Java REST microservice which is configured as a whole through >> environment variables and deployed in Docker. >> >> We can't provide production keycloak.json at Docker build time because >> then it becomes a specific container for a specific deployment. We want >> to keep the container unconfigured and neutral, ready to be deployed >> with any Keycloak server. 
>> >> At the moment we have an additional step in production deployment that >> copies the correct keycloak.json into a running Docker container and >> restarts it. >> >> Ideally though, we would like to provide keycloak.json through an >> environment variable or load it dynamically from etcd/zookeeper/similar. >> >> is it possible to somehow configure the Keycloak adapter at runtime? >> >> >> Best regards, cen >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/5d570885/attachment.html From thomas.darimont at googlemail.com Thu Sep 15 04:58:43 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 15 Sep 2016 10:58:43 +0200 Subject: [keycloak-user] Keycloak user credentials clean up In-Reply-To: References: Message-ID: Which Keycloak version are you using? 2016-09-15 6:55 GMT+02:00 Francisco Montada : > Hi Team > We are facing the problem with the user credentials clean up, the uses > cases are two and are consisten > > 1. From the Keycloak Web Console, sometime if I remove more that one role > at the same time, is happen the credential clean up. > 2. 
> After redeploying the server, the credentials for some users are being
> cleaned up.
>
> This is how the user credentials look after the clean up:
>
>     "credentials" : [
>       {
>         "value" : "ZTA3VTu2d7X6Cl/iSWKjGBGb5bJUFBto1EiOs8AjLj5rIKkMo2Wzymgm8rdPP27LMBBovNw8nxpDvcp4tniCqw=="
>       }
>     ],
>
> The problem is that after that Keycloak cannot do anything with that user,
> because the server starts getting a NullPointerException:
>
>     03:36:36,031 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/opencarwash/users/09c74660-902c-441b-8892-f7dd560a7b83/reset-password: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>
> And on the login page the user
> sees this:
> "Unexpected error when handling authentication request to identity
> provider."
>
> Could you please help us?
>
> Thanks

From imbacen at gmail.com Thu Sep 15 05:55:13 2016
From: imbacen at gmail.com (cen)
Date: Thu, 15 Sep 2016 11:55:13 +0200
Subject: [keycloak-user] Configuring KC adapter through ENV/programmatically

There is something weird about ENV vars in keycloak.json. It works if I run
my service from Eclipse but I am getting "Invalid token signature" when
running it in Docker (which in my experience means something in json is
broken/not loaded correctly). As soon as I physically copy the keycloak.json
into the container it starts working again. No idea why really, but something
about that environment prevents keycloak.json from loading correctly with ENV
vars.

The multi-tenancy example seems promising, thanks.

Thomas Darimont wrote on 15. 09. 2016 at 10:13:

> Hello,
>
> you can use env-variables in Keycloak.json - see paragraph after the config
> example:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html
>
> Cheers,
> Thomas

From aman.jaiswal at arvindinternet.com Thu Sep 15 05:56:35 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Thu, 15 Sep 2016 15:26:35 +0530
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache

Hi

According to the error I think I have to add the infinispan jar file in the
providers folder, but I don't know whether I am right or not, and there are
many jar files regarding this.
My keycloak-server.json file is given below:

    {
        "providers": [
            "classpath:${jboss.server.config.dir}/providers/*"
        ],

        "admin": {
            "realm": "master"
        },

        "eventsStore": {
            "provider": "jpa",
            "jpa": {
                "exclude-events": [ "REFRESH_TOKEN" ]
            }
        },

        "realm": {
            "provider": "jpa"
        },

        "user": {
            "provider": "jpa"
        },

        "realmCache": {
            "provider": "infinispan"
        },

        "userCache": {
            "provider": "infinispan"
        },

        "userSessions": {
            "provider": "infinispan"
        },

        "timer": {
            "provider": "basic"
        },

        "theme": {
            "default": "keycloak",
            "staticMaxAge": 2592000,
            "cacheTemplates": true,
            "cacheThemes": true,
            "folder": {
                "dir": "${jboss.server.config.dir}/themes"
            }
        },

        "scheduled": {
            "interval": 900
        },

        "connectionsHttpClient": {
            "default": {
                "disable-trust-manager": true
            }
        },

        "connectionsJpa": {
            "default": {
                "dataSource": "java:jboss/datasources/KeycloakDS",
                "databaseSchema": "update"
            }
        },

        "connectionsInfinispan": {
            "default" : {
                "cacheContainer" : "java:jboss/infinispan/Keycloak"
            }
        }
    }

On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:

> Hi, I am getting the following error when trying to integrate infinispan
> with keycloak:
>
>     /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=[AWS ACCESS KEY REDACTED] -Djgroups.s3.secret_access_key=[AWS SECRET KEY REDACTED] -Djgroups.management.address=$ipkeycloakdevadmin
>
>     =========================================================================
>
>       JBoss Bootstrap Environment
>
>       JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final
>
>       JAVA: java
>
>       JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>
>     =========================================================================
>
>     16:17:09,206 INFO [org.keycloak.services] (ServerService Thread Pool -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/configuration/keycloak-server.json
>     16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 66) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
>         at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>         at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>         at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>         at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>         at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>         at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>         at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>         at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>         at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>         at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>         ... 6 more
>     Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache
>         at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory.java:96)
>         at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:75)
>         at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:244)
>         at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:78)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>         ... 19 more
>
>     16:17:09,482 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache"}}
>     16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>     16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
>     WFLYCTL0186: Services which failed to start: service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>
>     16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
>     16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
>     16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with errors) in 10846ms - Started 475 of 853 services (2 services failed or missing dependencies, 588 services are lazy, passive or on-demand)
>
> --
> Thanks,
> Aman Jaiswal

--
Thanks,
Aman Jaiswal

From sthorger at redhat.com Thu Sep 15 06:01:12 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Sep 2016 12:01:12 +0200
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache

Looks like you're probably upgrading from an old version and your
keycloak-server.json file needs updating. Please look at the migration docs
for full details or compare with the keycloak-server.json included. At least
'realmCache' and 'userCache' are wrong. Should just be 'default'.

On 15 September 2016 at 11:56, Aman Jaiswal wrote:

> Hi
>
> According to the error I think I have to add the infinispan jar file in the
> providers folder, but I don't know whether I am right or not, and there are
> many jar files regarding this.
>> jboss.resteasy.core.Dispatcher) >> >> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >> nstructorInjectorImpl.java:162) >> >> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide >> rInstance(ResteasyProviderFactory.java:2209) >> >> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( >> ResteasyDeployment.java:299) >> >> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl >> oyment.java:240) >> >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >> spatcher.init(ServletContainerDispatcher.java:113) >> >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.init(HttpServletDispatcher.java:36) >> >> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >> ed(LifecyleInterceptorInvocation.java:117) >> >> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc >> eptor.init(RunAsLifecycleInterceptor.java:78) >> >> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >> ed(LifecyleInterceptorInvocation.java:103) >> >> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat >> egy.start(ManagedServlet.java:231) >> >> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage >> dServlet.java:132) >> >> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym >> entManagerImpl.java:526) >> >> at org.wildfly.extension.undertow.deployment.UndertowDeployment >> Service.startContext(UndertowDeploymentService.java:101) >> >> at org.wildfly.extension.undertow.deployment.UndertowDeployment >> Service$1.run(UndertowDeploymentService.java:82) >> >> ... 
6 more >> >> Caused by: java.lang.RuntimeException: Failed to find provider infinispan >> for realmCache >> >> at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs >> (DefaultKeycloakSessionFactory.java:96) >> >> at org.keycloak.services.DefaultKeycloakSessionFactory.init(Def >> aultKeycloakSessionFactory.java:75) >> >> at org.keycloak.services.resources.KeycloakApplication.createSe >> ssionFactory(KeycloakApplication.java:244) >> >> at org.keycloak.services.resources.KeycloakApplication.( >> KeycloakApplication.java:78) >> >> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >> Method) >> >> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >> ConstructorAccessorImpl.java:62) >> >> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >> legatingConstructorAccessorImpl.java:45) >> >> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >> >> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >> nstructorInjectorImpl.java:150) >> >> ... 19 more >> >> >> >> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >> ([("deployment" => "keycloak-server.war")]) - failure description: >> {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.de >> fault-server.default-host./auth" => "org.jboss.msc.service.StartException >> in service jboss.undertow.deployment.default-server.default-host./auth: >> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >> org.keycloak.services.resources.KeycloakApplication(javax. >> servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> >> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >> construct public org.keycloak.services.resource >> s.KeycloakApplication(javax.servlet.ServletContext,org. 
>> jboss.resteasy.core.Dispatcher)
>>
>> Caused by: java.lang.RuntimeException: Failed to find provider
>> infinispan for realmCache"}}
>>
>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool --
>> 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name :
>> "keycloak-server.war")
>>
>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread)
>> WFLYCTL0183: Service status report
>>
>> WFLYCTL0186: Services which failed to start: service
>> jboss.undertow.deployment.default-server.default-host./auth:
>> org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./auth:
>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public
>> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>
>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060:
>> Http management interface listening on http://127.0.0.1:9990/management
>>
>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051:
>> Admin console listening on http://127.0.0.1:9990
>>
>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026:
>> Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with errors) in
>> 10846ms - Started 475 of 853 services (2 services failed or missing
>> dependencies, 588 services are lazy, passive or on-demand)
>>
>> --
>> Thanks,
>> Aman Jaiswal
>>
>
> --
> Thanks,
> Aman Jaiswal
>
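A small checker for the keycloak-server.json mismatch Stian points at, as an added example that is not code from this thread or from the Keycloak project; it knows only the two renames the thread names (realmCache and userCache from "infinispan" to "default") and assumes the quoted file layout, a "provider" key under each SPI section.

```python
"""Check a keycloak-server.json copied from an older Keycloak for provider
names the newer server no longer registers.

Added example, not Keycloak project code.  The rename table below holds only
what this thread states; extend it from the version-specific migration notes.
"""
import json

# SPI -> {provider name in the old file: provider name the new server expects}
# From the thread: "At least 'realmCache' and 'userCache' is wrong. Should just
# be 'default'."  userSessions is not listed there and is left alone.
STALE_PROVIDERS = {
    "realmCache": {"infinispan": "default"},
    "userCache": {"infinispan": "default"},
}

# Constructed sample: the sections of the config quoted in the thread that
# matter for the check.
SAMPLE_CONFIG = """
{
    "realmCache": { "provider": "infinispan" },
    "userCache": { "provider": "infinispan" },
    "userSessions": { "provider": "infinispan" },
    "connectionsHttpClient": { "default": { "disable-trust-manager": true } },
    "connectionsInfinispan": {
        "default": { "cacheContainer": "java:jboss/infinispan/Keycloak" }
    }
}
"""


def find_stale_providers(config):
    """Return [(spi, old_value, new_value)] for each SPI whose provider name
    the new server would not find, which is what the startup error
    'Failed to find provider infinispan for realmCache' reports."""
    findings = []
    for spi, renames in STALE_PROVIDERS.items():
        section = config.get(spi)
        if not isinstance(section, dict):
            continue
        old = section.get("provider")
        if old in renames:
            findings.append((spi, old, renames[old]))
    return findings


def find_weak_settings(config):
    """Flag the one setting in the quoted file that weakens TLS: with
    disable-trust-manager the server's outbound HTTP client accepts any
    certificate."""
    warnings = []
    http = config.get("connectionsHttpClient", {}).get("default", {})
    if http.get("disable-trust-manager") is True:
        warnings.append(
            "connectionsHttpClient.default.disable-trust-manager is true: "
            "outbound TLS certificates are not validated"
        )
    return warnings


def migrate(config):
    """Return a copy of config with the stale provider names rewritten;
    nothing outside STALE_PROVIDERS is touched."""
    fixed = json.loads(json.dumps(config))  # deep copy via JSON round-trip
    for spi, _old, new in find_stale_providers(config):
        fixed[spi]["provider"] = new
    return fixed


def check_file(text):
    """Parse keycloak-server.json text; return (stale, warnings, fixed)."""
    config = json.loads(text)
    return find_stale_providers(config), find_weak_settings(config), migrate(config)


if __name__ == "__main__":
    stale, warnings, fixed = check_file(SAMPLE_CONFIG)
    for spi, old, new in stale:
        print(f"{spi}: provider '{old}' is not registered; use '{new}'")
    for warning in warnings:
        print("warning:", warning)
    print(json.dumps(fixed, indent=4))
```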
From aman.jaiswal at arvindinternet.com Thu Sep 15 06:07:41 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Thu, 15 Sep 2016 15:37:41 +0530
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache
In-Reply-To: References: Message-ID:

Yes, I am. I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final, and according to the document it says that:
"You should copy standalone/configuration/keycloak-server.json from the old version to make sure any configuration changes you've done are added to the new installation. The version specific section below will list any changes done to this file that you have to do when upgrading from one version to another."
That's why I changed this file.

On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen wrote:
> Looks like you're probably upgrading from an old version and your
> keycloak-server.json file needs updating. Please look at the migration docs
> for full details or compare with the keycloak-server.json included. At
> least 'realmCache' and 'userCache' are wrong. Should just be 'default'.
>
> On 15 September 2016 at 11:56, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>
>> Hi
>>
>> According to the error I think I have to add the infinispan jar file in the
>> providers folder, but I don't know whether I am right or not, and there are
>> many jar files regarding this.
>> My keycloak-server.json file is given below:
>>
>> {
>>     "providers": [
>>         "classpath:${jboss.server.config.dir}/providers/*"
>>     ],
>>
>>     "admin": {
>>         "realm": "master"
>>     },
>>
>>     "eventsStore": {
>>         "provider": "jpa",
>>         "jpa": {
>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>         }
>>     },
>>
>>     "realm": {
>>         "provider": "jpa"
>>     },
>>
>>     "user": {
>>         "provider": "jpa"
>>     },
>>
>>     "realmCache": {
>>         "provider": "infinispan"
>>     },
>>
>>     "userCache": {
>>         "provider": "infinispan"
>>     },
>>
>>     "userSessions": {
>>         "provider": "infinispan"
>>     },
>>
>>     "timer": {
>>         "provider": "basic"
>>     },
>>
>>     "theme": {
>>         "default": "keycloak",
>>         "staticMaxAge": 2592000,
>>         "cacheTemplates": true,
>>         "cacheThemes": true,
>>         "folder": {
>>             "dir": "${jboss.server.config.dir}/themes"
>>         }
>>     },
>>
>>     "scheduled": {
>>         "interval": 900
>>     },
>>
>>     "connectionsHttpClient": {
>>         "default": {
>>             "disable-trust-manager": true
>>         }
>>     },
>>
>>     "connectionsJpa": {
>>         "default": {
>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>             "databaseSchema": "update"
>>         }
>>     },
>>
>>     "connectionsInfinispan": {
>>         "default" : {
>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>         }
>>     }
>> }
>>
>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>
>>> Hi, I am getting the following error when trying to integrate infinispan with
>>> keycloak
>>>
>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh
>>> --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true
>>> -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev
>>> -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ
>>> -Djgroups.s3.secret_access_key=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
>>> -Djgroups.management.address=$ipkeycloakdevadmin
>>>
>>> [...]
>>>
>>> --
>>> Thanks,
>>> Aman Jaiswal
>>>
>>
>> --
>> Thanks,
>> Aman Jaiswal
>>
>

--
Thanks,
Aman Jaiswal

From sthorger at redhat.com Thu Sep 15 06:12:36 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Sep 2016 12:12:36 +0200
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache
In-Reply-To: References: Message-ID:

If you read the "version specific section" you'll see changes that have been made to keycloak-server.json that you need to make if you are copying from an old version. Alternatively, you can stick with the new one and manually apply any changes you've made (if any).

On 15 September 2016 at 12:07, Aman Jaiswal wrote:
> Yes, I am. I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final,
> and according to the document it says that:
> "You should copy standalone/configuration/keycloak-server.json from the
> old version to make sure any configuration changes you've done are added to
> the new installation. The version specific section below will list any
> changes done to this file that you have to do when upgrading from one
> version to another."
> That's why I changed this file.
>
> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen wrote:
>
>> Looks like you're probably upgrading from an old version and your
>> keycloak-server.json file needs updating. Please look at the migration docs
>> for full details or compare with the keycloak-server.json included.
>> At least 'realmCache' and 'userCache' are wrong. Should just be 'default'.
>>
>> On 15 September 2016 at 11:56, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>
>>> Hi
>>>
>>> According to the error I think I have to add the infinispan jar file in the
>>> providers folder, but I don't know whether I am right or not, and there are
>>> many jar files regarding this.
>>> My keycloak-server.json file is given below:
>>>
>>> {
>>>     "providers": [
>>>         "classpath:${jboss.server.config.dir}/providers/*"
>>>     ],
>>>
>>>     "admin": {
>>>         "realm": "master"
>>>     },
>>>
>>>     "eventsStore": {
>>>         "provider": "jpa",
>>>         "jpa": {
>>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>>         }
>>>     },
>>>
>>>     "realm": {
>>>         "provider": "jpa"
>>>     },
>>>
>>>     "user": {
>>>         "provider": "jpa"
>>>     },
>>>
>>>     "realmCache": {
>>>         "provider": "infinispan"
>>>     },
>>>
>>>     "userCache": {
>>>         "provider": "infinispan"
>>>     },
>>>
>>>     "userSessions": {
>>>         "provider": "infinispan"
>>>     },
>>>
>>>     "timer": {
>>>         "provider": "basic"
>>>     },
>>>
>>>     "theme": {
>>>         "default": "keycloak",
>>>         "staticMaxAge": 2592000,
>>>         "cacheTemplates": true,
>>>         "cacheThemes": true,
>>>         "folder": {
>>>             "dir": "${jboss.server.config.dir}/themes"
>>>         }
>>>     },
>>>
>>>     "scheduled": {
>>>         "interval": 900
>>>     },
>>>
>>>     "connectionsHttpClient": {
>>>         "default": {
>>>             "disable-trust-manager": true
>>>         }
>>>     },
>>>
>>>     "connectionsJpa": {
>>>         "default": {
>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>             "databaseSchema": "update"
>>>         }
>>>     },
>>>
>>>     "connectionsInfinispan": {
>>>         "default" : {
>>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>>         }
>>>     }
>>> }
>>>
>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>
>>>> Hi, I am getting the following error when trying to integrate infinispan with
>>>> keycloak
>>>>
>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh
>>>> --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true
-Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev >>>> -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ >>>> -Djgroups.s3.secret_access_key=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 >>>> -Djgroups.management.address=$ipkeycloakdevadmin >>>> >>>> ============================================================ >>>> ============= >>>> >>>> >>>> >>>> JBoss Bootstrap Environment >>>> >>>> >>>> >>>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>>> >>>> >>>> >>>> JAVA: java >>>> >>>> >>>> >>>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>>> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true >>>> >>>> >>>> >>>> ============================================================ >>>> ============= >>>> >>>> >>>> >>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules version >>>> 1.5.1.Final >>>> >>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final >>>> >>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) >>>> WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>>> >>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated] >>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in >>>> the resource at address '/subsystem=jgroups' is deprecated, and may be >>>> removed in future version. See the attribute description in the output of >>>> the read-resource-description operation to learn more about the deprecation. 
>>>> >>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot Thread) >>>> WFLYSRV0039: Creating http management service using socket-binding >>>> (management-http) >>>> >>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO version >>>> 3.3.4.Final >>>> >>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO >>>> Implementation Version 3.3.4.Final >>>> >>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss >>>> Remoting version 4.0.18.Final >>>> >>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] >>>> (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant >>>> driver class org.h2.Driver (version 1.3) >>>> >>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. >>>> >>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService Thread >>>> Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core >>>> threads with 32 task threads based on your 2 available processors >>>> >>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] >>>> (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant >>>> driver class com.mysql.jdbc.Driver (version 5.1) >>>> >>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] (ServerService >>>> Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. 
>>>> >>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) >>>> WFLYJSF0007: Activated the following JSF Implementations: [main] >>>> >>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread 1-3) >>>> WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final) >>>> >>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>> mysql >>>> >>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>> h2 >>>> >>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread Pool -- >>>> 49) WFLYNAM0001: Activating Naming Subsystem >>>> >>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread Pool >>>> -- 56) WFLYSEC0002: Activating Security Subsystem >>>> >>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService Thread >>>> Pool -- 59) WFLYWS0002: Activating WebServices Extension >>>> >>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread 1-3) >>>> WFLYSEC0001: Current PicketBox version=4.9.4.Final >>>> >>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] (ServerService >>>> Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting >>>> >>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC service >>>> thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting >>>> >>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread 1-4) >>>> WFLYNAM0003: Starting Naming Service >>>> >>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service thread >>>> 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] >>>> >>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] (ServerService >>>> Thread Pool -- 58) WFLYUT0014: Creating file handler for path >>>> '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' with >>>> options [directory-listing: 'false', follow-symlink: 'false', >>>> 
case-sensitive: 'true', safe-symlink-paths: '[]'] >>>> >>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC service >>>> thread 1-1) WFLYUT0012: Started server default-server. >>>> >>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC service >>>> thread 1-4) WFLYUT0018: Host default-host starting >>>> >>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC service >>>> thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on >>>> 10.1.3.93:8080 >>>> >>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC service >>>> thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on >>>> 10.1.3.93:8009 >>>> >>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread Pool -- >>>> 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final >>>> >>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread Pool -- >>>> 62) MODCLUSTER000032: Listening to proxy advertisements on / >>>> 224.0.1.105:23364 >>>> >>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] >>>> (MSC service thread 1-2) WFLYJCA0001: Bound data source >>>> [java:jboss/datasources/KeycloakDS] >>>> >>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC service >>>> thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" >>>> (runtime-name: "keycloak-server.war") >>>> >>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC service >>>> thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4) >>>> >>>> 16:17:08,079 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000078: >>>> Starting JGroups channel keycloak >>>> >>>> 16:17:08,080 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: >>>> Starting JGroups channel server >>>> >>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: >>>> Starting JGroups channel hibernate 
>>>> >>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: >>>> Starting JGroups channel web >>>> >>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: >>>> Received new cluster view for channel keycloak: [ip-10-1-3-93|0] (1) >>>> [ip-10-1-3-93] >>>> >>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: >>>> Received new cluster view for channel server: [ip-10-1-3-93|0] (1) >>>> [ip-10-1-3-93] >>>> >>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: >>>> Received new cluster view for channel hibernate: [ip-10-1-3-93|0] (1) >>>> [ip-10-1-3-93] >>>> >>>> 16:17:08,098 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: >>>> Received new cluster view for channel web: [ip-10-1-3-93|0] (1) >>>> [ip-10-1-3-93] >>>> >>>> 16:17:08,101 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: >>>> Channel hibernate local address is ip-10-1-3-93, physical addresses are [ >>>> 10.1.3.93:55200] >>>> >>>> 16:17:08,102 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: >>>> Channel server local address is ip-10-1-3-93, physical addresses are [ >>>> 10.1.3.93:55200] >>>> >>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] >>>> (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' >>>> 8.1.0.Final >>>> >>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: >>>> Channel web local address is ip-10-1-3-93, physical addresses are [ >>>> 10.1.3.93:55200] >>>> >>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>> 
sport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: >>>> Channel keycloak local address is ip-10-1-3-93, physical addresses are [ >>>> 10.1.3.93:55200] >>>> >>>> 16:17:08,147 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: >>>> Starting JGroups channel ejb >>>> >>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: >>>> Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) >>>> [ip-10-1-3-93] >>>> >>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: >>>> Channel ejb local address is ip-10-1-3-93, physical addresses are [ >>>> 10.1.3.93:55200] >>>> >>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 67) WFLYCLINF0002: Started work cache from keycloak container >>>> >>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak >>>> container >>>> >>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from >>>> keycloak container >>>> >>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 66) WFLYCLINF0002: Started loginFailures cache from keycloak >>>> container >>>> >>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 63) WFLYCLINF0002: Started sessions cache from keycloak >>>> container >>>> >>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] (ServerService >>>> Thread Pool -- 62) WFLYCLINF0002: Started users cache from keycloak >>>> container >>>> >>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread Pool >>>> -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak >>>> 
-2.1.0.Final/standalone/configuration/keycloak-server.json >>>> >>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread >>>> Pool -- 66) MSC000001: Failed to start service >>>> jboss.undertow.deployment.default-server.default-host./auth: >>>> org.jboss.msc.service.StartException in service >>>> jboss.undertow.deployment.default-server.default-host./auth: >>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>> >>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>> Service$1.run(UndertowDeploymentService.java:85) >>>> >>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor >>>> s.java:511) >>>> >>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>> >>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>> Executor.java:1142) >>>> >>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>> lExecutor.java:617) >>>> >>>> at java.lang.Thread.run(Thread.java:745) >>>> >>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>> >>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>> construct public org.keycloak.services.resources.KeycloakApplication( >>>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>> >>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>> nstructorInjectorImpl.java:162) >>>> >>>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide >>>> rInstance(ResteasyProviderFactory.java:2209) >>>> >>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( >>>> ResteasyDeployment.java:299) >>>> >>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl >>>> oyment.java:240) >>>> >>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>>> spatcher.init(ServletContainerDispatcher.java:113) >>>> >>>> at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>> her.init(HttpServletDispatcher.java:36) >>>> >>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >>>> ed(LifecyleInterceptorInvocation.java:117) >>>> >>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc >>>> eptor.init(RunAsLifecycleInterceptor.java:78) >>>> >>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >>>> ed(LifecyleInterceptorInvocation.java:103) >>>> >>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat >>>> egy.start(ManagedServlet.java:231) >>>> >>>> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage >>>> dServlet.java:132) >>>> >>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym >>>> entManagerImpl.java:526) >>>> >>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>> Service.startContext(UndertowDeploymentService.java:101) >>>> >>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>> Service$1.run(UndertowDeploymentService.java:82) >>>> >>>> ... 
6 more >>>> >>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>> infinispan for realmCache >>>> >>>> at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs >>>> (DefaultKeycloakSessionFactory.java:96) >>>> >>>> at org.keycloak.services.DefaultKeycloakSessionFactory.init(Def >>>> aultKeycloakSessionFactory.java:75) >>>> >>>> at org.keycloak.services.resources.KeycloakApplication.createSe >>>> ssionFactory(KeycloakApplication.java:244) >>>> >>>> at org.keycloak.services.resources.KeycloakApplication.(K >>>> eycloakApplication.java:78) >>>> >>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>> Method) >>>> >>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>>> ConstructorAccessorImpl.java:62) >>>> >>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>>> legatingConstructorAccessorImpl.java:45) >>>> >>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>>> >>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>> nstructorInjectorImpl.java:150) >>>> >>>> ... 
19 more >>>> >>>> >>>> >>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>> {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.de >>>> fault-server.default-host./auth" => "org.jboss.msc.service.StartException >>>> in service jboss.undertow.deployment.default-server.default-host./auth: >>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>> >>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>> construct public org.keycloak.services.resources.KeycloakApplication( >>>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>> >>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>> infinispan for realmCache"}} >>>> >>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool -- >>>> 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>> "keycloak-server.war") >>>> >>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) >>>> WFLYCTL0183: Service status report >>>> >>>> WFLYCTL0186: Services which failed to start: service >>>> jboss.undertow.deployment.default-server.default-host./auth: >>>> org.jboss.msc.service.StartException in service >>>> jboss.undertow.deployment.default-server.default-host./auth: >>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>> >>>> >>>> >>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>> WFLYSRV0060: Http management interface listening on >>>> http://127.0.0.1:9990/management >>>> >>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) >>>> 
WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>> >>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>> >>>> >>>> -- >>>> Thanks, >>>> Aman Jaiswal >>>> >>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/aff997cd/attachment-0001.html From aman.jaiswal at arvindinternet.com Thu Sep 15 06:14:50 2016 From: aman.jaiswal at arvindinternet.com (Aman Jaiswal) Date: Thu, 15 Sep 2016 15:44:50 +0530 Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache In-Reply-To: References: Message-ID: In this case if I am apply the relem cache as infinispan this it gives error on starting . On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen wrote: > If you read the "version specific section" you'll see changes that have > been made to keycloak-server.json that you need to make if you are copying > from an old version. Alternatively, you can stick with the new one and > manually apply any changes you've made (if any). > > On 15 September 2016 at 12:07, Aman Jaiswal com> wrote: > >> yes I am >> I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final >> and according to document it says that : >> "You should copy standalone/configuration/keycloak-server.json from the >> old version to make sure any configuration changes you?ve done are added to >> the new installation. The version specific section below will list any >> changes done to this file that you have to do when upgrading from one >> version to another." >> That's why I am changed this file . 
6 more >>>>> >>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>> infinispan for realmCache >>>>> >>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs >>>>> (DefaultKeycloakSessionFactory.java:96) >>>>> >>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.init(Def >>>>> aultKeycloakSessionFactory.java:75) >>>>> >>>>> at org.keycloak.services.resources.KeycloakApplication.createSe >>>>> ssionFactory(KeycloakApplication.java:244) >>>>> >>>>> at org.keycloak.services.resources.KeycloakApplication.(K >>>>> eycloakApplication.java:78) >>>>> >>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>> Method) >>>>> >>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>>>> ConstructorAccessorImpl.java:62) >>>>> >>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>>>> legatingConstructorAccessorImpl.java:45) >>>>> >>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>>>> >>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>>> nstructorInjectorImpl.java:150) >>>>> >>>>> ... 
19 more >>>>> >>>>> >>>>> >>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>>> {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.de >>>>> fault-server.default-host./auth" => "org.jboss.msc.service.StartException >>>>> in service jboss.undertow.deployment.default-server.default-host./auth: >>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>> >>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>>> construct public org.keycloak.services.resources.KeycloakApplication( >>>>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>> >>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>> infinispan for realmCache"}} >>>>> >>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool -- >>>>> 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>>> "keycloak-server.war") >>>>> >>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) >>>>> WFLYCTL0183: Service status report >>>>> >>>>> WFLYCTL0186: Services which failed to start: service >>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>> org.jboss.msc.service.StartException in service >>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>> >>>>> >>>>> >>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>>> WFLYSRV0060: Http management interface listening on >>>>> http://127.0.0.1:9990/management >>>>> >>>>> 16:17:09,751 INFO 
[org.jboss.as] (Controller Boot Thread) >>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>>> >>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Aman Jaiswal >>>>> >>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Aman Jaiswal >>>> >>> >>> >> >> >> -- >> Thanks, >> Aman Jaiswal >> > > -- Thanks, Aman Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/de0bfed4/attachment-0001.html From aman.jaiswal at arvindinternet.com Thu Sep 15 06:35:13 2016 From: aman.jaiswal at arvindinternet.com (Aman Jaiswal) Date: Thu, 15 Sep 2016 16:05:13 +0530 Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache In-Reply-To: References: Message-ID: is there is any way to add provider for infinispan ? On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal < aman.jaiswal at arvindinternet.com> wrote: > In this case if I am apply the relem cache as infinispan this it gives > error on starting . > > On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen > wrote: > >> If you read the "version specific section" you'll see changes that have >> been made to keycloak-server.json that you need to make if you are copying >> from an old version. Alternatively, you can stick with the new one and >> manually apply any changes you've made (if any). 
>>
>> On 15 September 2016 at 12:07, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>
>>> Yes, I am.
>>> I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final, and according to the document it says that:
>>> "You should copy standalone/configuration/keycloak-server.json from the old version to make sure any configuration changes you've done are added to the new installation. The version specific section below will list any changes done to this file that you have to do when upgrading from one version to another."
>>> That's why I changed this file.
>>>
>>> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen wrote:
>>>
>>>> Looks like you're probably upgrading from an old version and your keycloak-server.json file needs updating. Please look at the migration docs for full details or compare with the keycloak-server.json included. At least 'realmCache' and 'userCache' are wrong. Should just be 'default'.
>>>>
>>>> On 15 September 2016 at 11:56, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> According to the error I think I have to add the infinispan jar file to the providers folder, but I don't know whether I am right or not, and there are many jar files regarding this.
>>>>> My keycloak-server.json file is given below:
>>>>>
>>>>> {
>>>>>     "providers": [
>>>>>         "classpath:${jboss.server.config.dir}/providers/*"
>>>>>     ],
>>>>>
>>>>>     "admin": {
>>>>>         "realm": "master"
>>>>>     },
>>>>>
>>>>>     "eventsStore": {
>>>>>         "provider": "jpa",
>>>>>         "jpa": {
>>>>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>>>>         }
>>>>>     },
>>>>>
>>>>>     "realm": {
>>>>>         "provider": "jpa"
>>>>>     },
>>>>>
>>>>>     "user": {
>>>>>         "provider": "jpa"
>>>>>     },
>>>>>
>>>>>     "realmCache": {
>>>>>         "provider": "infinispan"
>>>>>     },
>>>>>
>>>>>     "userCache": {
>>>>>         "provider": "infinispan"
>>>>>     },
>>>>>
>>>>>     "userSessions": {
>>>>>         "provider": "infinispan"
>>>>>     },
>>>>>
>>>>>     "timer": {
>>>>>         "provider": "basic"
>>>>>     },
>>>>>
>>>>>     "theme": {
>>>>>         "default": "keycloak",
>>>>>         "staticMaxAge": 2592000,
>>>>>         "cacheTemplates": true,
>>>>>         "cacheThemes": true,
>>>>>         "folder": {
>>>>>             "dir": "${jboss.server.config.dir}/themes"
>>>>>         }
>>>>>     },
>>>>>
>>>>>     "scheduled": {
>>>>>         "interval": 900
>>>>>     },
>>>>>
>>>>>     "connectionsHttpClient": {
>>>>>         "default": {
>>>>>             "disable-trust-manager": true
>>>>>         }
>>>>>     },
>>>>>
>>>>>     "connectionsJpa": {
>>>>>         "default": {
>>>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>>>             "databaseSchema": "update"
>>>>>         }
>>>>>     },
>>>>>
>>>>>     "connectionsInfinispan": {
>>>>>         "default" : {
>>>>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>
>>>>>> Hi, I am getting the following error when trying to integrate infinispan with keycloak:
>>>>>>
>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ -Djgroups.s3.secret_access_key=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
-Djgroups.management.address=$ipkeycloakdevadmin >>>>>> >>>>>> ============================================================ >>>>>> ============= >>>>>> >>>>>> >>>>>> >>>>>> JBoss Bootstrap Environment >>>>>> >>>>>> >>>>>> >>>>>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>>>>> >>>>>> >>>>>> >>>>>> JAVA: java >>>>>> >>>>>> >>>>>> >>>>>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>>>>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>>>>> -Djboss.modules.system.pkgs=org.jboss.byteman >>>>>> -Djava.awt.headless=true >>>>>> >>>>>> >>>>>> >>>>>> ============================================================ >>>>>> ============= >>>>>> >>>>>> >>>>>> >>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules version >>>>>> 1.5.1.Final >>>>>> >>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version >>>>>> 1.2.6.Final >>>>>> >>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) >>>>>> WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>>>>> >>>>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated] >>>>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in >>>>>> the resource at address '/subsystem=jgroups' is deprecated, and may be >>>>>> removed in future version. See the attribute description in the output of >>>>>> the read-resource-description operation to learn more about the deprecation. 
>>>>>> >>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot Thread) >>>>>> WFLYSRV0039: Creating http management service using socket-binding >>>>>> (management-http) >>>>>> >>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO version >>>>>> 3.3.4.Final >>>>>> >>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO >>>>>> Implementation Version 3.3.4.Final >>>>>> >>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) >>>>>> JBoss Remoting version 4.0.18.Final >>>>>> >>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>> (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant >>>>>> driver class org.h2.Driver (version 1.3) >>>>>> >>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan >>>>>> subsystem. >>>>>> >>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService Thread >>>>>> Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core >>>>>> threads with 32 task threads based on your 2 available processors >>>>>> >>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>> (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant >>>>>> driver class com.mysql.jdbc.Driver (version 5.1) >>>>>> >>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] (ServerService >>>>>> Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. 
>>>>>> >>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- >>>>>> 46) WFLYJSF0007: Activated the following JSF Implementations: [main] >>>>>> >>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread 1-3) >>>>>> WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final) >>>>>> >>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>>>> mysql >>>>>> >>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>>>> h2 >>>>>> >>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread Pool >>>>>> -- 49) WFLYNAM0001: Activating Naming Subsystem >>>>>> >>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread Pool >>>>>> -- 56) WFLYSEC0002: Activating Security Subsystem >>>>>> >>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService Thread >>>>>> Pool -- 59) WFLYWS0002: Activating WebServices Extension >>>>>> >>>>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread 1-3) >>>>>> WFLYSEC0001: Current PicketBox version=4.9.4.Final >>>>>> >>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] (ServerService >>>>>> Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>> >>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC service >>>>>> thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>> >>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread 1-4) >>>>>> WFLYNAM0003: Starting Naming Service >>>>>> >>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service thread >>>>>> 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] >>>>>> >>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] (ServerService >>>>>> Thread Pool -- 58) WFLYUT0014: Creating file handler for path >>>>>> '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' 
with >>>>>> options [directory-listing: 'false', follow-symlink: 'false', >>>>>> case-sensitive: 'true', safe-symlink-paths: '[]'] >>>>>> >>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC service >>>>>> thread 1-1) WFLYUT0012: Started server default-server. >>>>>> >>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC service >>>>>> thread 1-4) WFLYUT0018: Host default-host starting >>>>>> >>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC service >>>>>> thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on >>>>>> 10.1.3.93:8080 >>>>>> >>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC service >>>>>> thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on >>>>>> 10.1.3.93:8009 >>>>>> >>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread Pool >>>>>> -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final >>>>>> >>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread Pool >>>>>> -- 62) MODCLUSTER000032: Listening to proxy advertisements on / >>>>>> 224.0.1.105:23364 >>>>>> >>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>> (MSC service thread 1-2) WFLYJCA0001: Bound data source >>>>>> [java:jboss/datasources/KeycloakDS] >>>>>> >>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC service >>>>>> thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" >>>>>> (runtime-name: "keycloak-server.war") >>>>>> >>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC service >>>>>> thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4) >>>>>> >>>>>> 16:17:08,079 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000078: >>>>>> Starting JGroups channel keycloak >>>>>> >>>>>> 16:17:08,080 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: >>>>>> Starting JGroups channel server >>>>>> 
>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: >>>>>> Starting JGroups channel hibernate >>>>>> >>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: >>>>>> Starting JGroups channel web >>>>>> >>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: >>>>>> Received new cluster view for channel keycloak: [ip-10-1-3-93|0] (1) >>>>>> [ip-10-1-3-93] >>>>>> >>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: >>>>>> Received new cluster view for channel server: [ip-10-1-3-93|0] (1) >>>>>> [ip-10-1-3-93] >>>>>> >>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: >>>>>> Received new cluster view for channel hibernate: [ip-10-1-3-93|0] (1) >>>>>> [ip-10-1-3-93] >>>>>> >>>>>> 16:17:08,098 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: >>>>>> Received new cluster view for channel web: [ip-10-1-3-93|0] (1) >>>>>> [ip-10-1-3-93] >>>>>> >>>>>> 16:17:08,101 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: >>>>>> Channel hibernate local address is ip-10-1-3-93, physical addresses are [ >>>>>> 10.1.3.93:55200] >>>>>> >>>>>> 16:17:08,102 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: >>>>>> Channel server local address is ip-10-1-3-93, physical addresses are [ >>>>>> 10.1.3.93:55200] >>>>>> >>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] >>>>>> (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' >>>>>> 8.1.0.Final >>>>>> >>>>>> 16:17:08,108 INFO 
[org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: >>>>>> Channel web local address is ip-10-1-3-93, physical addresses are [ >>>>>> 10.1.3.93:55200] >>>>>> >>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: >>>>>> Channel keycloak local address is ip-10-1-3-93, physical addresses are [ >>>>>> 10.1.3.93:55200] >>>>>> >>>>>> 16:17:08,147 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: >>>>>> Starting JGroups channel ejb >>>>>> >>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: >>>>>> Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) >>>>>> [ip-10-1-3-93] >>>>>> >>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: >>>>>> Channel ejb local address is ip-10-1-3-93, physical addresses are [ >>>>>> 10.1.3.93:55200] >>>>>> >>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from >>>>>> keycloak container >>>>>> >>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from >>>>>> keycloak container >>>>>> >>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions >>>>>> cache from keycloak container >>>>>> >>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures >>>>>> cache from keycloak container >>>>>> >>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache >>>>>> from keycloak container >>>>>> 
>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] >>>>>> (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from >>>>>> keycloak container >>>>>> >>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread Pool >>>>>> -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak >>>>>> -2.1.0.Final/standalone/configuration/keycloak-server.json >>>>>> >>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread >>>>>> Pool -- 66) MSC000001: Failed to start service >>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>> org.jboss.msc.service.StartException in service >>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>> >>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>>>> Service$1.run(UndertowDeploymentService.java:85) >>>>>> >>>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor >>>>>> s.java:511) >>>>>> >>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>>> >>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>>>> Executor.java:1142) >>>>>> >>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>>>> lExecutor.java:617) >>>>>> >>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>> >>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>>> >>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>>>> construct public org.keycloak.services.resources.KeycloakApplication( >>>>>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>> >>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>>>> nstructorInjectorImpl.java:162) >>>>>> >>>>>> at 
org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide >>>>>> rInstance(ResteasyProviderFactory.java:2209) >>>>>> >>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( >>>>>> ResteasyDeployment.java:299) >>>>>> >>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl >>>>>> oyment.java:240) >>>>>> >>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>>>>> spatcher.init(ServletContainerDispatcher.java:113) >>>>>> >>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>>>> her.init(HttpServletDispatcher.java:36) >>>>>> >>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >>>>>> ed(LifecyleInterceptorInvocation.java:117) >>>>>> >>>>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc >>>>>> eptor.init(RunAsLifecycleInterceptor.java:78) >>>>>> >>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >>>>>> ed(LifecyleInterceptorInvocation.java:103) >>>>>> >>>>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat >>>>>> egy.start(ManagedServlet.java:231) >>>>>> >>>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage >>>>>> dServlet.java:132) >>>>>> >>>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym >>>>>> entManagerImpl.java:526) >>>>>> >>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>>>> Service.startContext(UndertowDeploymentService.java:101) >>>>>> >>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>>>> Service$1.run(UndertowDeploymentService.java:82) >>>>>> >>>>>> ... 
6 more >>>>>> >>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>> infinispan for realmCache >>>>>> >>>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs >>>>>> (DefaultKeycloakSessionFactory.java:96) >>>>>> >>>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.init(Def >>>>>> aultKeycloakSessionFactory.java:75) >>>>>> >>>>>> at org.keycloak.services.resources.KeycloakApplication.createSe >>>>>> ssionFactory(KeycloakApplication.java:244) >>>>>> >>>>>> at org.keycloak.services.resources.KeycloakApplication.(K >>>>>> eycloakApplication.java:78) >>>>>> >>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>>> Method) >>>>>> >>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>>>>> ConstructorAccessorImpl.java:62) >>>>>> >>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>>>>> legatingConstructorAccessorImpl.java:45) >>>>>> >>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>>>>> >>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>>>> nstructorInjectorImpl.java:150) >>>>>> >>>>>> ... 
19 more >>>>>> >>>>>> >>>>>> >>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>>>> {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.de >>>>>> fault-server.default-host./auth" => "org.jboss.msc.service.StartException >>>>>> in service jboss.undertow.deployment.default-server.default-host./auth: >>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>> >>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>>>> construct public org.keycloak.services.resources.KeycloakApplication( >>>>>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>> >>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>> infinispan for realmCache"}} >>>>>> >>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool >>>>>> -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>>>> "keycloak-server.war") >>>>>> >>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) >>>>>> WFLYCTL0183: Service status report >>>>>> >>>>>> WFLYCTL0186: Services which failed to start: service >>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>> org.jboss.msc.service.StartException in service >>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>> >>>>>> >>>>>> >>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>>>> WFLYSRV0060: Http management interface listening on >>>>>> 
http://127.0.0.1:9990/management >>>>>> >>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) >>>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>>>> >>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Aman Jaiswal >>>>> >>>> >>>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -- Thanks, Aman Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/84e5ba13/attachment-0001.html From sthorger at redhat.com Thu Sep 15 06:38:07 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 15 Sep 2016 12:38:07 +0200 Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache In-Reply-To: References: Message-ID: I'm sorry I can't help unless you actually read my responses and do what I suggest you to do. On 15 September 2016 at 12:35, Aman Jaiswal wrote: > is there is any way to add provider for infinispan ? > > > On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal < > aman.jaiswal at arvindinternet.com> wrote: > >> In this case if I am apply the relem cache as infinispan this it gives >> error on starting . >> >> On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen >> wrote: >> >>> If you read the "version specific section" you'll see changes that have >>> been made to keycloak-server.json that you need to make if you are copying >>> from an old version. Alternatively, you can stick with the new one and >>> manually apply any changes you've made (if any). 
>>> >>> On 15 September 2016 at 12:07, Aman Jaiswal < >>> aman.jaiswal at arvindinternet.com> wrote: >>> >>>> yes I am >>>> I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final >>>> and according to document it says that : >>>> "You should copy standalone/configuration/keycloak-server.json from >>>> the old version to make sure any configuration changes you?ve done are >>>> added to the new installation. The version specific section below will list >>>> any changes done to this file that you have to do when upgrading from one >>>> version to another." >>>> That's why I am changed this file . >>>> >>>> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Looks like you're probably upgrading from an old version and you're >>>>> keycloak-server.json file needs updating. Please look at the migration docs >>>>> for full details or compare with the keycloak-server.json included. At >>>>> least 'realmCache' and 'userCache' is wrong. Should just be 'default'. >>>>> >>>>> On 15 September 2016 at 11:56, Aman Jaiswal < >>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>> >>>>>> Hi >>>>>> >>>>>> According to the error I think I have to add infinispan jar file in >>>>>> providers folder but I don't know that I am right or not, and there are >>>>>> many jar file regarding this . 
>>>>>> My keycloak-server.json file is given below:
>>>>>>
>>>>>> {
>>>>>>     "providers": [
>>>>>>         "classpath:${jboss.server.config.dir}/providers/*"
>>>>>>     ],
>>>>>>
>>>>>>     "admin": {
>>>>>>         "realm": "master"
>>>>>>     },
>>>>>>
>>>>>>     "eventsStore": {
>>>>>>         "provider": "jpa",
>>>>>>         "jpa": {
>>>>>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>>>>>         }
>>>>>>     },
>>>>>>
>>>>>>     "realm": {
>>>>>>         "provider": "jpa"
>>>>>>     },
>>>>>>
>>>>>>     "user": {
>>>>>>         "provider": "jpa"
>>>>>>     },
>>>>>>
>>>>>>     "realmCache": {
>>>>>>         "provider": "infinispan"
>>>>>>     },
>>>>>>
>>>>>>     "userCache": {
>>>>>>         "provider": "infinispan"
>>>>>>     },
>>>>>>
>>>>>>     "userSessions": {
>>>>>>         "provider": "infinispan"
>>>>>>     },
>>>>>>
>>>>>>     "timer": {
>>>>>>         "provider": "basic"
>>>>>>     },
>>>>>>
>>>>>>     "theme": {
>>>>>>         "default": "keycloak",
>>>>>>         "staticMaxAge": 2592000,
>>>>>>         "cacheTemplates": true,
>>>>>>         "cacheThemes": true,
>>>>>>         "folder": {
>>>>>>             "dir": "${jboss.server.config.dir}/themes"
>>>>>>         }
>>>>>>     },
>>>>>>
>>>>>>     "scheduled": {
>>>>>>         "interval": 900
>>>>>>     },
>>>>>>
>>>>>>     "connectionsHttpClient": {
>>>>>>         "default": {
>>>>>>             "disable-trust-manager": true
>>>>>>         }
>>>>>>     },
>>>>>>
>>>>>>     "connectionsJpa": {
>>>>>>         "default": {
>>>>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>>>>             "databaseSchema": "update"
>>>>>>         }
>>>>>>     },
>>>>>>
>>>>>>     "connectionsInfinispan": {
>>>>>>         "default" : {
>>>>>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <
>>>>>> aman.jaiswal at arvindinternet.com> wrote:
>>>>>>
>>>>>>> Hi I am getting following error when trying to integrate infinispan
>>>>>>> with keycloak
>>>>>>>
>>>>>>>
>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh
>>>>>>> --server-config=standalone-ha.xml -b=$ip
>>>>>>> -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3
>>>>>>> -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ
>>>>>>>
-Djgroups.s3.secret_access_key=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 >>>>>>> -Djgroups.management.address=$ipkeycloakdevadmin >>>>>>> >>>>>>> ============================================================ >>>>>>> ============= >>>>>>> >>>>>>> >>>>>>> >>>>>>> JBoss Bootstrap Environment >>>>>>> >>>>>>> >>>>>>> >>>>>>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>>>>>> >>>>>>> >>>>>>> >>>>>>> JAVA: java >>>>>>> >>>>>>> >>>>>>> >>>>>>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>>>>>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>>>>>> -Djboss.modules.system.pkgs=org.jboss.byteman >>>>>>> -Djava.awt.headless=true >>>>>>> >>>>>>> >>>>>>> >>>>>>> ============================================================ >>>>>>> ============= >>>>>>> >>>>>>> >>>>>>> >>>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules version >>>>>>> 1.5.1.Final >>>>>>> >>>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version >>>>>>> 1.2.6.Final >>>>>>> >>>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) >>>>>>> WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>>>>>> >>>>>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated] >>>>>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in >>>>>>> the resource at address '/subsystem=jgroups' is deprecated, and may be >>>>>>> removed in future version. See the attribute description in the output of >>>>>>> the read-resource-description operation to learn more about the deprecation. 
>>>>>>> >>>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot Thread) >>>>>>> WFLYSRV0039: Creating http management service using socket-binding >>>>>>> (management-http) >>>>>>> >>>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO version >>>>>>> 3.3.4.Final >>>>>>> >>>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO >>>>>>> Implementation Version 3.3.4.Final >>>>>>> >>>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) >>>>>>> JBoss Remoting version 4.0.18.Final >>>>>>> >>>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant >>>>>>> driver class org.h2.Driver (version 1.3) >>>>>>> >>>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan >>>>>>> subsystem. >>>>>>> >>>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService Thread >>>>>>> Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core >>>>>>> threads with 32 task threads based on your 2 available processors >>>>>>> >>>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant >>>>>>> driver class com.mysql.jdbc.Driver (version 5.1) >>>>>>> >>>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] (ServerService >>>>>>> Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. 
>>>>>>> >>>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- >>>>>>> 46) WFLYJSF0007: Activated the following JSF Implementations: [main] >>>>>>> >>>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread 1-3) >>>>>>> WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final) >>>>>>> >>>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>>>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>>>>> mysql >>>>>>> >>>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>>>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>>>>> h2 >>>>>>> >>>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread Pool >>>>>>> -- 49) WFLYNAM0001: Activating Naming Subsystem >>>>>>> >>>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread >>>>>>> Pool -- 56) WFLYSEC0002: Activating Security Subsystem >>>>>>> >>>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService Thread >>>>>>> Pool -- 59) WFLYWS0002: Activating WebServices Extension >>>>>>> >>>>>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread 1-3) >>>>>>> WFLYSEC0001: Current PicketBox version=4.9.4.Final >>>>>>> >>>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] (ServerService >>>>>>> Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>>> >>>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC service >>>>>>> thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>>> >>>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread 1-4) >>>>>>> WFLYNAM0003: Starting Naming Service >>>>>>> >>>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service thread >>>>>>> 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] >>>>>>> >>>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] (ServerService >>>>>>> Thread Pool -- 58) WFLYUT0014: Creating file handler for path >>>>>>> 
'/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' with >>>>>>> options [directory-listing: 'false', follow-symlink: 'false', >>>>>>> case-sensitive: 'true', safe-symlink-paths: '[]'] >>>>>>> >>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC service >>>>>>> thread 1-1) WFLYUT0012: Started server default-server. >>>>>>> >>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC service >>>>>>> thread 1-4) WFLYUT0018: Host default-host starting >>>>>>> >>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC service >>>>>>> thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on >>>>>>> 10.1.3.93:8080 >>>>>>> >>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC service >>>>>>> thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on >>>>>>> 10.1.3.93:8009 >>>>>>> >>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread Pool >>>>>>> -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final >>>>>>> >>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread Pool >>>>>>> -- 62) MODCLUSTER000032: Listening to proxy advertisements on / >>>>>>> 224.0.1.105:23364 >>>>>>> >>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>> (MSC service thread 1-2) WFLYJCA0001: Bound data source >>>>>>> [java:jboss/datasources/KeycloakDS] >>>>>>> >>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC service >>>>>>> thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" >>>>>>> (runtime-name: "keycloak-server.war") >>>>>>> >>>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC service >>>>>>> thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4) >>>>>>> >>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>> ISPN000078: Starting JGroups channel keycloak >>>>>>> >>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.tran >>>>>>> 
sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>> ISPN000078: Starting JGroups channel server >>>>>>> >>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>> ISPN000078: Starting JGroups channel hibernate >>>>>>> >>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>> ISPN000078: Starting JGroups channel web >>>>>>> >>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>> ISPN000094: Received new cluster view for channel keycloak: >>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>> >>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>> ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] >>>>>>> (1) [ip-10-1-3-93] >>>>>>> >>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>> ISPN000094: Received new cluster view for channel hibernate: >>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>> >>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>> ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) >>>>>>> [ip-10-1-3-93] >>>>>>> >>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>> ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical >>>>>>> addresses are [10.1.3.93:55200] >>>>>>> >>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>> ISPN000079: Channel server local address is ip-10-1-3-93, physical >>>>>>> addresses are [10.1.3.93:55200] >>>>>>> >>>>>>> 16:17:08,105 INFO 
[org.infinispan.factories.GlobalComponentRegistry] >>>>>>> (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' >>>>>>> 8.1.0.Final >>>>>>> >>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>> ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses >>>>>>> are [10.1.3.93:55200] >>>>>>> >>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>> ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical >>>>>>> addresses are [10.1.3.93:55200] >>>>>>> >>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>> ISPN000078: Starting JGroups channel ejb >>>>>>> >>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>> ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) >>>>>>> [ip-10-1-3-93] >>>>>>> >>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>> ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses >>>>>>> are [10.1.3.93:55200] >>>>>>> >>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from >>>>>>> keycloak container >>>>>>> >>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from >>>>>>> keycloak container >>>>>>> >>>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions >>>>>>> cache from keycloak container >>>>>>> >>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures 
>>>>>>> cache from keycloak container >>>>>>> >>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache >>>>>>> from keycloak container >>>>>>> >>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] >>>>>>> (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from >>>>>>> keycloak container >>>>>>> >>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread >>>>>>> Pool -- 66) KC-SERVICES0001: Loading config from >>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/config >>>>>>> uration/keycloak-server.json >>>>>>> >>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService >>>>>>> Thread Pool -- 66) MSC000001: Failed to start service >>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>> org.jboss.msc.service.StartException in service >>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>> >>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>>>>> Service$1.run(UndertowDeploymentService.java:85) >>>>>>> >>>>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor >>>>>>> s.java:511) >>>>>>> >>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>>>> >>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>>>>> Executor.java:1142) >>>>>>> >>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>>>>> lExecutor.java:617) >>>>>>> >>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>> >>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>>>> >>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>>>>> construct public org.keycloak.services.resource >>>>>>> 
s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>> .resteasy.core.Dispatcher) >>>>>>> >>>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>>>>> nstructorInjectorImpl.java:162) >>>>>>> >>>>>>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide >>>>>>> rInstance(ResteasyProviderFactory.java:2209) >>>>>>> >>>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( >>>>>>> ResteasyDeployment.java:299) >>>>>>> >>>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl >>>>>>> oyment.java:240) >>>>>>> >>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>>>>>> spatcher.init(ServletContainerDispatcher.java:113) >>>>>>> >>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>>>>> her.init(HttpServletDispatcher.java:36) >>>>>>> >>>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >>>>>>> ed(LifecyleInterceptorInvocation.java:117) >>>>>>> >>>>>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc >>>>>>> eptor.init(RunAsLifecycleInterceptor.java:78) >>>>>>> >>>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce >>>>>>> ed(LifecyleInterceptorInvocation.java:103) >>>>>>> >>>>>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat >>>>>>> egy.start(ManagedServlet.java:231) >>>>>>> >>>>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage >>>>>>> dServlet.java:132) >>>>>>> >>>>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym >>>>>>> entManagerImpl.java:526) >>>>>>> >>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>>>>> Service.startContext(UndertowDeploymentService.java:101) >>>>>>> >>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeployment >>>>>>> Service$1.run(UndertowDeploymentService.java:82) >>>>>>> >>>>>>> ... 
6 more >>>>>>> >>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>>> infinispan for realmCache >>>>>>> >>>>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs >>>>>>> (DefaultKeycloakSessionFactory.java:96) >>>>>>> >>>>>>> at org.keycloak.services.DefaultKeycloakSessionFactory.init(Def >>>>>>> aultKeycloakSessionFactory.java:75) >>>>>>> >>>>>>> at org.keycloak.services.resources.KeycloakApplication.createSe >>>>>>> ssionFactory(KeycloakApplication.java:244) >>>>>>> >>>>>>> at org.keycloak.services.resources.KeycloakApplication.(K >>>>>>> eycloakApplication.java:78) >>>>>>> >>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>>>> Method) >>>>>>> >>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>>>>>> ConstructorAccessorImpl.java:62) >>>>>>> >>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>>>>>> legatingConstructorAccessorImpl.java:45) >>>>>>> >>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>>>>>> >>>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co >>>>>>> nstructorInjectorImpl.java:150) >>>>>>> >>>>>>> ... 
19 more >>>>>>> >>>>>>> >>>>>>> >>>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>>>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>>>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>>>>> {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.de >>>>>>> fault-server.default-host./auth" => "org.jboss.msc.service.StartException >>>>>>> in service jboss.undertow.deployment.default-server.default-host./auth: >>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>> >>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>>>>> construct public org.keycloak.services.resource >>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>> .resteasy.core.Dispatcher) >>>>>>> >>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>>> infinispan for realmCache"}} >>>>>>> >>>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool >>>>>>> -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>>>>> "keycloak-server.war") >>>>>>> >>>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot >>>>>>> Thread) WFLYCTL0183: Service status report >>>>>>> >>>>>>> WFLYCTL0186: Services which failed to start: service >>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>> org.jboss.msc.service.StartException in service >>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>> >>>>>>> >>>>>>> >>>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>> WFLYSRV0060: Http management interface 
listening on
>>>>>>> http://127.0.0.1:9990/management
>>>>>>>
>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread)
>>>>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
>>>>>>>
>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread)
>>>>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with
>>>>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or
>>>>>>> missing dependencies, 588 services are lazy, passive or on-demand)
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thanks,
>>>>>>> Aman Jaiswal
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Aman Jaiswal
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Aman Jaiswal
>>>>
>>>
>>>
>>
>>
>> --
>> Thanks,
>> Aman Jaiswal
>>
>
>
>
> --
> Thanks,
> Aman Jaiswal
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/f8f9058b/attachment-0001.html

From aman.jaiswal at arvindinternet.com Thu Sep 15 06:41:23 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Thu, 15 Sep 2016 16:11:23 +0530
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache

I already did that thing. First I just copied the old keycloak-server.json
file; after that I took the new one and made the changes one by one as you
suggested to me earlier.

On Thu, Sep 15, 2016 at 4:08 PM, Stian Thorgersen wrote:

> I'm sorry I can't help unless you actually read my responses and do what I
> suggest you to do.
>
> On 15 September 2016 at 12:35, Aman Jaiswal com> wrote:
>
>> is there any way to add provider for infinispan ?
>>
>>
>> On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal <
>> aman.jaiswal at arvindinternet.com> wrote:
>>
>>> In this case if I apply the realm cache as infinispan it gives
>>> error on starting .
>>>
>>> On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen
>>> wrote:
>>>
>>>> If you read the "version specific section" you'll see changes that have
>>>> been made to keycloak-server.json that you need to make if you are copying
>>>> from an old version. Alternatively, you can stick with the new one and
>>>> manually apply any changes you've made (if any).
>>>>
>>>> On 15 September 2016 at 12:07, Aman Jaiswal <
>>>> aman.jaiswal at arvindinternet.com> wrote:
>>>>
>>>>> yes I am
>>>>> I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final
>>>>> and according to document it says that :
>>>>> "You should copy standalone/configuration/keycloak-server.json from
>>>>> the old version to make sure any configuration changes you've done are
>>>>> added to the new installation. The version specific section below will list
>>>>> any changes done to this file that you have to do when upgrading from one
>>>>> version to another."
>>>>> That's why I changed this file .
>>>>>
>>>>> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen
>>>>> wrote:
>>>>>
>>>>>> Looks like you're probably upgrading from an old version and your
>>>>>> keycloak-server.json file needs updating. Please look at the migration docs
>>>>>> for full details or compare with the keycloak-server.json included. At
>>>>>> least 'realmCache' and 'userCache' are wrong. Should just be 'default'.
>>>>>>
>>>>>> On 15 September 2016 at 11:56, Aman Jaiswal <
>>>>>> aman.jaiswal at arvindinternet.com> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> According to the error I think I have to add infinispan jar file in
>>>>>>> providers folder but I don't know that I am right or not, and there are
>>>>>>> many jar file regarding this .
>>>>>>> My keycloak-server.json file is given below:
>>>>>>>
>>>>>>> {
>>>>>>>     "providers": [
>>>>>>>         "classpath:${jboss.server.config.dir}/providers/*"
>>>>>>>     ],
>>>>>>>
>>>>>>>     "admin": {
>>>>>>>         "realm": "master"
>>>>>>>     },
>>>>>>>
>>>>>>>     "eventsStore": {
>>>>>>>         "provider": "jpa",
>>>>>>>         "jpa": {
>>>>>>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>>>>>>         }
>>>>>>>     },
>>>>>>>
>>>>>>>     "realm": {
>>>>>>>         "provider": "jpa"
>>>>>>>     },
>>>>>>>
>>>>>>>     "user": {
>>>>>>>         "provider": "jpa"
>>>>>>>     },
>>>>>>>
>>>>>>>     "realmCache": {
>>>>>>>         "provider": "infinispan"
>>>>>>>     },
>>>>>>>
>>>>>>>     "userCache": {
>>>>>>>         "provider": "infinispan"
>>>>>>>     },
>>>>>>>
>>>>>>>     "userSessions": {
>>>>>>>         "provider": "infinispan"
>>>>>>>     },
>>>>>>>
>>>>>>>     "timer": {
>>>>>>>         "provider": "basic"
>>>>>>>     },
>>>>>>>
>>>>>>>     "theme": {
>>>>>>>         "default": "keycloak",
>>>>>>>         "staticMaxAge": 2592000,
>>>>>>>         "cacheTemplates": true,
>>>>>>>         "cacheThemes": true,
>>>>>>>         "folder": {
>>>>>>>             "dir": "${jboss.server.config.dir}/themes"
>>>>>>>         }
>>>>>>>     },
>>>>>>>
>>>>>>>     "scheduled": {
>>>>>>>         "interval": 900
>>>>>>>     },
>>>>>>>
>>>>>>>     "connectionsHttpClient": {
>>>>>>>         "default": {
>>>>>>>             "disable-trust-manager": true
>>>>>>>         }
>>>>>>>     },
>>>>>>>
>>>>>>>     "connectionsJpa": {
>>>>>>>         "default": {
>>>>>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>>>>>             "databaseSchema": "update"
>>>>>>>         }
>>>>>>>     },
>>>>>>>
>>>>>>>     "connectionsInfinispan": {
>>>>>>>         "default" : {
>>>>>>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>>>>>>         }
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <
>>>>>>> aman.jaiswal at arvindinternet.com> wrote:
>>>>>>>
>>>>>>>> Hi I am getting following error when trying to integrate infinispan
>>>>>>>> with keycloak
>>>>>>>>
>>>>>>>>
>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh
>>>>>>>> --server-config=standalone-ha.xml -b=$ip
>>>>>>>> -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3
>>>>>>>>
-Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ >>>>>>>> -Djgroups.s3.secret_access_key=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 >>>>>>>> -Djgroups.management.address=$ipkeycloakdevadmin >>>>>>>> >>>>>>>> ============================================================ >>>>>>>> ============= >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> JBoss Bootstrap Environment >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> JAVA: java >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>>>>>>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>>>>>>> -Djboss.modules.system.pkgs=org.jboss.byteman >>>>>>>> -Djava.awt.headless=true >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ============================================================ >>>>>>>> ============= >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules version >>>>>>>> 1.5.1.Final >>>>>>>> >>>>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version >>>>>>>> 1.2.6.Final >>>>>>>> >>>>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) >>>>>>>> WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>>>>>>> >>>>>>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated] >>>>>>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in >>>>>>>> the resource at address '/subsystem=jgroups' is deprecated, and may be >>>>>>>> removed in future version. See the attribute description in the output of >>>>>>>> the read-resource-description operation to learn more about the deprecation. 
>>>>>>>> >>>>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot Thread) >>>>>>>> WFLYSRV0039: Creating http management service using socket-binding >>>>>>>> (management-http) >>>>>>>> >>>>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO version >>>>>>>> 3.3.4.Final >>>>>>>> >>>>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO >>>>>>>> Implementation Version 3.3.4.Final >>>>>>>> >>>>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) >>>>>>>> JBoss Remoting version 4.0.18.Final >>>>>>>> >>>>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant >>>>>>>> driver class org.h2.Driver (version 1.3) >>>>>>>> >>>>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] >>>>>>>> (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan >>>>>>>> subsystem. >>>>>>>> >>>>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService >>>>>>>> Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 >>>>>>>> core threads with 32 task threads based on your 2 available processors >>>>>>>> >>>>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant >>>>>>>> driver class com.mysql.jdbc.Driver (version 5.1) >>>>>>>> >>>>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] >>>>>>>> (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups >>>>>>>> subsystem. 
>>>>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
>>>>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread 1-3) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
>>>>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = mysql
>>>>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = h2
>>>>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
>>>>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
>>>>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
>>>>>>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final
>>>>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting
>>>>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting
>>>>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread 1-4) WFLYNAM0003: Starting Naming Service
>>>>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
>>>>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
>>>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.
>>>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
>>>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 10.1.3.93:8080
>>>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on 10.1.3.93:8009
>>>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
>>>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
>>>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
>>>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
>>>>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4)
>>>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000078: Starting JGroups channel keycloak
>>>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel server
>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel hibernate
>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel ejb
>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from keycloak container
>>>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak container
>>>>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
>>>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures cache from keycloak container
>>>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache from keycloak container
>>>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from keycloak container
>>>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread Pool -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/configuration/keycloak-server.json
>>>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 66) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>>>>>>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>>>>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>>>>>>>>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>>>>>>>>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>>>>>>>>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>>>>>>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>>>>>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>>>>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>>>>>>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>>>>>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>>>>>>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>>>>>>>>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>>>>>>>>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>>>>>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>>>>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>>>>>>>     ... 6 more
>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache
>>>>>>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory.java:96)
>>>>>>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:75)
>>>>>>>>     at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:244)
>>>>>>>>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:78)
>>>>>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>>>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>>>>>>>>     ... 19 more
>>>>>>>>
>>>>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>     Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache"}}
>>>>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>>>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
>>>>>>>> WFLYCTL0186: Services which failed to start:      service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>
>>>>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
>>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
>>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with errors) in 10846ms - Started 475 of 853 services (2 services failed or missing dependencies, 588 services are lazy, passive or on-demand)
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>> Aman Jaiswal
>>>>>>>
>>>>>>> --
>>>>>>> Thanks,
>>>>>>> Aman Jaiswal
>>>>>
>>>>> --
>>>>> Thanks,
>>>>> Aman Jaiswal
>>>
>>> --
>>> Thanks,
>>> Aman Jaiswal
>>
>> --
>> Thanks,
>> Aman Jaiswal
>

--
Thanks,
Aman Jaiswal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/c73a195d/attachment-0001.html

From sthorger at redhat.com Thu Sep 15 06:46:03 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Sep 2016 12:46:03 +0200
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache
In-Reply-To:
References:
Message-ID:

Read: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/MigrationFromOlderVersions.html

Hint: Search for "Realm and User cache providers"

On 15 September 2016 at 12:41, Aman Jaiswal wrote:

> I already did that thing.
> First I just copied the old keycloak-server.json file; after that I took the new one and made the changes one by one as you suggested to me earlier.
>
> On Thu, Sep 15, 2016 at 4:08 PM, Stian Thorgersen wrote:
>
>> I'm sorry I can't help unless you actually read my responses and do what I suggest you to do.
>>
>> On 15 September 2016 at 12:35, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>
>>> Is there any way to add a provider for infinispan?
>>>
>>> On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>
>>>> In this case, if I apply the realm cache as infinispan, it gives an error on starting.
>>>>
>>>> On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen wrote:
>>>>
>>>>> If you read the "version specific section" you'll see changes that have been made to keycloak-server.json that you need to make if you are copying from an old version. Alternatively, you can stick with the new one and manually apply any changes you've made (if any).
>>>>>
>>>>> On 15 September 2016 at 12:07, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>
>>>>>> Yes I am.
>>>>>> I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final, and according to the document it says that:
>>>>>> "You should copy standalone/configuration/keycloak-server.json from the old version to make sure any configuration changes you've done are added to the new installation. The version specific section below will list any changes done to this file that you have to do when upgrading from one version to another."
>>>>>> That's why I changed this file.
>>>>>>
>>>>>> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>
>>>>>>> Looks like you're probably upgrading from an old version and your keycloak-server.json file needs updating. Please look at the migration docs for full details or compare with the keycloak-server.json included. At least 'realmCache' and 'userCache' are wrong. Should just be 'default'.
>>>>>>>
>>>>>>> On 15 September 2016 at 11:56, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> According to the error I think I have to add the infinispan jar file in the providers folder, but I don't know whether I am right or not, and there are many jar files regarding this.
>>>>>>>> My keycloak-server.json file is given below:
>>>>>>>>
>>>>>>>> {
>>>>>>>>     "providers": [
>>>>>>>>         "classpath:${jboss.server.config.dir}/providers/*"
>>>>>>>>     ],
>>>>>>>>
>>>>>>>>     "admin": {
>>>>>>>>         "realm": "master"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "eventsStore": {
>>>>>>>>         "provider": "jpa",
>>>>>>>>         "jpa": {
>>>>>>>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>>>>>>>         }
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "realm": {
>>>>>>>>         "provider": "jpa"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "user": {
>>>>>>>>         "provider": "jpa"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "realmCache": {
>>>>>>>>         "provider": "infinispan"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "userCache": {
>>>>>>>>         "provider": "infinispan"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "userSessions": {
>>>>>>>>         "provider": "infinispan"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "timer": {
>>>>>>>>         "provider": "basic"
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "theme": {
>>>>>>>>         "default": "keycloak",
>>>>>>>>         "staticMaxAge": 2592000,
>>>>>>>>         "cacheTemplates": true,
>>>>>>>>         "cacheThemes": true,
>>>>>>>>         "folder": {
>>>>>>>>             "dir": "${jboss.server.config.dir}/themes"
>>>>>>>>         }
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "scheduled": {
>>>>>>>>         "interval": 900
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "connectionsHttpClient": {
>>>>>>>>         "default": {
>>>>>>>>             "disable-trust-manager": true
>>>>>>>>         }
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "connectionsJpa": {
>>>>>>>>         "default": {
>>>>>>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>>>>>>             "databaseSchema": "update"
>>>>>>>>         }
>>>>>>>>     },
>>>>>>>>
>>>>>>>>     "connectionsInfinispan": {
>>>>>>>>         "default" : {
>>>>>>>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>> }
>>>>>>>>
>>>>>>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>>>>
>>>>>>>>> Hi, I am getting the following error when trying to integrate infinispan with keycloak:
>>>>>>>>>
>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ -Djgroups.s3.secret_access_key=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 -Djgroups.management.address=$ipkeycloakdevadmin
>>>>>>>>>
>>>>>>>>> =========================================================================
>>>>>>>>>
>>>>>>>>>   JBoss Bootstrap Environment
>>>>>>>>>
>>>>>>>>>   JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final
>>>>>>>>>
>>>>>>>>>   JAVA: java
>>>>>>>>>
>>>>>>>>>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>>>>>>>>
>>>>>>>>> =========================================================================
>>>>>>>>>
>>>>>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
>>>>>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>>>>>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting
>>>>>>>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
>>>>>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
>>>>>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO version 3.3.4.Final
>>>>>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.3.4.Final
>>>>>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 4.0.18.Final
>>>>>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
>>>>>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
>>>>>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
>>>>>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
>>>>>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
>>>>>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
>>>>>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread 1-3) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
>>>>>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = mysql
>>>>>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = h2
>>>>>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
>>>>>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
>>>>>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
>>>>>>>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final
>>>>>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting
>>>>>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting
>>>>>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread 1-4) WFLYNAM0003: Starting Naming Service
>>>>>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
>>>>>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
>>>>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.
>>>>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
>>>>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 10.1.3.93:8080
>>>>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on 10.1.3.93:8009
>>>>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
>>>>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
>>>>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
>>>>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
>>>>>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4)
>>>>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000078: Starting JGroups channel keycloak
>>>>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel server
>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel hibernate
>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel ejb
>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from keycloak container
>>>>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak container
>>>>>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
>>>>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures cache from keycloak container
>>>>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache from keycloak container
>>>>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from keycloak container
>>>>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread Pool -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/configuration/keycloak-server.json
>>>>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 66) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>>>>>>>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>>>>>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>>>>>>>>>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>>>>>>>>>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>>>>>>>>>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>>>>>>>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>>>>>>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>>>>>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>>>>>>>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>>>>>>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>>>>>>>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>>>>>>>>>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>>>>>>>>>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>>>>>>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>>>>>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>>>>>>>>     ... 6 more
>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache
>>>>>>>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory.java:96)
>>>>>>>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:75)
>>>>>>>>>     at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:244)
>>>>>>>>>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:78)
>>>>>>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>>>>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>>>>>>>>>     ... 19 more
>>>>>>>>>
>>>>>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>     Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache"}}
>>>>>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>>>>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
>>>>>>>>> WFLYCTL0186: Services which failed to start:      service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>
>>>>>>>>> 16:17:09,750 INFO
[org.jboss.as] (Controller Boot Thread) >>>>>>>>> WFLYSRV0060: Http management interface listening on >>>>>>>>> http://127.0.0.1:9990/management >>>>>>>>> >>>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>>>>>>> >>>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>>>>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>>>>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>>>>>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Thanks, >>>>>>>>> Aman Jaiswal >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Thanks, >>>>>>>> Aman Jaiswal >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Aman Jaiswal >>>> >>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/bb5cf364/attachment-0001.html From aman.jaiswal at arvindinternet.com Thu Sep 15 06:56:22 2016 From: aman.jaiswal at arvindinternet.com (Aman Jaiswal) Date: Thu, 15 Sep 2016 16:26:22 +0530 Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache In-Reply-To: References: Message-ID: I want to configure it for cluster mode . On Thu, Sep 15, 2016 at 4:16 PM, Stian Thorgersen wrote: > Read: https://keycloak.gitbooks.io/server-adminstration-guide/ > content/topics/MigrationFromOlderVersions.html > Hint: Search for "Realm and User cache providers" > > On 15 September 2016 at 12:41, Aman Jaiswal com> wrote: > >> I already did that thing >> first I am just copy the old keycloak-server.json file after that I took >> the new one and make change one by one as you suggested me earlier . 
>>
>> On Thu, Sep 15, 2016 at 4:08 PM, Stian Thorgersen wrote:
>>
>>> I'm sorry, I can't help unless you actually read my responses and do what
>>> I suggest you do.
>>>
>>> On 15 September 2016 at 12:35, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>
>>>> Is there any way to add a provider for infinispan?
>>>>
>>>> On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>
>>>>> In this case, if I apply the realm cache as infinispan, it gives an
>>>>> error on starting.
>>>>>
>>>>> On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen wrote:
>>>>>
>>>>>> If you read the "version specific section" you'll see changes that
>>>>>> have been made to keycloak-server.json that you need to make if you are
>>>>>> copying from an old version. Alternatively, you can stick with the new one
>>>>>> and manually apply any changes you've made (if any).
>>>>>>
>>>>>> On 15 September 2016 at 12:07, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>>
>>>>>>> Yes, I am.
>>>>>>> I am trying to upgrade from keycloak-1.5.0 to keycloak-2.1.0.Final,
>>>>>>> and according to the document it says that:
>>>>>>> "You should copy standalone/configuration/keycloak-server.json from
>>>>>>> the old version to make sure any configuration changes you've done are
>>>>>>> added to the new installation. The version specific section below will list
>>>>>>> any changes done to this file that you have to do when upgrading from one
>>>>>>> version to another."
>>>>>>> That's why I changed this file.
>>>>>>>
>>>>>>> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> Looks like you're probably upgrading from an old version and your
>>>>>>>> keycloak-server.json file needs updating. Please look at the migration docs
>>>>>>>> for full details or compare with the keycloak-server.json included. At
>>>>>>>> least 'realmCache' and 'userCache' are wrong.
>>>>>>>> Should just be 'default'.
>>>>>>>>
>>>>>>>> On 15 September 2016 at 11:56, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> According to the error, I think I have to add the infinispan jar file
>>>>>>>>> to the providers folder, but I don't know whether I am right or not, and there are
>>>>>>>>> many jar files regarding this.
>>>>>>>>> My keycloak-server.json file is given below:
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>     "providers": [
>>>>>>>>>         "classpath:${jboss.server.config.dir}/providers/*"
>>>>>>>>>     ],
>>>>>>>>>
>>>>>>>>>     "admin": {
>>>>>>>>>         "realm": "master"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "eventsStore": {
>>>>>>>>>         "provider": "jpa",
>>>>>>>>>         "jpa": {
>>>>>>>>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>>>>>>>>         }
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "realm": {
>>>>>>>>>         "provider": "jpa"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "user": {
>>>>>>>>>         "provider": "jpa"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "realmCache": {
>>>>>>>>>         "provider": "infinispan"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "userCache": {
>>>>>>>>>         "provider": "infinispan"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "userSessions": {
>>>>>>>>>         "provider": "infinispan"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "timer": {
>>>>>>>>>         "provider": "basic"
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "theme": {
>>>>>>>>>         "default": "keycloak",
>>>>>>>>>         "staticMaxAge": 2592000,
>>>>>>>>>         "cacheTemplates": true,
>>>>>>>>>         "cacheThemes": true,
>>>>>>>>>         "folder": {
>>>>>>>>>             "dir": "${jboss.server.config.dir}/themes"
>>>>>>>>>         }
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "scheduled": {
>>>>>>>>>         "interval": 900
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "connectionsHttpClient": {
>>>>>>>>>         "default": {
>>>>>>>>>             "disable-trust-manager": true
>>>>>>>>>         }
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "connectionsJpa": {
>>>>>>>>>         "default": {
>>>>>>>>>             "dataSource": "java:jboss/datasources/KeycloakDS",
>>>>>>>>>             "databaseSchema": "update"
>>>>>>>>>         }
>>>>>>>>>     },
>>>>>>>>>
>>>>>>>>>     "connectionsInfinispan": {
>>>>>>>>>         "default" : {
>>>>>>>>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>>>>>>>>         }
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi, I am getting the following error when trying to integrate
>>>>>>>>>> infinispan with keycloak:
>>>>>>>>>>
>>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ -Djgroups.s3.secret_access_key=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 -Djgroups.management.address=$ipkeycloakdevadmin
>>>>>>>>>>
>>>>>>>>>> =========================================================================
>>>>>>>>>>
>>>>>>>>>>   JBoss Bootstrap Environment
>>>>>>>>>>
>>>>>>>>>>   JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final
>>>>>>>>>>
>>>>>>>>>>   JAVA: java
>>>>>>>>>>
>>>>>>>>>>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>>>>>>>>>
>>>>>>>>>> =========================================================================
>>>>>>>>>>
>>>>>>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
>>>>>>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>>>>>>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting
>>>>>>>>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated]
>>>>>>>>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
>>>>>>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
>>>>>>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO version 3.3.4.Final
>>>>>>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.3.4.Final
>>>>>>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 4.0.18.Final
>>>>>>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
>>>>>>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
>>>>>>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
>>>>>>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
>>>>>>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
>>>>>>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
>>>>>>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread 1-3) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
>>>>>>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = mysql
>>>>>>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = h2
>>>>>>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
>>>>>>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
>>>>>>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
>>>>>>>>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final
>>>>>>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting
>>>>>>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting
>>>>>>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread 1-4) WFLYNAM0003: Starting Naming Service
>>>>>>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
>>>>>>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
>>>>>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.
>>>>>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
>>>>>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 10.1.3.93:8080
>>>>>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on 10.1.3.93:8009
>>>>>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
>>>>>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
>>>>>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
>>>>>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
>>>>>>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF 3.1.4)
>>>>>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000078: Starting JGroups channel keycloak
>>>>>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel server
>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel hibernate
>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel server local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel ejb
>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) [ip-10-1-3-93]
>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses are [10.1.3.93:55200]
>>>>>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from keycloak container
>>>>>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak container
>>>>>>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
>>>>>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures cache from keycloak container
>>>>>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache from keycloak container
>>>>>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from keycloak container
>>>>>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread Pool -- 66) KC-SERVICES0001: Loading config from /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/configuration/keycloak-server.json
>>>>>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 66) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>>>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>>>>>>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>>>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>>>>>> [...]
>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider infinispan for realmCache
>>>>>>>>>> [...]
>>>>>>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
>>>>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
>>>>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with errors) in 10846ms - Started 475 of 853 services (2 services failed or missing dependencies, 588 services are lazy, passive or on-demand)
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thanks,
>>>>>>>>>> Aman Jaiswal

--
Thanks,
Aman Jaiswal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/64bf26bb/attachment-0001.html

From sthorger at redhat.com Thu Sep 15 07:09:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Sep 2016 13:09:45 +0200
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache
In-Reply-To: References: Message-ID:

https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/booting.html

On 15 September 2016 at 12:56, Aman Jaiswal wrote:
> I want to configure it for cluster mode.
> [...]
infinispan with keycloak >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh >>>>>>>>>>> --server-config=standalone-ha.xml -b=$ip >>>>>>>>>>> -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 >>>>>>>>>>> -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ >>>>>>>>>>> -Djgroups.s3.secret_access_key=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 >>>>>>>>>>> -Djgroups.management.address=$ipkeycloakdevadmin >>>>>>>>>>> >>>>>>>>>>> ============================================================ >>>>>>>>>>> ============= >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> JBoss Bootstrap Environment >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> JAVA: java >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>>>>>>>>>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>>>>>>>>>> -Djboss.modules.system.pkgs=org.jboss.byteman >>>>>>>>>>> -Djava.awt.headless=true >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ============================================================ >>>>>>>>>>> ============= >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules >>>>>>>>>>> version 1.5.1.Final >>>>>>>>>>> >>>>>>>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version >>>>>>>>>>> 1.2.6.Final >>>>>>>>>>> >>>>>>>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) >>>>>>>>>>> WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>>>>>>>>>> >>>>>>>>>>> 16:17:01,235 INFO [org.jboss.as.controller.management-deprecated] >>>>>>>>>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in >>>>>>>>>>> the resource at address '/subsystem=jgroups' is deprecated, and may be >>>>>>>>>>> removed in future version. 
See the attribute description in the output of >>>>>>>>>>> the read-resource-description operation to learn more about the deprecation. >>>>>>>>>>> >>>>>>>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot >>>>>>>>>>> Thread) WFLYSRV0039: Creating http management service using socket-binding >>>>>>>>>>> (management-http) >>>>>>>>>>> >>>>>>>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO >>>>>>>>>>> version 3.3.4.Final >>>>>>>>>>> >>>>>>>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO >>>>>>>>>>> NIO Implementation Version 3.3.4.Final >>>>>>>>>>> >>>>>>>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread 1-2) >>>>>>>>>>> JBoss Remoting version 4.0.18.Final >>>>>>>>>>> >>>>>>>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant >>>>>>>>>>> driver class org.h2.Driver (version 1.3) >>>>>>>>>>> >>>>>>>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan >>>>>>>>>>> subsystem. >>>>>>>>>>> >>>>>>>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService >>>>>>>>>>> Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 >>>>>>>>>>> core threads with 32 task threads based on your 2 available processors >>>>>>>>>>> >>>>>>>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant >>>>>>>>>>> driver class com.mysql.jdbc.Driver (version 5.1) >>>>>>>>>>> >>>>>>>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] >>>>>>>>>>> (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups >>>>>>>>>>> subsystem. 
>>>>>>>>>>> >>>>>>>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread Pool >>>>>>>>>>> -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main] >>>>>>>>>>> >>>>>>>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service thread >>>>>>>>>>> 1-3) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final) >>>>>>>>>>> >>>>>>>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>>>>>>>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>>>>>>>>> mysql >>>>>>>>>>> >>>>>>>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] (MSC >>>>>>>>>>> service thread 1-3) WFLYJCA0018: Started Driver service with driver-name = >>>>>>>>>>> h2 >>>>>>>>>>> >>>>>>>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread >>>>>>>>>>> Pool -- 49) WFLYNAM0001: Activating Naming Subsystem >>>>>>>>>>> >>>>>>>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService Thread >>>>>>>>>>> Pool -- 56) WFLYSEC0002: Activating Security Subsystem >>>>>>>>>>> >>>>>>>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService >>>>>>>>>>> Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension >>>>>>>>>>> >>>>>>>>>>> 16:17:02,066 INFO [org.jboss.as.security] (MSC service thread >>>>>>>>>>> 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final >>>>>>>>>>> >>>>>>>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] >>>>>>>>>>> (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>>>>>>> >>>>>>>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>> service thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>>>>>>> >>>>>>>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread >>>>>>>>>>> 1-4) WFLYNAM0003: Starting Naming Service >>>>>>>>>>> >>>>>>>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service >>>>>>>>>>> thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] >>>>>>>>>>> >>>>>>>>>>> 
16:17:02,394 INFO [org.wildfly.extension.undertow] >>>>>>>>>>> (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for >>>>>>>>>>> path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' >>>>>>>>>>> with options [directory-listing: 'false', follow-symlink: 'false', >>>>>>>>>>> case-sensitive: 'true', safe-symlink-paths: '[]'] >>>>>>>>>>> >>>>>>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>> service thread 1-1) WFLYUT0012: Started server default-server. >>>>>>>>>>> >>>>>>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>> service thread 1-4) WFLYUT0018: Host default-host starting >>>>>>>>>>> >>>>>>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>> service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on >>>>>>>>>>> 10.1.3.93:8080 >>>>>>>>>>> >>>>>>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>> service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on >>>>>>>>>>> 10.1.3.93:8009 >>>>>>>>>>> >>>>>>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread >>>>>>>>>>> Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final >>>>>>>>>>> >>>>>>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread >>>>>>>>>>> Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on / >>>>>>>>>>> 224.0.1.105:23364 >>>>>>>>>>> >>>>>>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>> (MSC service thread 1-2) WFLYJCA0001: Bound data source >>>>>>>>>>> [java:jboss/datasources/KeycloakDS] >>>>>>>>>>> >>>>>>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC >>>>>>>>>>> service thread 1-3) WFLYSRV0027: Starting deployment of >>>>>>>>>>> "keycloak-server.war" (runtime-name: "keycloak-server.war") >>>>>>>>>>> >>>>>>>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC >>>>>>>>>>> service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final 
(Apache CXF >>>>>>>>>>> 3.1.4) >>>>>>>>>>> >>>>>>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>> ISPN000078: Starting JGroups channel keycloak >>>>>>>>>>> >>>>>>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>> ISPN000078: Starting JGroups channel server >>>>>>>>>>> >>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>> ISPN000078: Starting JGroups channel hibernate >>>>>>>>>>> >>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>> ISPN000078: Starting JGroups channel web >>>>>>>>>>> >>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>> ISPN000094: Received new cluster view for channel keycloak: >>>>>>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>> ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] >>>>>>>>>>> (1) [ip-10-1-3-93] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>> ISPN000094: Received new cluster view for channel hibernate: >>>>>>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>> ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) >>>>>>>>>>> [ip-10-1-3-93] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) 
>>>>>>>>>>> ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical >>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>> ISPN000079: Channel server local address is ip-10-1-3-93, physical >>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] >>>>>>>>>>> (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' >>>>>>>>>>> 8.1.0.Final >>>>>>>>>>> >>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>> ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses >>>>>>>>>>> are [10.1.3.93:55200] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>> ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical >>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>> ISPN000078: Starting JGroups channel ejb >>>>>>>>>>> >>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>> ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) >>>>>>>>>>> [ip-10-1-3-93] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>> ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses >>>>>>>>>>> are [10.1.3.93:55200] >>>>>>>>>>> >>>>>>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from 
>>>>>>>>>>> keycloak container >>>>>>>>>>> >>>>>>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from >>>>>>>>>>> keycloak container >>>>>>>>>>> >>>>>>>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions >>>>>>>>>>> cache from keycloak container >>>>>>>>>>> >>>>>>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures >>>>>>>>>>> cache from keycloak container >>>>>>>>>>> >>>>>>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache >>>>>>>>>>> from keycloak container >>>>>>>>>>> >>>>>>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>> (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from >>>>>>>>>>> keycloak container >>>>>>>>>>> >>>>>>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService Thread >>>>>>>>>>> Pool -- 66) KC-SERVICES0001: Loading config from >>>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/config >>>>>>>>>>> uration/keycloak-server.json >>>>>>>>>>> >>>>>>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService >>>>>>>>>>> Thread Pool -- 66) MSC000001: Failed to start service >>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>> >>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>> 
.deployment.UndertowDeploymentService$1.run(UndertowDeployme >>>>>>>>>>> ntService.java:85) >>>>>>>>>>> >>>>>>>>>>> at java.util.concurrent.Executors >>>>>>>>>>> $RunnableAdapter.call(Executors.java:511) >>>>>>>>>>> >>>>>>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>>>>>>>> >>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>> lExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>>>>>>>> >>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>> lExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>>>>>>>> >>>>>>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>>>>>>>> >>>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>>>>>>>>>> construct public org.keycloak.services.resource >>>>>>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>>>>>> .resteasy.core.Dispatcher) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.core.Constr >>>>>>>>>>> uctorInjectorImpl.construct(ConstructorInjectorImpl.java:162) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>> yProviderFactory.createProviderInstance(ResteasyProviderFact >>>>>>>>>>> ory.java:2209) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>> yDeployment.createApplication(ResteasyDeployment.java:299) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>> yDeployment.start(ResteasyDeployment.java:240) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.plugins.ser >>>>>>>>>>> ver.servlet.ServletContainerDispatcher.init(ServletContainer >>>>>>>>>>> Dispatcher.java:113) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.plugins.ser >>>>>>>>>>> ver.servlet.HttpServletDispatcher.init(HttpServletDispatcher >>>>>>>>>>> .java:36) >>>>>>>>>>> >>>>>>>>>>> at io.undertow.servlet.core.Lifec >>>>>>>>>>> yleInterceptorInvocation.proceed(LifecyleInterceptorInvocati >>>>>>>>>>> on.java:117) >>>>>>>>>>> >>>>>>>>>>> at 
org.wildfly.extension.undertow >>>>>>>>>>> .security.RunAsLifecycleInterceptor.init(RunAsLifecycleInter >>>>>>>>>>> ceptor.java:78) >>>>>>>>>>> >>>>>>>>>>> at io.undertow.servlet.core.Lifec >>>>>>>>>>> yleInterceptorInvocation.proceed(LifecyleInterceptorInvocati >>>>>>>>>>> on.java:103) >>>>>>>>>>> >>>>>>>>>>> at io.undertow.servlet.core.Manag >>>>>>>>>>> edServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) >>>>>>>>>>> >>>>>>>>>>> at io.undertow.servlet.core.Manag >>>>>>>>>>> edServlet.createServlet(ManagedServlet.java:132) >>>>>>>>>>> >>>>>>>>>>> at io.undertow.servlet.core.Deplo >>>>>>>>>>> ymentManagerImpl.start(DeploymentManagerImpl.java:526) >>>>>>>>>>> >>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>> .deployment.UndertowDeploymentService.startContext(UndertowD >>>>>>>>>>> eploymentService.java:101) >>>>>>>>>>> >>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>> .deployment.UndertowDeploymentService$1.run(UndertowDeployme >>>>>>>>>>> ntService.java:82) >>>>>>>>>>> >>>>>>>>>>> ... 
6 more >>>>>>>>>>> >>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>>>>>>> infinispan for realmCache >>>>>>>>>>> >>>>>>>>>>> at org.keycloak.services.DefaultK >>>>>>>>>>> eycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory >>>>>>>>>>> .java:96) >>>>>>>>>>> >>>>>>>>>>> at org.keycloak.services.DefaultK >>>>>>>>>>> eycloakSessionFactory.init(DefaultKeycloakSessionFactory.jav >>>>>>>>>>> a:75) >>>>>>>>>>> >>>>>>>>>>> at org.keycloak.services.resource >>>>>>>>>>> s.KeycloakApplication.createSessionFactory(KeycloakApplicati >>>>>>>>>>> on.java:244) >>>>>>>>>>> >>>>>>>>>>> at org.keycloak.services.resource >>>>>>>>>>> s.KeycloakApplication.(KeycloakApplication.java:78) >>>>>>>>>>> >>>>>>>>>>> at sun.reflect.NativeConstructorA >>>>>>>>>>> ccessorImpl.newInstance0(Native Method) >>>>>>>>>>> >>>>>>>>>>> at sun.reflect.NativeConstructorA >>>>>>>>>>> ccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>>>>>>>> >>>>>>>>>>> at sun.reflect.DelegatingConstruc >>>>>>>>>>> torAccessorImpl.newInstance(DelegatingConstructorAccessorImp >>>>>>>>>>> l.java:45) >>>>>>>>>>> >>>>>>>>>>> at java.lang.reflect.Constructor. >>>>>>>>>>> newInstance(Constructor.java:423) >>>>>>>>>>> >>>>>>>>>>> at org.jboss.resteasy.core.Constr >>>>>>>>>>> uctorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>>>>>>>>>> >>>>>>>>>>> ... 
19 more >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>>>>>>>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>>>>>>>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>>>>>>>>> {"WFLYCTL0080: Failed services" => {" >>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth" => >>>>>>>>>>> "org.jboss.msc.service.StartException in service >>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>> >>>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: >>>>>>>>>>> Failed to construct public org.keycloak.services.resource >>>>>>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>>>>>> .resteasy.core.Dispatcher) >>>>>>>>>>> >>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find >>>>>>>>>>> provider infinispan for realmCache"}} >>>>>>>>>>> >>>>>>>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread >>>>>>>>>>> Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>>>>>>>>> "keycloak-server.war") >>>>>>>>>>> >>>>>>>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot >>>>>>>>>>> Thread) WFLYCTL0183: Service status report >>>>>>>>>>> >>>>>>>>>>> WFLYCTL0186: Services which failed to start: service >>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>> 
rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>> WFLYSRV0060: Http management interface listening on >>>>>>>>>>> http://127.0.0.1:9990/management >>>>>>>>>>> >>>>>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>>>>>>>>> >>>>>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>>>>>>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>>>>>>>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Thanks, >>>>>>>>>>> Aman Jaiswal >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Thanks, >>>>>>>>>> Aman Jaiswal >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Thanks, >>>>>>>> Aman Jaiswal >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Aman Jaiswal >>>>> >>>> >>>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/8962592c/attachment-0001.html From aman.jaiswal at arvindinternet.com Thu Sep 15 07:16:09 2016 From: aman.jaiswal at arvindinternet.com (Aman Jaiswal) Date: Thu, 15 Sep 2016 16:46:09 +0530 Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache In-Reply-To: References: Message-ID: I already read this and my cluster is running on AWS with s3 bucket behind . 
and to run this I am using following command /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ -Djgroups.s3.secret_access_ key=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 -Djgroups.management.address=$ ipkeycloakdevadmin On Thu, Sep 15, 2016 at 4:39 PM, Stian Thorgersen wrote: > https://keycloak.gitbooks.io/server-installation-and- > configuration/content/topics/clustering/booting.html > > On 15 September 2016 at 12:56, Aman Jaiswal com> wrote: > >> I want to configure it for cluster mode . >> >> On Thu, Sep 15, 2016 at 4:16 PM, Stian Thorgersen >> wrote: >> >>> Read: https://keycloak.gitbooks.io/server-adminstration-guide/cont >>> ent/topics/MigrationFromOlderVersions.html >>> Hint: Search for "Realm and User cache providers" >>> >>> On 15 September 2016 at 12:41, Aman Jaiswal < >>> aman.jaiswal at arvindinternet.com> wrote: >>> >>>> I already did that thing >>>> first I am just copy the old keycloak-server.json file after that I >>>> took the new one and make change one by one as you suggested me earlier . >>>> >>>> >>>> On Thu, Sep 15, 2016 at 4:08 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> I'm sorry I can't help unless you actually read my responses and do >>>>> what I suggest you to do. >>>>> >>>>> On 15 September 2016 at 12:35, Aman Jaiswal < >>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>> >>>>>> is there is any way to add provider for infinispan ? >>>>>> >>>>>> >>>>>> On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal < >>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>> >>>>>>> In this case if I am apply the relem cache as infinispan this it >>>>>>> gives error on starting . 
[java:jboss/mail/Default] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] >>>>>>>>>>>> (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for >>>>>>>>>>>> path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' >>>>>>>>>>>> with options [directory-listing: 'false', follow-symlink: 'false', >>>>>>>>>>>> case-sensitive: 'true', safe-symlink-paths: '[]'] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>> service thread 1-1) WFLYUT0012: Started server default-server. >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>> service thread 1-4) WFLYUT0018: Host default-host starting >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>> service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on >>>>>>>>>>>> 10.1.3.93:8080 >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>> service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on >>>>>>>>>>>> 10.1.3.93:8009 >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService Thread >>>>>>>>>>>> Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final >>>>>>>>>>>> >>>>>>>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService Thread >>>>>>>>>>>> Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on / >>>>>>>>>>>> 224.0.1.105:23364 >>>>>>>>>>>> >>>>>>>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>>> (MSC service thread 1-2) WFLYJCA0001: Bound data source >>>>>>>>>>>> [java:jboss/datasources/KeycloakDS] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC >>>>>>>>>>>> service thread 1-3) WFLYSRV0027: Starting deployment of >>>>>>>>>>>> "keycloak-server.war" (runtime-name: "keycloak-server.war") >>>>>>>>>>>> >>>>>>>>>>>> 16:17:03,627 INFO 
[org.jboss.ws.common.management] (MSC >>>>>>>>>>>> service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF >>>>>>>>>>>> 3.1.4) >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>>> ISPN000078: Starting JGroups channel keycloak >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>>> ISPN000078: Starting JGroups channel server >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>> ISPN000078: Starting JGroups channel hibernate >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>>> ISPN000078: Starting JGroups channel web >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>>> ISPN000094: Received new cluster view for channel keycloak: >>>>>>>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>>> ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] >>>>>>>>>>>> (1) [ip-10-1-3-93] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>> ISPN000094: Received new cluster view for channel hibernate: >>>>>>>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>>> ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) >>>>>>>>>>>> 
[ip-10-1-3-93] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>> ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical >>>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>>> ISPN000079: Channel server local address is ip-10-1-3-93, physical >>>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] >>>>>>>>>>>> (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' >>>>>>>>>>>> 8.1.0.Final >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>>> ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses >>>>>>>>>>>> are [10.1.3.93:55200] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>>> ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical >>>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>> ISPN000078: Starting JGroups channel ejb >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>> ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) >>>>>>>>>>>> [ip-10-1-3-93] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>> ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses 
>>>>>>>>>>>> are [10.1.3.93:55200] >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>> (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from >>>>>>>>>>>> keycloak container >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>> (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from >>>>>>>>>>>> keycloak container >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,487 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>> (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions >>>>>>>>>>>> cache from keycloak container >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>> (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures >>>>>>>>>>>> cache from keycloak container >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>> (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache >>>>>>>>>>>> from keycloak container >>>>>>>>>>>> >>>>>>>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>> (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from >>>>>>>>>>>> keycloak container >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService >>>>>>>>>>>> Thread Pool -- 66) KC-SERVICES0001: Loading config from >>>>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/config >>>>>>>>>>>> uration/keycloak-server.json >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService >>>>>>>>>>>> Thread Pool -- 66) MSC000001: Failed to start service >>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>>> 
org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>>> >>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>> .deployment.UndertowDeploymentService$1.run(UndertowDeployme >>>>>>>>>>>> ntService.java:85) >>>>>>>>>>>> >>>>>>>>>>>> at java.util.concurrent.Executors >>>>>>>>>>>> $RunnableAdapter.call(Executors.java:511) >>>>>>>>>>>> >>>>>>>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>>>>>>>>> >>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>> lExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>>>>>>>>> >>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>> lExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>>>>>>>>> >>>>>>>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>>>>>>>>> >>>>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed >>>>>>>>>>>> to construct public org.keycloak.services.resource >>>>>>>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>>>>>>> .resteasy.core.Dispatcher) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.core.Constr >>>>>>>>>>>> uctorInjectorImpl.construct(ConstructorInjectorImpl.java:162) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>>> yProviderFactory.createProviderInstance(ResteasyProviderFact >>>>>>>>>>>> ory.java:2209) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>>> yDeployment.createApplication(ResteasyDeployment.java:299) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>>> yDeployment.start(ResteasyDeployment.java:240) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.plugins.ser >>>>>>>>>>>> ver.servlet.ServletContainerDispatcher.init(ServletContainer >>>>>>>>>>>> Dispatcher.java:113) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.plugins.ser >>>>>>>>>>>> 
ver.servlet.HttpServletDispatcher.init(HttpServletDispatcher >>>>>>>>>>>> .java:36) >>>>>>>>>>>> >>>>>>>>>>>> at io.undertow.servlet.core.Lifec >>>>>>>>>>>> yleInterceptorInvocation.proceed(LifecyleInterceptorInvocati >>>>>>>>>>>> on.java:117) >>>>>>>>>>>> >>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>> .security.RunAsLifecycleInterceptor.init(RunAsLifecycleInter >>>>>>>>>>>> ceptor.java:78) >>>>>>>>>>>> >>>>>>>>>>>> at io.undertow.servlet.core.Lifec >>>>>>>>>>>> yleInterceptorInvocation.proceed(LifecyleInterceptorInvocati >>>>>>>>>>>> on.java:103) >>>>>>>>>>>> >>>>>>>>>>>> at io.undertow.servlet.core.Manag >>>>>>>>>>>> edServlet$DefaultInstanceStrategy.start(ManagedServlet.java: >>>>>>>>>>>> 231) >>>>>>>>>>>> >>>>>>>>>>>> at io.undertow.servlet.core.Manag >>>>>>>>>>>> edServlet.createServlet(ManagedServlet.java:132) >>>>>>>>>>>> >>>>>>>>>>>> at io.undertow.servlet.core.Deplo >>>>>>>>>>>> ymentManagerImpl.start(DeploymentManagerImpl.java:526) >>>>>>>>>>>> >>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>> .deployment.UndertowDeploymentService.startContext(UndertowD >>>>>>>>>>>> eploymentService.java:101) >>>>>>>>>>>> >>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>> .deployment.UndertowDeploymentService$1.run(UndertowDeployme >>>>>>>>>>>> ntService.java:82) >>>>>>>>>>>> >>>>>>>>>>>> ... 
6 more >>>>>>>>>>>> >>>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>>>>>>>> infinispan for realmCache >>>>>>>>>>>> >>>>>>>>>>>> at org.keycloak.services.DefaultK >>>>>>>>>>>> eycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory >>>>>>>>>>>> .java:96) >>>>>>>>>>>> >>>>>>>>>>>> at org.keycloak.services.DefaultK >>>>>>>>>>>> eycloakSessionFactory.init(DefaultKeycloakSessionFactory.jav >>>>>>>>>>>> a:75) >>>>>>>>>>>> >>>>>>>>>>>> at org.keycloak.services.resource >>>>>>>>>>>> s.KeycloakApplication.createSessionFactory(KeycloakApplicati >>>>>>>>>>>> on.java:244) >>>>>>>>>>>> >>>>>>>>>>>> at org.keycloak.services.resource >>>>>>>>>>>> s.KeycloakApplication.(KeycloakApplication.java:78) >>>>>>>>>>>> >>>>>>>>>>>> at sun.reflect.NativeConstructorA >>>>>>>>>>>> ccessorImpl.newInstance0(Native Method) >>>>>>>>>>>> >>>>>>>>>>>> at sun.reflect.NativeConstructorA >>>>>>>>>>>> ccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>>>>>>>>> >>>>>>>>>>>> at sun.reflect.DelegatingConstruc >>>>>>>>>>>> torAccessorImpl.newInstance(DelegatingConstructorAccessorImp >>>>>>>>>>>> l.java:45) >>>>>>>>>>>> >>>>>>>>>>>> at java.lang.reflect.Constructor. >>>>>>>>>>>> newInstance(Constructor.java:423) >>>>>>>>>>>> >>>>>>>>>>>> at org.jboss.resteasy.core.Constr >>>>>>>>>>>> uctorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>>>>>>>>>>> >>>>>>>>>>>> ... 
19 more >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>>>>>>>>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>>>>>>>>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>>>>>>>>>> {"WFLYCTL0080: Failed services" => {" >>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth" >>>>>>>>>>>> => "org.jboss.msc.service.StartException in service >>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>>> >>>>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: >>>>>>>>>>>> Failed to construct public org.keycloak.services.resource >>>>>>>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>>>>>>> .resteasy.core.Dispatcher) >>>>>>>>>>>> >>>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find >>>>>>>>>>>> provider infinispan for realmCache"}} >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread >>>>>>>>>>>> Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>>>>>>>>>> "keycloak-server.war") >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot >>>>>>>>>>>> Thread) WFLYCTL0183: Service status report >>>>>>>>>>>> >>>>>>>>>>>> WFLYCTL0186: Services which failed to start: service >>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>>> 
rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>>> WFLYSRV0060: Http management interface listening on >>>>>>>>>>>> http://127.0.0.1:9990/management >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>>>>>>>>>> >>>>>>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>>>>>>>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>>>>>>>>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Aman Jaiswal >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Thanks, >>>>>>>>>>> Aman Jaiswal >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Thanks, >>>>>>>>> Aman Jaiswal >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Thanks, >>>>>>> Aman Jaiswal >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Aman Jaiswal >>>> >>> >>> >> >> >> -- >> Thanks, >> Aman Jaiswal >> > > -- Thanks, Aman Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/f62884c8/attachment-0001.html From campbellg at teds.com Thu Sep 15 09:53:08 2016 From: campbellg at teds.com (Glenn Campbell) Date: Thu, 15 Sep 2016 09:53:08 -0400 Subject: [keycloak-user] remote_user header from IIS proxy not seen by keycloak Message-ID: I have a requirement to use Keycloak behind IIS where some sort of SSO product is already integrated with IIS. Whatever this product is sets the REMOTE_USER header. 
It is easy enough to write a custom authenticator for Keycloak to use the REMOTE_USER header. However, Keycloak's Wildfly server (or its embedded Undertow) appears to be stripping out the header. Is there any way to configure Keycloak or its Wildfly to let the REMOTE_USER header pass through? Or are there any clever workarounds?

Thanks in advance.

Glenn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/f255df09/attachment.html

From sthorger at redhat.com Thu Sep 15 10:09:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Sep 2016 16:09:34 +0200
Subject: [keycloak-user] Keycloak 2.2.0.Final
Message-ID:

Final is out. Go grab it now!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/2e1e2e31/attachment.html

From imbacen at gmail.com Thu Sep 15 10:55:50 2016
From: imbacen at gmail.com (cen)
Date: Thu, 15 Sep 2016 16:55:50 +0200
Subject: [keycloak-user] Configuring KC adapter through ENV/programatically
In-Reply-To:
References:
Message-ID:

Correction: apparently env vars do actually work, I probably forgot to pull the latest container the last time I tried it out. Great!

Thomas Darimont wrote on 15. 09. 2016 at 10:13:
> Hello,
>
> you can use env-variables in Keycloak.json - see paragraph after the config example:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html
>
> Cheers,
> Thomas
>
> 2016-09-14 13:30 GMT+02:00 Stian Thorgersen :
>
>> What adapter? Java adapters have support to write your own config loader (see multi-tenancy example). For JavaScript adapter make your web server dynamically create the keycloak.json.
>>
>> On 14 September 2016 at 11:30, cen wrote:
>>
>>> Hi
>>>
>>> We have a Java REST microservice which is configured as a whole through environment variables and deployed in Docker.
>>>
>>> We can't provide production keycloak.json at Docker build time because then it becomes a specific container for a specific deployment. We want to keep the container unconfigured and neutral, ready to be deployed with any Keycloak server.
>>>
>>> At the moment we have an additional step in production deployment that copies the correct keycloak.json into a running Docker container and restarts it.
>>>
>>> Ideally though, we would like to provide keycloak.json through an environment variable or load it dynamically from etcd/zookeeper/similar.
>>>
>>> Is it possible to somehow configure the Keycloak adapter at runtime?
>>>
>>> Best regards, cen
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Christian.FREIMUELLER at frequentis.com Thu Sep 15 11:07:28 2016
From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian)
Date: Thu, 15 Sep 2016 15:07:28 +0000
Subject: [keycloak-user] Obtaining access token by username only (no HMI)
Message-ID:

Dear all,

we have a question regarding Keycloak and obtaining an Access Token.

Our setup is as follows:
- users are created and maintained in Keycloak
- resources, policies and permissions are also maintained in Keycloak

Our use case is: As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.
To be more specific: We have an application exposing an interface to the outside world. Any request from an interface-consuming application contains, in the request header, the name of the user that called an action on this interface (the username in the request is the same as in Keycloak).

The question is now: How can we obtain an access token for the user (by only knowing the username) that is needed in order to call/use Keycloak's AuthZ client to retrieve authorization information (e.g. via its entitlement API)?

We also thought about using offline tokens, but it might be that a user (available in Keycloak) that is sent within the request has never logged in to any protected application before - therefore we would not be able to have offline tokens at hand that we could use to request a new access token.

Is there a solution to obtain an access token for such a user?

Thanks,
Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/ab8b0186/attachment.html

From pires at littlebits.cc Thu Sep 15 15:24:21 2016
From: pires at littlebits.cc (Paulo Pires)
Date: Thu, 15 Sep 2016 20:24:21 +0100
Subject: [keycloak-user] Keycloak 2.2.0.Final
In-Reply-To:
References:
Message-ID:

Awesome job!

On Thu, Sep 15, 2016 at 3:09 PM, Stian Thorgersen wrote:
> Final is out. Go grab it now!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
*Paulo Pires*
senior infrastructure engineer | littleBits
*T* (917) 464-4577
unleash your inner inventor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/a772d701/attachment.html

From jblashka at redhat.com Thu Sep 15 17:16:16 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Thu, 15 Sep 2016 17:16:16 -0400
Subject: [keycloak-user] Custom Adapter Logout logic
Message-ID:

Is it currently possible to hook into the adapter's logout logic to trigger some custom behavior without interrupting the logout flow? For example, if I want to audit logout activity on a particular SP or delete some cookies (if it was a front-channel logout request) without stopping the normal federated logout process.

Jared
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/9075813a/attachment.html

From akaya at expedia.com Thu Sep 15 20:48:20 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 16 Sep 2016 00:48:20 +0000
Subject: [keycloak-user] Disabling password expiry for one user?
Message-ID: <1AC1D226-F0F1-4B5F-95AD-5C9985DC184F@expedia.com>

Hello,

It just seems like it's only possible to enable password expiry policy for all users or no users. Is it possible to have an exceptional case where one user has no password expiry and other users do have password expiry?

Thanks,
Sarp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/3bfe6081/attachment-0001.html

From srossillo at smartling.com Thu Sep 15 22:50:13 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 16 Sep 2016 02:50:13 +0000
Subject: [keycloak-user] Disabling password expiry for one user?
In-Reply-To: <1AC1D226-F0F1-4B5F-95AD-5C9985DC184F@expedia.com>
References: <1AC1D226-F0F1-4B5F-95AD-5C9985DC184F@expedia.com>
Message-ID:

Is this for something like service users? Could you explain the use case?
On Thu, Sep 15, 2016 at 8:49 PM Sarp Kaya wrote:
> Hello,
>
> It just seems like it's only possible to enable password expiry policy for all users or no users. Is it possible to have an exceptional case where one user has no password expiry and other users do have password expiry?
>
> Thanks,
> Sarp
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/6faa4f46/attachment.html

From akaya at expedia.com Thu Sep 15 22:59:16 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 16 Sep 2016 02:59:16 +0000
Subject: [keycloak-user] Disabling password expiry for one user?
In-Reply-To:
References: <1AC1D226-F0F1-4B5F-95AD-5C9985DC184F@expedia.com>
Message-ID:

Kind of. We do have an automated bot using a 'normal' username and password. We need this bot to use the regular web UI in order to monitor the entire system, so using direct APIs won't be a good option.

From: Scott Rossillo
Date: Friday, September 16, 2016 at 12:50 PM
To: Abdullah Sarp , "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Disabling password expiry for one user?

Is this for something like service users? Could you explain the use case?

On Thu, Sep 15, 2016 at 8:49 PM Sarp Kaya > wrote:
Hello,

It just seems like it's only possible to enable password expiry policy for all users or no users. Is it possible to have an exceptional case where one user has no password expiry and other users do have password expiry?

Thanks,
Sarp
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/6a2383a0/attachment.html

From francis.zabala at yahoo.com Fri Sep 16 01:22:03 2016
From: francis.zabala at yahoo.com (Francis Zabala)
Date: Fri, 16 Sep 2016 05:22:03 +0000 (UTC)
Subject: [keycloak-user] Best setup to extend Keycloak
References: <1904022123.759815.1474003323381.ref@mail.yahoo.com>
Message-ID: <1904022123.759815.1474003323381@mail.yahoo.com>

Hello,

What is the best setup to develop a custom SPI for Keycloak? I just skimmed the example code in github and wondered how to test my code. Not the TDD way of testing but a simple, hey, will this run properly?

Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification.

Regards,
Francis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/35a1ef5a/attachment.html

From sthorger at redhat.com Fri Sep 16 03:03:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 16 Sep 2016 09:03:34 +0200
Subject: [keycloak-user] How to programatically detect if a user is temporarily disabled or locked
In-Reply-To:
References:
Message-ID:

It's available in the UserRepresentation returned by http://www.keycloak.org/docs/rest-api/index.html#_get_represenation_of_the_user. You can also check brute force status on http://www.keycloak.org/docs/rest-api/index.html#_get_status_of_a_username_in_brute_force_detection. The latter will only show if it's temporarily disabled.

On 14 September 2016 at 10:02, Tin wrote:
> Hi,
>
> I need to display in my java application if a user is locked or temporarily disabled. I am using keycloak-admin-client.
> Your help is very much appreciated. I have searched the internet but there is no clear explanation on how to do this.
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/acc486e1/attachment.html

From aman.jaiswal at arvindinternet.com Fri Sep 16 03:09:20 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Fri, 16 Sep 2016 12:39:20 +0530
Subject: [keycloak-user] Error Failed to find provider infinispan for realmCache
In-Reply-To:
References:
Message-ID:

When I am trying to hit the URL for keycloak with *Https* it does not load, but it works fine with Http.

On Thu, Sep 15, 2016 at 4:46 PM, Aman Jaiswal < aman.jaiswal at arvindinternet.com> wrote:
> I already read this and my cluster is running on AWS with an s3 bucket behind it, and to run this I am using the following command
>
> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh --server-config=standalone-ha.xml -b=$ip -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket=keycloak-dev -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ -Djgroups.s3.secret_access_key=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 -Djgroups.management.address=$ipkeycloakdevadmin
>
> On Thu, Sep 15, 2016 at 4:39 PM, Stian Thorgersen wrote:
>
>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/booting.html
>>
>> On 15 September 2016 at 12:56, Aman Jaiswal < aman.jaiswal at arvindinternet.com> wrote:
>>
>>> I want to configure it for cluster mode.
>>> >>> On Thu, Sep 15, 2016 at 4:16 PM, Stian Thorgersen >>> wrote: >>> >>>> Read: https://keycloak.gitbooks.io/server-adminstration-guide/cont >>>> ent/topics/MigrationFromOlderVersions.html >>>> Hint: Search for "Realm and User cache providers" >>>> >>>> On 15 September 2016 at 12:41, Aman Jaiswal < >>>> aman.jaiswal at arvindinternet.com> wrote: >>>> >>>>> I already did that thing >>>>> first I am just copy the old keycloak-server.json file after that I >>>>> took the new one and make change one by one as you suggested me earlier . >>>>> >>>>> >>>>> On Thu, Sep 15, 2016 at 4:08 PM, Stian Thorgersen >>>> > wrote: >>>>> >>>>>> I'm sorry I can't help unless you actually read my responses and do >>>>>> what I suggest you to do. >>>>>> >>>>>> On 15 September 2016 at 12:35, Aman Jaiswal < >>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>> >>>>>>> is there is any way to add provider for infinispan ? >>>>>>> >>>>>>> >>>>>>> On Thu, Sep 15, 2016 at 3:44 PM, Aman Jaiswal < >>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>> >>>>>>>> In this case if I am apply the relem cache as infinispan this it >>>>>>>> gives error on starting . >>>>>>>> >>>>>>>> On Thu, Sep 15, 2016 at 3:42 PM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> >>>>>>>>> If you read the "version specific section" you'll see changes that >>>>>>>>> have been made to keycloak-server.json that you need to make if you are >>>>>>>>> copying from an old version. Alternatively, you can stick with the new one >>>>>>>>> and manually apply any changes you've made (if any). 
>>>>>>>>> >>>>>>>>> On 15 September 2016 at 12:07, Aman Jaiswal < >>>>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>>>> >>>>>>>>>> yes I am >>>>>>>>>> I am trying to upgrade from keycloak-1.5.0 to >>>>>>>>>> keycloak-2.1.0.Final >>>>>>>>>> and according to document it says that : >>>>>>>>>> "You should copy standalone/configuration/keycloak-server.json from >>>>>>>>>> the old version to make sure any configuration changes you?ve done are >>>>>>>>>> added to the new installation. The version specific section below will list >>>>>>>>>> any changes done to this file that you have to do when upgrading from one >>>>>>>>>> version to another." >>>>>>>>>> That's why I am changed this file . >>>>>>>>>> >>>>>>>>>> On Thu, Sep 15, 2016 at 3:31 PM, Stian Thorgersen < >>>>>>>>>> sthorger at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> Looks like you're probably upgrading from an old version and >>>>>>>>>>> you're keycloak-server.json file needs updating. Please look at the >>>>>>>>>>> migration docs for full details or compare with the keycloak-server.json >>>>>>>>>>> included. At least 'realmCache' and 'userCache' is wrong. Should just be >>>>>>>>>>> 'default'. >>>>>>>>>>> >>>>>>>>>>> On 15 September 2016 at 11:56, Aman Jaiswal < >>>>>>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi >>>>>>>>>>>> >>>>>>>>>>>> According to the error I think I have to add infinispan jar >>>>>>>>>>>> file in providers folder but I don't know that I am right or not, and there >>>>>>>>>>>> are many jar file regarding this . 
>>>>>>>>>>>> My keycloak-server.json file is given below: >>>>>>>>>>>> >>>>>>>>>>>> { >>>>>>>>>>>> "providers": [ >>>>>>>>>>>> "classpath:${jboss.server.config.dir}/providers/*" >>>>>>>>>>>> ], >>>>>>>>>>>> >>>>>>>>>>>> "admin": { >>>>>>>>>>>> "realm": "master" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "eventsStore": { >>>>>>>>>>>> "provider": "jpa", >>>>>>>>>>>> "jpa": { >>>>>>>>>>>> "exclude-events": [ "REFRESH_TOKEN" ] >>>>>>>>>>>> } >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "realm": { >>>>>>>>>>>> "provider": "jpa" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "user": { >>>>>>>>>>>> "provider": "jpa" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "realmCache": { >>>>>>>>>>>> "provider": "infinispan" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "userCache": { >>>>>>>>>>>> "provider": "infinispan" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "userSessions": { >>>>>>>>>>>> "provider": "infinispan" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "timer": { >>>>>>>>>>>> "provider": "basic" >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "theme": { >>>>>>>>>>>> "default": "keycloak", >>>>>>>>>>>> "staticMaxAge": 2592000, >>>>>>>>>>>> "cacheTemplates": true, >>>>>>>>>>>> "cacheThemes": true, >>>>>>>>>>>> "folder": { >>>>>>>>>>>> "dir": "${jboss.server.config.dir}/themes" >>>>>>>>>>>> } >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "scheduled": { >>>>>>>>>>>> "interval": 900 >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "connectionsHttpClient": { >>>>>>>>>>>> "default": { >>>>>>>>>>>> "disable-trust-manager": true >>>>>>>>>>>> } >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "connectionsJpa": { >>>>>>>>>>>> "default": { >>>>>>>>>>>> "dataSource": "java:jboss/datasources/KeycloakDS", >>>>>>>>>>>> "databaseSchema": "update" >>>>>>>>>>>> } >>>>>>>>>>>> }, >>>>>>>>>>>> >>>>>>>>>>>> "connectionsInfinispan": { >>>>>>>>>>>> "default" : { >>>>>>>>>>>> "cacheContainer" : "java:jboss/infinispan/Keycloak" >>>>>>>>>>>> } >>>>>>>>>>>> } >>>>>>>>>>>> } >>>>>>>>>>>> >>>>>>>>>>>> On Wed, Sep 14, 2016 at 10:20 PM, Aman 
Jaiswal < >>>>>>>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi I am geting follwoing error when trying to integrate >>>>>>>>>>>>> infinispan with keycloak >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/bin/standalone.sh >>>>>>>>>>>>> --server-config=standalone-ha.xml -b=$ip >>>>>>>>>>>>> -Djava.net.preferIPv4Stack=true -Djboss.default.jgroups.stack=s3 >>>>>>>>>>>>> -Djgroups.s3.bucket=keycloak-dev >>>>>>>>>>>>> -Djgroups.s3.access_key=AKIAJLZZOFCWT37CYAXQ >>>>>>>>>>>>> -Djgroups.s3.secret_access_key=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 >>>>>>>>>>>>> -Djgroups.management.address=$ipkeycloakdevadmin >>>>>>>>>>>>> >>>>>>>>>>>>> ============================================================ >>>>>>>>>>>>> ============= >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> JBoss Bootstrap Environment >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> JAVA: java >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>>>>>>>>>>>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>>>>>>>>>>>> -Djboss.modules.system.pkgs=org.jboss.byteman >>>>>>>>>>>>> -Djava.awt.headless=true >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ============================================================ >>>>>>>>>>>>> ============= >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 16:16:59,292 INFO [org.jboss.modules] (main) JBoss Modules >>>>>>>>>>>>> version 1.5.1.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:16:59,556 INFO [org.jboss.msc] (main) JBoss MSC version >>>>>>>>>>>>> 1.2.6.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:16:59,648 INFO [org.jboss.as] (MSC service thread 1-3) >>>>>>>>>>>>> WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,235 INFO 
[org.jboss.as.controller.management-deprecated] >>>>>>>>>>>>> (ServerService Thread Pool -- 16) WFLYCTL0028: Attribute 'default-stack' in >>>>>>>>>>>>> the resource at address '/subsystem=jgroups' is deprecated, and may be >>>>>>>>>>>>> removed in future version. See the attribute description in the output of >>>>>>>>>>>>> the read-resource-description operation to learn more about the deprecation. >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,618 INFO [org.jboss.as.server] (Controller Boot >>>>>>>>>>>>> Thread) WFLYSRV0039: Creating http management service using socket-binding >>>>>>>>>>>>> (management-http) >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,647 INFO [org.xnio] (MSC service thread 1-2) XNIO >>>>>>>>>>>>> version 3.3.4.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,674 INFO [org.xnio.nio] (MSC service thread 1-2) >>>>>>>>>>>>> XNIO NIO Implementation Version 3.3.4.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,740 INFO [org.jboss.remoting] (MSC service thread >>>>>>>>>>>>> 1-2) JBoss Remoting version 4.0.18.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,786 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant >>>>>>>>>>>>> driver class org.h2.Driver (version 1.3) >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,792 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan >>>>>>>>>>>>> subsystem. 
>>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,794 INFO [org.wildfly.extension.io] (ServerService >>>>>>>>>>>>> Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 >>>>>>>>>>>>> core threads with 32 task threads based on your 2 available processors >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,811 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>>>> (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant >>>>>>>>>>>>> driver class com.mysql.jdbc.Driver (version 5.1) >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,846 INFO [org.jboss.as.clustering.jgroups] >>>>>>>>>>>>> (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups >>>>>>>>>>>>> subsystem. >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,875 INFO [org.jboss.as.jsf] (ServerService Thread >>>>>>>>>>>>> Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,901 INFO [org.jboss.as.connector] (MSC service >>>>>>>>>>>>> thread 1-3) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar >>>>>>>>>>>>> 1.3.2.Final) >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,907 INFO [org.jboss.as.connector.deployers.jdbc] >>>>>>>>>>>>> (MSC service thread 1-3) WFLYJCA0018: Started Driver service with >>>>>>>>>>>>> driver-name = mysql >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,908 INFO [org.jboss.as.connector.deployers.jdbc] >>>>>>>>>>>>> (MSC service thread 1-3) WFLYJCA0018: Started Driver service with >>>>>>>>>>>>> driver-name = h2 >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:01,912 INFO [org.jboss.as.naming] (ServerService Thread >>>>>>>>>>>>> Pool -- 49) WFLYNAM0001: Activating Naming Subsystem >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,026 INFO [org.jboss.as.security] (ServerService >>>>>>>>>>>>> Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,050 INFO [org.jboss.as.webservices] (ServerService >>>>>>>>>>>>> Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,066 INFO 
[org.jboss.as.security] (MSC service thread >>>>>>>>>>>>> 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,072 INFO [org.wildfly.extension.undertow] >>>>>>>>>>>>> (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,078 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>>> service thread 1-4) WFLYUT0003: Undertow 1.3.15.Final starting >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,112 INFO [org.jboss.as.naming] (MSC service thread >>>>>>>>>>>>> 1-4) WFLYNAM0003: Starting Naming Service >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,113 INFO [org.jboss.as.mail.extension] (MSC service >>>>>>>>>>>>> thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,394 INFO [org.wildfly.extension.undertow] >>>>>>>>>>>>> (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for >>>>>>>>>>>>> path '/home/ubuntu/keycloak/keycloak-2.1.0.Final/welcome-content' >>>>>>>>>>>>> with options [directory-listing: 'false', follow-symlink: 'false', >>>>>>>>>>>>> case-sensitive: 'true', safe-symlink-paths: '[]'] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,404 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>>> service thread 1-1) WFLYUT0012: Started server default-server. 
>>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,442 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>>> service thread 1-4) WFLYUT0018: Host default-host starting >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,515 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>>> service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on >>>>>>>>>>>>> 10.1.3.93:8080 >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,523 INFO [org.wildfly.extension.undertow] (MSC >>>>>>>>>>>>> service thread 1-1) WFLYUT0006: Undertow AJP listener ajp listening on >>>>>>>>>>>>> 10.1.3.93:8009 >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,527 INFO [org.jboss.modcluster] (ServerService >>>>>>>>>>>>> Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version >>>>>>>>>>>>> 1.3.1.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:02,542 INFO [org.jboss.modcluster] (ServerService >>>>>>>>>>>>> Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on / >>>>>>>>>>>>> 224.0.1.105:23364 >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:03,071 INFO [org.jboss.as.connector.subsystems.datasources] >>>>>>>>>>>>> (MSC service thread 1-2) WFLYJCA0001: Bound data source >>>>>>>>>>>>> [java:jboss/datasources/KeycloakDS] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:03,304 INFO [org.jboss.as.server.deployment] (MSC >>>>>>>>>>>>> service thread 1-3) WFLYSRV0027: Starting deployment of >>>>>>>>>>>>> "keycloak-server.war" (runtime-name: "keycloak-server.war") >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:03,627 INFO [org.jboss.ws.common.management] (MSC >>>>>>>>>>>>> service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF >>>>>>>>>>>>> 3.1.4) >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,079 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>>>> ISPN000078: Starting JGroups channel keycloak >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,080 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>>>> ISPN000078: Starting JGroups channel 
server >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>>> ISPN000078: Starting JGroups channel hibernate >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,081 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>>>> ISPN000078: Starting JGroups channel web >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>>>> ISPN000094: Received new cluster view for channel keycloak: >>>>>>>>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>>>> ISPN000094: Received new cluster view for channel server: [ip-10-1-3-93|0] >>>>>>>>>>>>> (1) [ip-10-1-3-93] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,096 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>>> ISPN000094: Received new cluster view for channel hibernate: >>>>>>>>>>>>> [ip-10-1-3-93|0] (1) [ip-10-1-3-93] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,098 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>>>> ISPN000094: Received new cluster view for channel web: [ip-10-1-3-93|0] (1) >>>>>>>>>>>>> [ip-10-1-3-93] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,101 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>>> ISPN000079: Channel hibernate local address is ip-10-1-3-93, physical >>>>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,102 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-1) >>>>>>>>>>>>> ISPN000079: Channel server local address is ip-10-1-3-93, physical 
>>>>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,105 INFO [org.infinispan.factories.GlobalComponentRegistry] >>>>>>>>>>>>> (MSC service thread 1-3) ISPN000128: Infinispan version: Infinispan 'Mahou' >>>>>>>>>>>>> 8.1.0.Final >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-2) >>>>>>>>>>>>> ISPN000079: Channel web local address is ip-10-1-3-93, physical addresses >>>>>>>>>>>>> are [10.1.3.93:55200] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,108 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-4) >>>>>>>>>>>>> ISPN000079: Channel keycloak local address is ip-10-1-3-93, physical >>>>>>>>>>>>> addresses are [10.1.3.93:55200] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,147 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>>> ISPN000078: Starting JGroups channel ejb >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>>> ISPN000094: Received new cluster view for channel ejb: [ip-10-1-3-93|0] (1) >>>>>>>>>>>>> [ip-10-1-3-93] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,150 INFO [org.infinispan.remoting.tran >>>>>>>>>>>>> sport.jgroups.JGroupsTransport] (MSC service thread 1-3) >>>>>>>>>>>>> ISPN000079: Channel ejb local address is ip-10-1-3-93, physical addresses >>>>>>>>>>>>> are [10.1.3.93:55200] >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,473 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 67) WFLYCLINF0002: Started work cache from >>>>>>>>>>>>> keycloak container >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,482 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from >>>>>>>>>>>>> keycloak container >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,487 INFO 
[org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions >>>>>>>>>>>>> cache from keycloak container >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,491 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 66) WFLYCLINF0002: Started loginFailures >>>>>>>>>>>>> cache from keycloak container >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,492 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 63) WFLYCLINF0002: Started sessions cache >>>>>>>>>>>>> from keycloak container >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:08,494 INFO [org.jboss.as.clustering.infinispan] >>>>>>>>>>>>> (ServerService Thread Pool -- 62) WFLYCLINF0002: Started users cache from >>>>>>>>>>>>> keycloak container >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,206 INFO [org.keycloak.services] (ServerService >>>>>>>>>>>>> Thread Pool -- 66) KC-SERVICES0001: Loading config from >>>>>>>>>>>>> /home/ubuntu/keycloak/keycloak-2.1.0.Final/standalone/config >>>>>>>>>>>>> uration/keycloak-server.json >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,477 ERROR [org.jboss.msc.service.fail] (ServerService >>>>>>>>>>>>> Thread Pool -- 66) MSC000001: Failed to start service >>>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>>> .deployment.UndertowDeploymentService$1.run(UndertowDeployme >>>>>>>>>>>>> ntService.java:85) >>>>>>>>>>>>> >>>>>>>>>>>>> at java.util.concurrent.Executors >>>>>>>>>>>>> $RunnableAdapter.call(Executors.java:511) >>>>>>>>>>>>> >>>>>>>>>>>>> at 
java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>>>>>>>>>> >>>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>>> lExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>>>>>>>>>> >>>>>>>>>>>>> at java.util.concurrent.ThreadPoo >>>>>>>>>>>>> lExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>>>>>>>>>> >>>>>>>>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>>>>>>>>>> >>>>>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed >>>>>>>>>>>>> to construct public org.keycloak.services.resource >>>>>>>>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>>>>>>>> .resteasy.core.Dispatcher) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.core.Constr >>>>>>>>>>>>> uctorInjectorImpl.construct(ConstructorInjectorImpl.java:162) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>>>> yProviderFactory.createProviderInstance(ResteasyProviderFact >>>>>>>>>>>>> ory.java:2209) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>>>> yDeployment.createApplication(ResteasyDeployment.java:299) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.spi.Resteas >>>>>>>>>>>>> yDeployment.start(ResteasyDeployment.java:240) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.plugins.ser >>>>>>>>>>>>> ver.servlet.ServletContainerDispatcher.init(ServletContainer >>>>>>>>>>>>> Dispatcher.java:113) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.plugins.ser >>>>>>>>>>>>> ver.servlet.HttpServletDispatcher.init(HttpServletDispatcher >>>>>>>>>>>>> .java:36) >>>>>>>>>>>>> >>>>>>>>>>>>> at io.undertow.servlet.core.Lifec >>>>>>>>>>>>> yleInterceptorInvocation.proceed(LifecyleInterceptorInvocati >>>>>>>>>>>>> on.java:117) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>>> .security.RunAsLifecycleInterceptor.init(RunAsLifecycleInter >>>>>>>>>>>>> ceptor.java:78) >>>>>>>>>>>>> >>>>>>>>>>>>> at 
io.undertow.servlet.core.Lifec >>>>>>>>>>>>> yleInterceptorInvocation.proceed(LifecyleInterceptorInvocati >>>>>>>>>>>>> on.java:103) >>>>>>>>>>>>> >>>>>>>>>>>>> at io.undertow.servlet.core.Manag >>>>>>>>>>>>> edServlet$DefaultInstanceStrategy.start(ManagedServlet.java: >>>>>>>>>>>>> 231) >>>>>>>>>>>>> >>>>>>>>>>>>> at io.undertow.servlet.core.Manag >>>>>>>>>>>>> edServlet.createServlet(ManagedServlet.java:132) >>>>>>>>>>>>> >>>>>>>>>>>>> at io.undertow.servlet.core.Deplo >>>>>>>>>>>>> ymentManagerImpl.start(DeploymentManagerImpl.java:526) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>>> .deployment.UndertowDeploymentService.startContext(UndertowD >>>>>>>>>>>>> eploymentService.java:101) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.wildfly.extension.undertow >>>>>>>>>>>>> .deployment.UndertowDeploymentService$1.run(UndertowDeployme >>>>>>>>>>>>> ntService.java:82) >>>>>>>>>>>>> >>>>>>>>>>>>> ... 6 more >>>>>>>>>>>>> >>>>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find provider >>>>>>>>>>>>> infinispan for realmCache >>>>>>>>>>>>> >>>>>>>>>>>>> at org.keycloak.services.DefaultK >>>>>>>>>>>>> eycloakSessionFactory.loadSPIs(DefaultKeycloakSessionFactory >>>>>>>>>>>>> .java:96) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.keycloak.services.DefaultK >>>>>>>>>>>>> eycloakSessionFactory.init(DefaultKeycloakSessionFactory.jav >>>>>>>>>>>>> a:75) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.keycloak.services.resource >>>>>>>>>>>>> s.KeycloakApplication.createSessionFactory(KeycloakApplicati >>>>>>>>>>>>> on.java:244) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.keycloak.services.resource >>>>>>>>>>>>> s.KeycloakApplication.(KeycloakApplication.java:78) >>>>>>>>>>>>> >>>>>>>>>>>>> at sun.reflect.NativeConstructorA >>>>>>>>>>>>> ccessorImpl.newInstance0(Native Method) >>>>>>>>>>>>> >>>>>>>>>>>>> at sun.reflect.NativeConstructorA >>>>>>>>>>>>> ccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>>>>>>>>>> >>>>>>>>>>>>> at sun.reflect.DelegatingConstruc 
>>>>>>>>>>>>> torAccessorImpl.newInstance(DelegatingConstructorAccessorImp >>>>>>>>>>>>> l.java:45) >>>>>>>>>>>>> >>>>>>>>>>>>> at java.lang.reflect.Constructor. >>>>>>>>>>>>> newInstance(Constructor.java:423) >>>>>>>>>>>>> >>>>>>>>>>>>> at org.jboss.resteasy.core.Constr >>>>>>>>>>>>> uctorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>>>>>>>>>>>> >>>>>>>>>>>>> ... 19 more >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,482 ERROR [org.jboss.as.controller.management-operation] >>>>>>>>>>>>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: >>>>>>>>>>>>> ([("deployment" => "keycloak-server.war")]) - failure description: >>>>>>>>>>>>> {"WFLYCTL0080: Failed services" => {" >>>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth" >>>>>>>>>>>>> => "org.jboss.msc.service.StartException in service >>>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>>>> >>>>>>>>>>>>> Caused by: java.lang.RuntimeException: RESTEASY003325: >>>>>>>>>>>>> Failed to construct public org.keycloak.services.resource >>>>>>>>>>>>> s.KeycloakApplication(javax.servlet.ServletContext,org.jboss >>>>>>>>>>>>> .resteasy.core.Dispatcher) >>>>>>>>>>>>> >>>>>>>>>>>>> Caused by: java.lang.RuntimeException: Failed to find >>>>>>>>>>>>> provider infinispan for realmCache"}} >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,543 INFO [org.jboss.as.server] (ServerService Thread >>>>>>>>>>>>> Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : >>>>>>>>>>>>> "keycloak-server.war") >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,545 INFO [org.jboss.as.controller] (Controller Boot >>>>>>>>>>>>> Thread) WFLYCTL0183: Service status report >>>>>>>>>>>>> >>>>>>>>>>>>> WFLYCTL0186: Services which 
failed to start: service >>>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>>> org.jboss.msc.service.StartException in service >>>>>>>>>>>>> jboss.undertow.deployment.default-server.default-host./auth: >>>>>>>>>>>>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>>>>>>>>>>>> org.keycloak.services.resources.KeycloakApplication(javax.se >>>>>>>>>>>>> rvlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,750 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>>>> WFLYSRV0060: Http management interface listening on >>>>>>>>>>>>> http://127.0.0.1:9990/management >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,751 INFO [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>>>> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 >>>>>>>>>>>>> >>>>>>>>>>>>> 16:17:09,753 ERROR [org.jboss.as] (Controller Boot Thread) >>>>>>>>>>>>> WFLYSRV0026: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) started (with >>>>>>>>>>>>> errors) in 10846ms - Started 475 of 853 services (2 services failed or >>>>>>>>>>>>> missing dependencies, 588 services are lazy, passive or on-demand) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Thanks, >>>>>>>>>>>>> Aman Jaiswal >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Aman Jaiswal >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Thanks, >>>>>>>>>> Aman Jaiswal >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Thanks, >>>>>>>> Aman Jaiswal >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Thanks, >>>>>>> Aman Jaiswal >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Aman Jaiswal >>>>> >>>> >>>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -- Thanks, Aman Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... 
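The thread above ends with Stian's diagnosis: the posted keycloak-server.json was copied from 1.5.0, and on 2.1.0 the 'realmCache' and 'userCache' SPIs must use the 'default' provider, which is exactly what the "Failed to find provider infinispan for realmCache" startup error says. The following is an added example, not code from the list or from the Keycloak project: a small Python lint for a copied-forward keycloak-server.json. SAMPLE_CONFIG is constructed from the file Aman posted, trimmed to the relevant sections. The two provider checks encode Stian's guidance; the trust-manager check is this editor's addition, flagging the `"disable-trust-manager": true` setting that the posted file also carries (it turns off certificate validation for Keycloak's outbound HTTPS connections, and the real `truststore` option of the same section is the fix).

```python
"""Lint a keycloak-server.json that was copied forward from an older Keycloak release.

Added example (not from the thread or the Keycloak project). SAMPLE_CONFIG is a
constructed cut-down copy of the config posted in the thread.
"""
import copy
import json

# SPI name -> provider a Keycloak 2.1.0 keycloak-server.json is expected to carry
# (per Stian's reply: 'realmCache' and 'userCache' "should just be 'default'").
EXPECTED_PROVIDERS = {
    "realmCache": "default",
    "userCache": "default",
}

# Constructed sample with the two stale cache providers and the disabled
# trust manager left in place, as in the posted file.
SAMPLE_CONFIG = json.loads("""
{
  "realm":        {"provider": "jpa"},
  "user":         {"provider": "jpa"},
  "realmCache":   {"provider": "infinispan"},
  "userCache":    {"provider": "infinispan"},
  "userSessions": {"provider": "infinispan"},
  "connectionsHttpClient": {"default": {"disable-trust-manager": true}},
  "connectionsInfinispan": {"default": {"cacheContainer": "java:jboss/infinispan/Keycloak"}}
}
""")


def lint_server_config(config: dict) -> list:
    """Return findings as dicts with 'level', 'path' and 'message'."""
    findings = []
    for spi, expected in EXPECTED_PROVIDERS.items():
        section = config.get(spi)
        if not isinstance(section, dict):
            continue  # section absent: the server falls back to its built-in default
        actual = section.get("provider")
        if actual != expected:
            findings.append({
                "level": "error",
                "path": f"{spi}.provider",
                "message": (f"provider '{actual}' does not exist for '{spi}' on 2.1.0 "
                            f"(startup fails with 'Failed to find provider'); "
                            f"set it to '{expected}'"),
            })
    http_client = config.get("connectionsHttpClient", {}).get("default", {})
    if http_client.get("disable-trust-manager") is True:
        findings.append({
            "level": "warning",
            "path": "connectionsHttpClient.default.disable-trust-manager",
            "message": ("outbound HTTPS certificate validation is switched off; remove the "
                        "key and point 'truststore' at a keystore holding the remote CA"),
        })
    return findings


def fix_cache_providers(config: dict) -> dict:
    """Return a deep copy with the stale cache providers rewritten to 'default'."""
    fixed = copy.deepcopy(config)
    for spi, expected in EXPECTED_PROVIDERS.items():
        if isinstance(fixed.get(spi), dict):
            fixed[spi]["provider"] = expected
    return fixed


def lint_file(path: str) -> list:
    """Lint a file on disk, e.g. standalone/configuration/keycloak-server.json."""
    with open(path, encoding="utf-8") as fh:
        return lint_server_config(json.load(fh))


if __name__ == "__main__":
    for finding in lint_server_config(SAMPLE_CONFIG):
        print(f"{finding['level']:7} {finding['path']}: {finding['message']}")
    print("remaining after fix:", lint_server_config(fix_cache_providers(SAMPLE_CONFIG)))
```

Run against the sample, the two cache providers come back as errors and the trust-manager setting as a warning; after `fix_cache_providers` only the warning remains, which is deliberate, since that one needs a truststore rather than a mechanical rewrite.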
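Earlier in this digest Stian answers Tin's question (how to tell from code whether a user is locked or temporarily disabled) by pointing at two admin REST endpoints: the UserRepresentation, whose `enabled` flag covers an account an administrator (or a permanent brute-force lockout) has disabled, and the brute-force status resource, which only reports a temporary lockout. The following is an added example, not code from the list or from the Keycloak project; it uses the admin REST API directly through `urllib` instead of the Java keycloak-admin-client Tin uses, so that both lookups and the combined decision are visible. The server URL, realm, user id and admin credentials are placeholders, and the two SAMPLE_* JSON bodies are constructed to match the shape of those endpoints' responses.

```python
"""Classify a Keycloak user as active, admin-disabled or temporarily locked.

Added example (not from the thread or the Keycloak project). Endpoints used:
  GET /admin/realms/{realm}/users/{id}                              -> UserRepresentation
  GET /admin/realms/{realm}/attack-detection/brute-force/users/{id} -> brute-force status
Base URL, realm, user id and credentials below are placeholders.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample responses with the shape of the two endpoints.
SAMPLE_USER = {"id": "00000000-0000-0000-0000-000000000001", "username": "alice", "enabled": True}
SAMPLE_BRUTE_FORCE_LOCKED = {"disabled": True, "numFailures": 5, "lastIPFailure": "198.51.100.7"}
SAMPLE_BRUTE_FORCE_CLEAN = {"disabled": False, "numFailures": 0, "lastIPFailure": "n/a"}


def classify_user(user_rep: dict, brute_force: dict) -> dict:
    """Combine both responses into one status.

    'enabled' == False means the account itself is disabled (admin action or a
    permanent lockout). The brute-force status only says whether the user is
    *temporarily* locked out right now (Stian's caveat), so both are needed.
    """
    admin_disabled = not user_rep.get("enabled", True)
    temp_locked = bool(brute_force.get("disabled", False))
    if admin_disabled:
        state = "disabled"
    elif temp_locked:
        state = "temporarily_locked"
    else:
        state = "active"
    return {
        "username": user_rep.get("username"),
        "state": state,
        "admin_disabled": admin_disabled,
        "temporarily_locked": temp_locked,
        "failed_logins": int(brute_force.get("numFailures", 0)),
        "last_failure_ip": brute_force.get("lastIPFailure"),
    }


def admin_token(base_url: str, username: str, password: str) -> str:
    """Obtain an admin access token from the master realm (admin-cli, password grant)."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _get_json(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def user_status(base_url: str, token: str, realm: str, user_id: str) -> dict:
    """Fetch both resources for one user and classify them (live call)."""
    realm_q = urllib.parse.quote(realm, safe="")
    uid_q = urllib.parse.quote(user_id, safe="")
    user_rep = _get_json(f"{base_url}/admin/realms/{realm_q}/users/{uid_q}", token)
    brute = _get_json(
        f"{base_url}/admin/realms/{realm_q}/attack-detection/brute-force/users/{uid_q}", token)
    return classify_user(user_rep, brute)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify_user(SAMPLE_USER, SAMPLE_BRUTE_FORCE_LOCKED))
    print(classify_user(dict(SAMPLE_USER, enabled=False), SAMPLE_BRUTE_FORCE_CLEAN))
    # Live use (placeholders): token = admin_token("https://sso.example.invalid/auth", "admin", "...")
    #                          print(user_status("https://sso.example.invalid/auth", token, "myrealm", SAMPLE_USER["id"]))
```

The decision order matters: an account that is both disabled and inside a brute-force window reports "disabled", because re-enabling it is the administrator's call, while a temporary lock clears on its own once the configured wait expires.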
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/f111cc46/attachment-0001.html

From postmaster at lists.jboss.org Fri Sep 16 03:56:14 2016
From: postmaster at lists.jboss.org (Mail Delivery Subsystem)
Date: Fri, 16 Sep 2016 13:26:14 +0530
Subject: [keycloak-user] Returned mail: Data format error
Message-ID: <201609160756.u8G7uDno028074@lists01.dmz-a.mwc.hst.phx2.redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vggmfz.zip
Type: application/octet-stream
Size: 28982 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/4f39b850/attachment-0001.obj

From sblanc at redhat.com Fri Sep 16 04:24:51 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 16 Sep 2016 10:24:51 +0200
Subject: [keycloak-user] Ideas for the JavaOne's KeyCloak Hackengarten
Message-ID:

Hi!

Next week I will be at JavaOne, and during the week I will have the privilege to lead the hackergarten area for an afternoon. For sure, I would like to bring up the KeyCloak project (along with Forge and maybe Swarm). For those who don't know what a hackergarten is: http://hackergarten.net/

So, do we have any JIRAs, docs, or tests missing that would fit a 3-hour hacker session?

My own ideas:
- Work on the Keycloak Forge Addon: create clients from Forge etc.
- Start exploring a Keycloak Go adapter
- Polish Java adapter documentation

I await your ideas!

Sebi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/0092eb64/attachment.html

From chairfield at gmail.com Fri Sep 16 05:02:22 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Fri, 16 Sep 2016 09:02:22 +0000
Subject: [keycloak-user] Why is email required when joining via Google?
In-Reply-To: <57CE6404.2080101@redhat.com>
References: <57CE6404.2080101@redhat.com>
Message-ID:

It's been a while, but I just figured this out.
You were right to point me back to the docs. We had an incorrect value for default scopes. By leaving it blank, those 3 inputs were avoided.

Thanks, Marek!

On Tue, Sep 6, 2016 at 12:36 AM Marek Posolda wrote:
> That's strange. Email should be automatically added from Google though.
> Did you follow the steps for setting up your Google application based on our
> docs? See
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/identity-broker/social/google.html
> .
>
> Also, are you sure you are using your Gmail account and not some different
> Google Apps domain account?
>
> Marek
>
>
> On 01/09/16 01:04, Chris Hairfield wrote:
> Hello,
>
> I'm attempting to register via the Google OAuth link. Keycloak routes me
> to Google where I authorize my app. Then I'm returned to Keycloak.
>
> Why am I asked to input my email (below)? Keycloak requests
> the email scope and Google is an email provider. Why is my Google email not
> automatically stored as the email of this new account?
>
> I even have Trust Email on for Google.
>
> Chris
>
> [image: keycloak-q.png]
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/dc6c3676/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 24501 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/dc6c3676/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 24501 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/dc6c3676/attachment-0003.png

From federico at info.nl Fri Sep 16 05:51:37 2016
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Fri, 16 Sep 2016 09:51:37 +0000
Subject: [keycloak-user] How to add new custom form for additional user management
Message-ID: <796F199F-EACE-493A-A0C5-83AD9C62977B@info.nl>

Hello,

In my Keycloak configuration, there are a number of custom attributes defined for each user. I would like to offer the possibility to manage these attributes in a form similar to the "account profile" form, not using and modifying the existing account.ftl itself, but creating a new template for that (e.g. secondary_account.ftl).

What is the recommended approach to do this?

I would assume I need to create a new SPI, but I am not sure what the next steps would be to configure it and make it work. I think what I need is something in the same direction as the domain-extension example, but it's not exactly the same, as I want to 1) create a new form and 2) base that form's data on the existing domain of the user.

Could someone give some pointers?

Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160916/28893036/attachment.html

From mposolda at redhat.com Fri Sep 16 05:55:26 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Sep 2016 11:55:26 +0200
Subject: [keycloak-user] How to add new custom form for additional user management
In-Reply-To: <796F199F-EACE-493A-A0C5-83AD9C62977B@info.nl>
References: <796F199F-EACE-493A-A0C5-83AD9C62977B@info.nl>
Message-ID:

We have a theme SPI, which allows you to override themes. See our "theme" examples in keycloak-examples, especially the address theme, which looks to be exactly what you want.
Marek

On 16/09/16 11:51, Federico Navarro Polo - Info.nl wrote:
> Hello,
>
> In my Keycloak configuration, there are a number of custom attributes defined for each user. I would like to offer the possibility to manage these attributes in a form similar to the "account profile" form, not using and modifying the existing account.ftl itself, but creating a new template for that (eg: secondary_account.ftl).
>
> What is the recommended approach to do this?
>
> I would assume I need to create a new SPI, but I am not sure what would be the next steps to configure it and make it work. I think what I need is something in the same direction as the domain-extension example, but it's not exactly the same, as I want to 1) create a new form and 2) base that form data in the existing domain of the user.
>
> Could someone give some pointers?
>
> Thanks in advance!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From federico at info.nl Fri Sep 16 06:18:41 2016
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Fri, 16 Sep 2016 10:18:41 +0000
Subject: [keycloak-user] How to add new custom form for additional user management
In-Reply-To:
References: <796F199F-EACE-493A-A0C5-83AD9C62977B@info.nl>
Message-ID: <3794C364-15A8-48DE-970E-271C0BD03B6B@info.nl>

Hello Marek,

Thanks for your answer. The address example does not cover exactly what I would like to have, as it modifies the existing account.ftl. I would like to leave the account.ftl as it is, but have a custom form to manage only the custom attributes.
In other words, when I access the /auth/realms/abc/account page, I can see there is a sidebar menu on the left with options like: "Account", "Password", "Authenticator", and so on. I would like to add a new item in that sidebar and be able to access it through something like /auth/realms/abc/account/custom

Is there an example for that?

Regards,
Federico

From: Marek Posolda
Date: Friday 16 September 2016 at 11:55
To: Federico Navarro Polo, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] How to add new custom form for additional user management

We have theme SPI, which allows to override themes. See our "theme" examples in the keycloak-examples, especially address theme, which looks to be exactly what you want.

Marek

On 16/09/16 11:51, Federico Navarro Polo - Info.nl wrote:
Hello,

In my Keycloak configuration, there are a number of custom attributes defined for each user. I would like to offer the possibility to manage these attributes in a form similar to the "account profile" form, not using and modifying the existing account.ftl itself, but creating a new template for that (eg: secondary_account.ftl).

What is the recommended approach to do this?

I would assume I need to create a new SPI, but I am not sure what would be the next steps to configure it and make it work. I think what I need is something in the same direction as the domain-extension example, but it's not exactly the same, as I want to 1) create a new form and 2) base that form data in the existing domain of the user.

Could someone give some pointers?

Thanks in advance!

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
From sthorger at redhat.com Fri Sep 16 06:49:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 16 Sep 2016 12:49:58 +0200
Subject: [keycloak-user] Ideas for the JavaOne's KeyCloak Hackengarten
In-Reply-To:
References:
Message-ID:

Nice. Some ideas from me:

* *Identify what sucks and fix it*. Reducing and simplifying steps to secure an application or service.
* Automatic/dynamic client registration built-in to WF subsystem, or maybe to adapter in general
* Ability to force token validation on server-side in services using token introspection endpoint
* Way to specify what URLs are RESTful services and what are web app when both are combined in same WAR (first should return 401, second should redirect to login page)
* Role mapping - ability to map realm and client roles onto different JEE roles
* Remove the need to specify security domain in EJBs

By the way Go ain't Java? So is that not out of scope for JavaOne? Just curious.

On 16 September 2016 at 10:24, Sebastien Blanc wrote:
> Hi !
>
> Next week I will be at JavaOne, during the week I will have the privilege to lead for an afternoon the hackergarten area. For sure, I would like to bring up the KeyCloak project (along with Forge and maybe Swarm).
> For those who don't know what an hackergarten is: http://hackergarten.net/
>
> So, do we have any JIRAs, docs, tests missing that would fit for a 3 hours hacker session?
>
> My own ideas:
> - Work on the Keycloak Forge Addon: Create Clients from Forge etc ...
> - Start exploring a Keycloak Go Adapter
> - Polish Java Adapter Documentation
>
> I wait for your ideas!
>
> Sebi
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From aman.jaiswal at arvindinternet.com Fri Sep 16 11:07:57 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Fri, 16 Sep 2016 20:37:57 +0530
Subject: [keycloak-user] Error On Https
Message-ID:

Hi team

when I am trying to hit the URL for Keycloak with *Https* it does not load but works fine with Http

--
Thanks,
Aman Jaiswal

From jorsol at gmail.com Fri Sep 16 13:23:40 2016
From: jorsol at gmail.com (Jorge Solórzano)
Date: Fri, 16 Sep 2016 17:23:40 +0000
Subject: [keycloak-user] Error On Https
In-Reply-To:
References:
Message-ID:

How did you configure https? You should reformulate your questions if you want to get an answer. Did you read the manual?

If you post something like this in stackoverflow it will be closed immediately.

Regards,

On Fri, Sep 16, 2016 at 9:10 AM, Aman Jaiswal <aman.jaiswal at arvindinternet.com> wrote:
> Hi team
>
> when I am trying to hit the URL for Keycloak with *Https* it does not load but works fine with Http
>
> --
> Thanks,
> Aman Jaiswal
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Jorge Solórzano
me.jorsol.com
From i.pop at centurylink.net Sat Sep 17 22:15:07 2016
From: i.pop at centurylink.net (i.pop at centurylink.net)
Date: Sat, 17 Sep 2016 22:15:07 -0400 (EDT)
Subject: [keycloak-user] Setting up a Keycloak Domain Cluster
In-Reply-To: <1372641136.12644228.1474158984531.JavaMail.root@centurylink.net>
Message-ID: <1808317031.12684437.1474164907188.JavaMail.root@centurylink.net>

Hi,

I work on a POC to use Keycloak to secure a set of microservices (Java-written SpringBoot & gradle projects). I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySql) db to replace the embedded H2 db. I have configured a Keycloak Domain Mode cluster using the keycloak documentation "Server Installation and Configuration Guide".

1. I have logged on the master keycloak server and configured my new Realm that has my microservice processes as clients. I have added roles, users, groups, etc. The realm configuration of the master keycloak instance got replicated on the slave instances (I can see the cluster running when logging on to the WildFly Management Interface).

2. I have added to all microservice java projects the keycloak securing code:
2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak server (Client's "Installation" utility)
2.2 Added to the project's Application class a system property, to target the keycloak.json file generated by the MASTER keycloak instance:
    System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
2.3 Created a new config package class:
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
2.4 Added to the build.gradle file the keycloak spring security adapter compilation:
    compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'

Note.
I have compared the content of the json format code generated by the Client "Installation" utility of the slave instances against the master instance and THE ONLY DIFFERENCE is the "auth-server-url" line (having the specific node URL address).

3. Now, I want to do the test of accessing particular resources of my microservice applications (additional info: I did not implement any load-balancer in front of the keycloak cluster): I have created a simple java program that uses a Basic Authorization procedure to get an access token, and then uses this token to send request messages to my microservice application and get the expected response messages.
- When I use the MASTER instance's authorization endpoint to get an access token, I get the expected response message (because, I presume, my microservice application's attached keycloak.json file has HARDCODED content generated by the MASTER instance & containing the MASTER's authorization endpoint).
- When I use either-one SLAVE keycloak instance's authorization & token generation endpoint to generate an access token, my request fails with a 401 error: "Unable to authenticate bearer token"

I believe or feel I use a wrong approach to solve my problem. My microservice applications (at this time) DO NOT KNOW anything about whether I use a domain mode cluster or a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak instance's (MASTER's) "auth-server-url" info).

Here, I need your help to enlighten me. Is there another approach to handle my problem? It should be, otherwise why write about Domain Mode in the Keycloak Release documentation. Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain Cluster and how to do test simulations with it.

I would appreciate any help on this issue.

Thanks,
Ioan
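The 401 in the message above is what an adapter produces when a token's issuer does not match its own configuration: Keycloak's adapters build the expected realm URL as auth-server-url + /realms/ + realm from keycloak.json and compare it with the token's `iss` claim, so a token minted by a node whose URL is not the configured one is rejected even though the cluster nodes share the same realm keys. The following diagnostic is an added example, not code from the thread or from Keycloak; the keycloak.json contents, hostnames (vm1/vm2.example.test) and tokens are constructed, and the tokens carry a dummy signature segment and are never verified here, so this is a troubleshooting aid and does not replace the adapter's signature check.

```python
"""Explain an adapter's issuer mismatch for a Keycloak bearer token.

Added example (not from the mailing-list thread or the Keycloak project).
Assumption: the adapter expects iss == <auth-server-url>/realms/<realm>.
All sample values below are constructed.
"""
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.
    Diagnostic only: signature and expiry checks stay with the adapter."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(adapter_config: dict) -> str:
    # Mirrors the adapter's realm URL: auth-server-url + /realms/ + realm.
    base = adapter_config["auth-server-url"].rstrip("/")
    return f"{base}/realms/{adapter_config['realm']}"


def explain_issuer_mismatch(adapter_config: dict, token: str) -> dict:
    """Compare the token's iss claim with the issuer the adapter trusts."""
    expected = expected_issuer(adapter_config)
    actual = jwt_claims(token).get("iss", "")
    ok = actual == expected
    exp_host = urlparse(expected).netloc
    act_host = urlparse(actual).netloc
    if ok:
        reason = "issuer matches adapter configuration"
    elif exp_host != act_host:
        reason = (f"token was issued by node {act_host!r} but the adapter only trusts "
                  f"{exp_host!r}; put one public URL (e.g. a load balancer) in "
                  f"auth-server-url so every node issues the same 'iss'")
    else:
        reason = "issuer host matches but the realm path differs"
    return {"ok": ok, "expected_iss": expected, "actual_iss": actual, "reason": reason}


def _make_sample_token(claims: dict) -> str:
    # Constructed test token: real header/payload encoding, placeholder signature.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: keycloak.json as generated on the master node.
SAMPLE_CONFIG = {"realm": "demo", "auth-server-url": "http://vm1.example.test:8080/auth"}
TOKEN_FROM_MASTER = _make_sample_token(
    {"iss": "http://vm1.example.test:8080/auth/realms/demo", "sub": "u1"})
TOKEN_FROM_SLAVE = _make_sample_token(
    {"iss": "http://vm2.example.test:8080/auth/realms/demo", "sub": "u1"})

if __name__ == "__main__":
    for token in (TOKEN_FROM_MASTER, TOKEN_FROM_SLAVE):
        print(explain_issuer_mismatch(SAMPLE_CONFIG, token))
```

Run against a real token copied from the failing request, the `reason` field tells you whether the adapter and the issuing node disagree on the host (the situation described in the message) or only on the realm path.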
From haimv at perfectomobile.com Mon Sep 19 06:27:00 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Mon, 19 Sep 2016 10:27:00 +0000
Subject: [keycloak-user] Offline tokens with external IDP
In-Reply-To:
References:
Message-ID:

Hi,

I have combined the offline-access and the saml-broker-authentication examples in order to create a demo for generating offline tokens.

It works as expected with the External IDP, however when the user is already logged in the offline token is not generated - a regular token is generated instead.

Any idea if it is as designed or am I doing something wrong? If it is by design, is there any workaround to generate the External IDP offline token without user logout?

Thanks,
Haim.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, August 16, 2016 12:09 PM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Offline tokens with external IDP

On 16 August 2016 at 10:11, Haim Vana wrote:
Hi Stian,

Thanks for your answer. What I meant to ask is how to create an offline token for an external IDP, I wasn't able to do it with the REST API (I am able to do it if it's not an external IDP). The only way I managed to do it was when adding offline_access to the UI login page, so for an external IDP - is it the only way? REST API is not supported?

Login page is the only way for external IdPs.

Assuming it's the only way I thought to create an external UI service for the user to log in and get his offline token. What do you think about such a solution? Also if the user is already logged in - do you know if the offline token will be created? Or will they have to logout and login again?

Depends on what your script is implemented in; it can also start a web server on localhost, then popup the browser window to do the login and finally it'll get the code and can get the offline token directly itself.
Take a look at our customer-app-cli example. It doesn't do offline token, but would be trivial to change it to do that instead.

Thanks,
Haim.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, August 16, 2016 10:52 AM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Offline tokens with external IDP

On 25 July 2016 at 09:01, Haim Vana wrote:
Hi,

We are using KeyCloak for several weeks now, one of the flows is user script authentication with offline token:
1. The user logs in to the UI
2. Generates an offline token by entering his password again
3. Puts the offline token in his script
4. Executes the script

Now we want to add external IDP support, first is it possible to generate offline tokens for an external IDP in KeyCloak? If so how?

Assuming you're using the Keycloak login screen it's just a matter of configuring the external IdP as an identity broker provider and it will be displayed as an option on the login screen.

Second, in section #2 above the user enters his password to generate the offline token, with an external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however does it make sense to create an offline token for every login?

You shouldn't create offline token for every login, just once for a new user or once offline token is no longer valid.

Thanks,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Mon Sep 19 08:59:36 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 19 Sep 2016 14:59:36 +0200
Subject: [keycloak-user] Migrate provider config from Keycloak 2.1.0.Final to 2.2.0.Final
Message-ID:

Hello,

I'm currently trying to migrate our Keycloak configuration from 2.1.0.Final to 2.2.0.Final.
Since we have some custom extensions deployed as jboss-modules in Keycloak I need to convert the configuration from "keycloak-server.json" to the appropriate form in standalone-ha.xml.

I tried to do that via jboss-cli but I seem to miss something... I currently don't see a way to do that via the cli and since I currently don't want to fall back to XSLT I wonder: Does anyone have a hint for converting the providers configuration from:

keycloak-server.json:
{
  "providers" : [ "classpath:${jboss.home.dir}/providers/*"
                , "module:com.acme.idm.keycloak.idm-keycloak-ext-login-action"
                , "module:com.acme.idm.keycloak.jms-forwarding-event-listener" ]
  ...

to:

standalone-ha.xml:
<web-context>auth</web-context>
<providers>
    <provider>classpath:${jboss.home.dir}/providers/*</provider>
</providers>
...
???

Thanks in advance!

Cheers,
Thomas

From thomas.darimont at googlemail.com Mon Sep 19 09:11:29 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 19 Sep 2016 15:11:29 +0200
Subject: [keycloak-user] Migrate provider config from Keycloak 2.1.0.Final to 2.2.0.Final
In-Reply-To:
References:
Message-ID:

Nevermind, got it...

D:\dev\server\keycloak-2.2.0.Final>bin\jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone at localhost:9990 /] /subsystem=keycloak-server:list-add(
index=  name=  value=
[standalone at localhost:9990 /]
[standalone at localhost:9990 /] /subsystem=keycloak-server:list-add(name=providers,value=module:com.acme.idm.keycloak.jms-forwarding-event-listener)
{"outcome" => "success"}
[standalone at localhost:9990 /] ls /subsystem=keycloak-server
spi
theme
master-realm-name=master
providers=[expression "classpath:${jboss.home.dir}/providers/*","module:com.acme.idm.keycloak.idm-keycloak-ext-login-action","module:com.acme.idm.keycloak.jms-forwarding-event-listener"]
scheduled-task-interval=900
web-context=auth

Cheers,
Thomas

2016-09-19 14:59 GMT+02:00 Thomas Darimont:
> Hello,
>
> I'm currently trying to migrate our Keycloak configuration from 2.1.0.Final to 2.2.0.Final.
> Since we have some custom extensions deployed as jboss-modules in Keycloak I need to convert the configuration from "keycloak-server.json" to the appropriate form in standalone-ha.xml.
>
> I tried to do that via jboss-cli but I seem to miss something... I currently don't see a way to do that via the cli and since I currently don't want to fall back to XSLT I wonder:
> Does anyone have a hint for converting the providers configuration from:
>
> keycloak-server.json:
> {
>   "providers" : [ "classpath:${jboss.home.dir}/providers/*"
>                 , "module:com.acme.idm.keycloak.idm-keycloak-ext-login-action"
>                 , "module:com.acme.idm.keycloak.jms-forwarding-event-listener" ]
>   ...
>
> to:
>
> standalone-ha.xml:
> <web-context>auth</web-context>
> <providers>
>     <provider>classpath:${jboss.home.dir}/providers/*</provider>
> </providers>
> ...
> ???
>
> Thanks in advance!
>
> Cheers,
> Thomas
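The CLI session above adds providers one `list-add` at a time. For a larger keycloak-server.json the same operations can be generated from the file instead of typed by hand. The script below is an added example, not part of the thread or of Keycloak: it reads the `providers` array, skips entries that the target standalone-ha.xml is assumed to contain already (the default `classpath:${jboss.home.dir}/providers/*` entry, which the `ls` output above shows as a pre-existing expression), quotes values that the CLI parser would otherwise mangle (`${...}` expressions in particular), and prints one `/subsystem=keycloak-server:list-add(name=providers,value=...)` per remaining provider. The JSON input is a constructed sample.

```python
"""Generate jboss-cli list-add commands from a keycloak-server.json providers list.

Added example (not from the thread or the Keycloak project). Assumptions:
the resource path /subsystem=keycloak-server and list attribute "providers"
from the CLI session above, and that the default classpath provider already
ships in standalone-ha.xml. The JSON below is constructed sample input.
"""
import json
import re

SAMPLE_KEYCLOAK_SERVER_JSON = """
{
  "providers": [
    "classpath:${jboss.home.dir}/providers/*",
    "module:com.acme.idm.keycloak.idm-keycloak-ext-login-action",
    "module:com.acme.idm.keycloak.jms-forwarding-event-listener"
  ],
  "theme": { "staticMaxAge": 2592000 }
}
"""

# Characters that the jboss-cli operation parser treats specially; a value
# containing any of them (notably "${...}" expressions) must be quoted.
_NEEDS_QUOTES = re.compile(r'[\s,=\[\]{}()$"]')

DEFAULT_PRESENT = ("classpath:${jboss.home.dir}/providers/*",)


def cli_value(value: str) -> str:
    """Quote a value for jboss-cli when it contains CLI-special characters."""
    if _NEEDS_QUOTES.search(value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def providers_from_json(text: str) -> list[str]:
    """Extract and validate the providers array of a keycloak-server.json."""
    cfg = json.loads(text)
    providers = cfg.get("providers", [])
    if not isinstance(providers, list) or not all(isinstance(p, str) for p in providers):
        raise ValueError('"providers" must be a JSON array of strings')
    return providers


def migration_commands(json_text: str, already_present: tuple[str, ...] = DEFAULT_PRESENT) -> list[str]:
    """One list-add per provider that the subsystem does not hold yet.

    Skipping entries in already_present avoids duplicate list elements,
    which the CLI would otherwise append a second time."""
    commands = []
    for provider in providers_from_json(json_text):
        if provider in already_present:
            continue
        commands.append(
            f"/subsystem=keycloak-server:list-add(name=providers,value={cli_value(provider)})")
    return commands


if __name__ == "__main__":
    # Paste the printed lines into a connected jboss-cli session, or feed
    # them to jboss-cli with --file after reviewing them.
    print("\n".join(migration_commands(SAMPLE_KEYCLOAK_SERVER_JSON)))
```

Review the generated lines before running them: `list-add` is additive, so running the script twice against the same server produces duplicate provider entries unless the already_present tuple is updated from the current `ls /subsystem=keycloak-server` output.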
From Edgar at info.nl Mon Sep 19 09:25:07 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 19 Sep 2016 13:25:07 +0000
Subject: [keycloak-user] Updating lastLogon in LDAP/AD from Keycloak when user is authenticated
Message-ID:

Hi,

We would like to have Keycloak update the lastLogon user attribute in our Active Directory server whenever a user logs in to our customer portal. Is it possible to do this from Keycloak? The portal is secured using Keycloak so behind the scenes the Keycloak bind user is the one that authenticates the user in AD.

The only thing we have now is the user session information in Keycloak but that is not of much value to us because:
- in our situation AD is leading for all user data
- whenever we redeploy Keycloak (quite often) we empty out the Keycloak database and start anew by synching users from AD
- if I am not mistaken currently user session data is not stored in the Keycloak database anyway?

cheers
Edgar

From keycloaklist at ulise.de Mon Sep 19 09:36:52 2016
From: keycloaklist at ulise.de (Uli SE)
Date: Mon, 19 Sep 2016 15:36:52 +0200
Subject: [keycloak-user] Update custom attribute in the account management console
Message-ID: <3f6d4b33-7a9b-bdb5-ff51-6518192311a0@ulise.de>

Hi,

I added an attribute to the users in my realm and I added the attribute to the management console like described here:
https://keycloak.gitbooks.io/server-developer-guide/content/topics/custom-attributes.html

So, now I can see the custom attribute, but I cannot update it. After changing and pressing save, the former value appears again.

Do I need to change the "OnSave..."?
(I'm using 1.9.8)

Thanks,
Uli

From keycloaklist at ulise.de Mon Sep 19 09:43:25 2016
From: keycloaklist at ulise.de (Uli SE)
Date: Mon, 19 Sep 2016 15:43:25 +0200
Subject: [keycloak-user] Map group attributes to users
Message-ID:

Hi

Is it possible to map group attributes to users of the group to see them in the users' tokens?

Thanks,
Uli

From abhi.raghav007 at gmail.com Mon Sep 19 12:50:57 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Mon, 19 Sep 2016 22:20:57 +0530
Subject: [keycloak-user] Fwd: Unable to configure client certificate
In-Reply-To:
References:
Message-ID:

Hi Team,

I am facing an issue while I am trying to set Client Authenticator as 'Signed JWT'. I am using keycloak-admin.jar to do it. Here I am trying to automate the complete client creation work through a java program.

    ClientAttributeCertificateResource cacr = clientResource.getCertficateResource("jwt.credentials");
    byte[] mycert = cacr.generateAndGetKeystore(keyStoreConfig);

Here keyStoreConfig is the config object which contains all the metadata required to generate the certificate, e.g. keystore password, format, alias name etc.

I could successfully get the certificate generated and got it as a byte array, but in the backend it is not being configured for the client. I am still seeing this:

[image: image.png]

even though the value for Client Authenticator is set as Signed Jwt and the same is getting updated in keycloak.json (under installation) as well.

Code to set the authenticator is:

    client.setClientAuthenticatorType("client-jwt");

Please

*- Best Regards*
Abhishek Raghav
From chairfield at gmail.com Mon Sep 19 13:32:36 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Mon, 19 Sep 2016 17:32:36 +0000
Subject: [keycloak-user] API to map from Provider User ID to Keycloak User ID?
Message-ID:

Is there an efficient API for obtaining the Keycloak User given an identity provider ID? For instance, Keycloak user ABC has linked to their Facebook account with provider id 123. Can we efficiently get from 123 to ABC?

From sthorger at redhat.com Tue Sep 20 03:48:21 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 09:48:21 +0200
Subject: [keycloak-user] Lock user within indefinite period of time
In-Reply-To: <6F4171BF-514D-4972-9636-D0E12458B772@yahoo.com>
References: <6F4171BF-514D-4972-9636-D0E12458B772@yahoo.com>
Message-ID:

Not sure this applies to 1.3 (we don't support that version and you really do need to upgrade as there are loads of security fixes since then!), but you can just set Wait Increment and Max Wait to very high values.

On 15 September 2016 at 04:53, Tin wrote:
> Hi,
>
> I would like to know if there is a configuration in keycloak 1.3 where a temporarily disabled user will NOT be unlocked automatically. It will depend on the admin whether the user will be unlocked or not.
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From sthorger at redhat.com Tue Sep 20 03:50:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 09:50:04 +0200
Subject: [keycloak-user] Support for CORS Access-Control-Expose-Headers in 2.0.0.Final
In-Reply-To:
References: <20160709053836.GA23953@abstractj.org> <20160711161310.GA7375@abstractj.org>
Message-ID:

Only if we get a contribution and it includes tests and documentation. We don't have the time to do it ourselves at the moment.

On 15 September 2016 at 07:18, Hubert Przybysz wrote:
> Hi Stian,
>
> Any chance to have this included in the next release?
>
> This problem is really bugging me.
>
> BR / Hubert.
>
> On Tue, Jul 12, 2016 at 8:32 AM, Hubert Przybysz wrote:
>
>> Ok, thanks. It was a bit unclear to me if it should have been supported.
>>
>> On Tue, Jul 12, 2016 at 7:17 AM, Stian Thorgersen wrote:
>>
>>> I changed that issue to a feature request, since we've never supported it it's not a bug.
>>>
>>> On 11 July 2016 at 20:25, Hubert Przybysz wrote:
>>>
>>>> I have created KEYCLOAK-3297.
>>>>
>>>> On Mon, Jul 11, 2016 at 7:29 PM, Bruno Oliveira wrote:
>>>>
>>>>> Please, go ahead and create one. I couldn't find any Jira related to this.
>>>>>
>>>>> On Mon, Jul 11, 2016 at 1:36 PM Hubert Przybysz <h.p.przybysz at gmail.com> wrote:
>>>>>
>>>>>> Does anyone know when it will be possible to configure the adapters with CORS expose headers?
>>>>>>
>>>>>> I don't find any jira for it.
>>>>>>
>>>>>> Br / Hubert.
>>>>>>
>>>>>> On Mon, Jul 11, 2016 at 6:13 PM, Bruno Oliveira wrote:
>>>>>>
>>>>>>> You are right Hubert it's not supported at keycloak.json file, I just overlooked the code.
>>>>>>> Sorry about that.
>>>>>>>
>>>>>>> On 2016-07-11, Hubert Przybysz wrote:
>>>>>>> > Thanks for the info.
>>>>>>> >
>>>>>>> > I've tried configuring cors-exposed-headers in a JBOSS EAP 6 adapter like this:
>>>>>>> >
>>>>>>> > keycloak.json:
>>>>>>> > {
>>>>>>> >   ...
>>>>>>> >   "enable-cors" : true,
>>>>>>> >   "cors-allowed-methods" : "POST,PUT,DELETE,GET",
>>>>>>> >   "cors-allowed-headers" : "Accept,Content-Type,If-Match,If-None-Match,Origin",
>>>>>>> >   "cors-exposed-headers" : "ETag,Location",
>>>>>>> >   ...
>>>>>>> > }
>>>>>>> >
>>>>>>> > But the adapter does not recognise this config and fails to start:
>>>>>>> >
>>>>>>> > 10:57:15,923 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 69) JBWEB001097: Error starting context /data: java.lang.RuntimeException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cors-exposed-headers" (class org.keycloak.representations.adapters.config.AdapterConfig), not marked as ignorable (32 known properties: "ssl-required", "cors-allowed-headers", "register-node-period", "turn-off-change-session-id-on-login", "truststore", "always-refresh-token", "client-key-password", "policy-enforcer", "token-store", "resource", "realm", "proxy-url", "disable-trust-manager", "bearer-only", "truststore-password", "use-resource-role-mappings", "connection-pool-size", "client-keystore", "register-node-at-startup", "client-keystore-password", "auth-server-url", "cors-allowed-methods", "public-client", "expose-token", "token-minimum-time-to-live", "enable-basic-auth", "cors-max-age", "enable-cors", "allow-any-hostname", "realm-public-key", "credentials", "principal-attribute"])
>>>>>>> >  at [Source: java.io.ByteArrayInputStream at 67593e31; line: 14, column: 29] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["cors-exposed-headers"])
>>>>>>> >  at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:137) [keycloak-adapter-core-2.0.0.Final.jar:2.0.0.Final]
>>>>>>> >  at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:126) [keycloak-adapter-core-2.0.0.Final.jar:2.0.0.Final]
>>>>>>> >  at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133) [keycloak-tomcat-core-adapter-2.0.0.Final.jar:2.0.0.Final]
>>>>>>> >  at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75) [keycloak-tomcat-core-adapter-2.0.0.Final.jar:2.0.0.Final]
>>>>>>> >  at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:115) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
>>>>>>> >  at org.apache.catalina.core.StandardContext.start(StandardContext.java:3775) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>>> >  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_80]
>>>>>>> >  at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_80]
>>>>>>> >  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_80]
>>>>>>> >  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_80]
>>>>>>> >  at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
>>>>>>> >  at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>>>>>> > Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cors-exposed-headers" (class org.keycloak.representations.adapters.config.AdapterConfig), not marked as ignorable (32 known properties: "ssl-required", "cors-allowed-headers", "register-node-period", "turn-off-change-session-id-on-login", "truststore", "always-refresh-token", "client-key-password", "policy-enforcer", "token-store", "resource", "realm", "proxy-url", "disable-trust-manager", "bearer-only", "truststore-password", "use-resource-role-mappings", "connection-pool-size", "client-keystore", "register-node-at-startup", "client-keystore-password", "auth-server-url", "cors-allowed-methods", "public-client", "expose-token", "token-minimum-time-to-live", "enable-basic-auth", "cors-max-age", "enable-cors", "allow-any-hostname", "realm-public-key", "credentials", "principal-attribute"])
>>>>>>> >  at [Source: java.io.ByteArrayInputStream at 67593e31; line: 14, column: 29] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["cors-exposed-headers"])
>>>>>>> >  at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:51)
>>>>>>> >  at com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty(DeserializationContext.java:817)
>>>>>>> >  at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:958)
>>>>>>> >  at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1324)
>>>>>>> >  at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1302)
>>>>>>> >  at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:249)
>>>>>>> >  at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136)
>>>>>>> >  at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3564)
>>>>>>> >  at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2650)
>>>>>>> >  at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:135) [keycloak-adapter-core-2.0.0.Final.jar:2.0.0.Final]
>>>>>>> >  ... 14 more
>>>>>>> >
>>>>>>> > 10:57:15,973 ERROR [org.apache.catalina.core] (ServerService Thread Pool -- 69) JBWEB001103: Error detected during context /data start, will stop it
>>>>>>> >
>>>>>>> > 10:57:15,985 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 69) MSC000001: Failed to start service jboss.web.deployment.default-host./data: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./data: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:99)
>>>>>>> >  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_80]
>>>>>>> >  at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_80]
>>>>>>> >  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_80]
>>>>>>> >  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_80]
>>>>>>> >  at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
>>>>>>> >  at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>>>>>> > Caused by: org.jboss.msc.service.StartException in anonymous service: JBAS018040: Failed to start context
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:168)
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
>>>>>>> >  at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDe
ploymentService.java:96) >>>>>>> > >>>>>>> > ... 6 more >>>>>>> > >>>>>>> > >>>>>>> > 10:57:16,019 ERROR [org.jboss.as.controller.management-operation] >>>>>>> > (Controller Boot Thread) JBAS014612: Operation ("deploy") failed - >>>>>>> address: >>>>>>> > ([("deployment" => "webims-jcom-data-1.3.1-SNAPSH >>>>>>> OT-secure-keycloak.war")]) >>>>>>> > - failure description: {"JBAS014671: Failed services" => >>>>>>> > {"jboss.web.deployment.default-host./data" => >>>>>>> > "org.jboss.msc.service.StartException in service >>>>>>> > jboss.web.deployment.default-host./data: >>>>>>> > org.jboss.msc.service.StartException in anonymous service: >>>>>>> JBAS018040: >>>>>>> > Failed to start context >>>>>>> > >>>>>>> > Caused by: org.jboss.msc.service.StartException in anonymous >>>>>>> service: >>>>>>> > JBAS018040: Failed to start context"}} >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > On Sat, Jul 9, 2016 at 7:38 AM, Bruno Oliveira < >>>>>>> bruno at abstractj.org> wrote: >>>>>>> > >>>>>>> > > As far as I can tell, yes. >>>>>>> > > >>>>>>> > > See: >>>>>>> > > >>>>>>> > > https://keycloak.gitbooks.io/server-adminstration-guide/cont >>>>>>> ent/topics/clients/client-oidc.html >>>>>>> > > >>>>>>> > > https://github.com/keycloak/keycloak/blob/5c98b8c6ae7052b2d9 >>>>>>> 06156d8fc212ccd9dfd57d/services/src/main/java/org/ >>>>>>> keycloak/services/resources/Cors.java#L143 >>>>>>> > > >>>>>>> > > On 2016-07-08, Hubert Przybysz wrote: >>>>>>> > > > Hi, >>>>>>> > > > >>>>>>> > > > Is configuration of CORS Access-Control-Expose-Headers >>>>>>> supported in >>>>>>> > > > 2.0.0.Final adapters? >>>>>>> > > > >>>>>>> > > > Best regards / Hubert. 
>>>>>>> > >
>>>>>>> > > --
>>>>>>> > > abstractj
>>>>>>> > > PGP: 0x84DC9914
>>>>>>>
>>>>>>> --
>>>>>>> abstractj
>>>>>>> PGP: 0x84DC9914

From sthorger at redhat.com Tue Sep 20 03:55:22 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 09:55:22 +0200
Subject: [keycloak-user] remote_user header from IIS proxy not seen by keycloak

Not sure, but how are you retrieving the header? Did you try:

request.getHttpHeaders().getRequestHeaders().getFirst("REMOTE_USER")

Also is it the first authenticator in the flow?

On 15 September 2016 at 15:53, Glenn Campbell wrote:

> I have a requirement to use Keycloak behind IIS where some sort of SSO product is already integrated with IIS. Whatever this product is sets the REMOTE_USER header. It is easy enough to write a custom authenticator for Keycloak to use the REMOTE_USER header. However, Keycloak's Wildfly server (or its embedded Undertow) appears to be stripping out the header.
>
> Is there any way to configure Keycloak or its Wildfly to let the REMOTE_USER header pass through? Or are there any clever workarounds?
>
> Thanks in advance.
> Glenn

From sthorger at redhat.com Tue Sep 20 03:57:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 09:57:14 +0200
Subject: [keycloak-user] Obtaining access token by username only (no HMI)

Pedro - is this possible? Seems like a valid use-case.

On 15 September 2016 at 17:07, FREIMUELLER Christian <Christian.FREIMUELLER at frequentis.com> wrote:

> Dear all,
>
> we have a question regarding Keycloak and obtaining an Access Token.
>
> Our setup is as follows:
>
> - users are created and maintained in Keycloak
> - resources, policies and permissions are also maintained in Keycloak
>
> *Our use case is:*
> As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.
>
> *To be more specific:*
> We have an application exposing an interface to the outside world. Any request from an interface-consuming application contains the name of the user in the request header that called an action on this interface (The username in the request is the same as in Keycloak).
>
> *The question is now:*
> How can we obtain an access token for the user (by only knowing the username) that is needed in order to call/use Keycloak's AuthZ client to retrieve authorization information (e.g. via its entitlement API)?
>
> We also thought about using offline tokens, but it might be that a user (available in Keycloak) that is sent within the request might have never logged in to any protected application before; therefore we would not be able to have offline tokens at hand that we could use to request a new access token. Is there a solution to obtain an access token for such a user?
>
> Thanks,
> Christian

From sthorger at redhat.com Tue Sep 20 03:59:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 09:59:04 +0200
Subject: [keycloak-user] Disabling password expiry for one user?
References: <1AC1D226-F0F1-4B5F-95AD-5C9985DC184F@expedia.com>

Afraid it's not possible at the moment. You could add your own custom password policy for the expiration or simply have the bot update its password once in a while?

On 16 September 2016 at 04:59, Sarp Kaya wrote:

> Kind of,
>
> We do have an automated bot using a "normal" username and password. We need this bot to use the regular web UI in order to monitor the entire system, so using direct APIs won't be a good option.
>
> *From: *Scott Rossillo
> *Date: *Friday, September 16, 2016 at 12:50 PM
> *To: *Abdullah Sarp, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> *Subject: *Re: [keycloak-user] Disabling password expiry for one user?
>
> Is this for something like service users? Could you explain the use case?
>
> On Thu, Sep 15, 2016 at 8:49 PM Sarp Kaya wrote:
>
> Hello,
>
> It just seems like it's only possible to enable password expiry policy for all users or no users.
> Is it possible to have an exceptional case where one user has no password expiry and other users do have password expiry?
>
> Thanks,
> Sarp

From sthorger at redhat.com Tue Sep 20 04:00:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 10:00:00 +0200
Subject: [keycloak-user] Custom Adapter Logout logic

Could you use a HttpSessionListener?

On 15 September 2016 at 23:16, Jared Blashka wrote:

> Is it currently possible to hook into the adapter's logout logic to trigger some custom behavior without interrupting the logout flow?
>
> For example, if I want to audit logout activity on a particular SP or delete some cookies (if it was a front-channel logout request) without stopping the normal federated logout process.
>
> Jared
From sthorger at redhat.com Tue Sep 20 04:01:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 10:01:05 +0200
Subject: [keycloak-user] How to add new custom form for additional user management
In-Reply-To: <3794C364-15A8-48DE-970E-271C0BD03B6B@info.nl>
References: <796F199F-EACE-493A-A0C5-83AD9C62977B@info.nl> <3794C364-15A8-48DE-970E-271C0BD03B6B@info.nl>

I'm afraid we don't support adding additional pages to the account management console at the moment so you're limited to extending the current forms. This is planned for the future, but it will be a while until it gets implemented.

On 16 September 2016 at 12:18, Federico Navarro Polo - Info.nl <federico at info.nl> wrote:

> Hello Marek,
>
> Thanks for your answer.
>
> The address example does not cover exactly what I would like to have, as it modifies the existing account.ftl
>
> I would like to leave the account.ftl as it is, but having a custom form to manage only the custom attributes.
>
> In other words, when I access the /auth/realms/abc/account page, I can see there is a sidebar menu on the left with options like: "Account", "Password", "Authenticator", and so on. I would like to add a new item in that sidebar and be able to access it through something like /auth/realms/abc/account/custom
>
> Is there an example for that?
>
> Regards,
> Federico
>
> *From: *Marek Posolda
> *Date: *Friday 16 September 2016 at 11:55
> *To: *Federico Navarro Polo, "keycloak-user at lists.jboss.org"
> *Subject: *Re: [keycloak-user] How to add new custom form for additional user management
>
> We have theme SPI, which allows to override themes. See our "theme" examples in the keycloak-examples, especially address theme, which looks to be exactly what you want.
>
> Marek
>
> On 16/09/16 11:51, Federico Navarro Polo - Info.nl wrote:
>
> > Hello,
> >
> > In my Keycloak configuration, there are a number of custom attributes defined for each user. I would like to offer the possibility to manage these attributes in a form similar to the "account profile" form, not using and modifying the existing account.ftl itself, but creating a new template for that (eg: secondary_account.ftl).
> >
> > What is the recommended approach to do this?
> >
> > I would assume I need to create a new SPI, but I am not sure what would be the next steps to configure it and make it work. I think what I need is something in the same direction as the domain-extension example, but it's not exactly the same, as I want to 1) create a new form and 2) base that form data in the existing domain of the user.
> >
> > Could someone give some pointers?
> >
> > Thanks in advance!

From sthorger at redhat.com Tue Sep 20 04:03:09 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Sep 2016 10:03:09 +0200
Subject: [keycloak-user] Setting up a Keycloak Domain Cluster
In-Reply-To: <1808317031.12684437.1474164907188.JavaMail.root@centurylink.net>
References: <1372641136.12644228.1474158984531.JavaMail.root@centurylink.net> <1808317031.12684437.1474164907188.JavaMail.root@centurylink.net>

Doesn't sound like you have a working clustering setup.
Please take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html .

On 18 September 2016 at 04:15, i.pop at centurylink.net wrote:

> Hi,
> I work on a POC to use Keycloak to secure a set of microservices (Java-written Spring Boot & Gradle projects).
> I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySql) db to replace the embedded H2 db.
> I have configured a Keycloak Domain Mode cluster using the keycloak documentation "Server Installation and Configuration Guide".
> 1. I have logged on the master keycloak server and configured my new Realm that has my microservice processes as clients. I have added roles, users, groups, etc. The realm configuration of the master keycloak instance got replicated on the slave instances (I can see the cluster running when logging on to the WildFly Management Interface).
> 2. I have added to all microservice java projects the keycloak securing code:
> 2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak server (Client's "Installation" utility)
> 2.2 Added to the project's Application class a system property, to target the keycloak.json file generated by the MASTER keycloak instance: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
> 2.3 Created a new config package class: public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
> 2.4 Added to the build.gradle file the keycloak spring security adapter compilation: compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
> Note. I have compared the content of the json format code generated by the Client "Installation" utility of the slave instances against the master instance and, THE ONLY DIFFERENCE is the *"auth-server-url"* line (having the specific node URL address)
> 3.
> Now, I want to do the test of accessing particular resources of my microservice applications (additional info: I did not implement any load-balancer in front of the keycloak cluster):
> I have created a simple java program that uses a Basic Authorization procedure to get an access token, and then uses this token to send request messages to my microservice application and get the expected response messages.
> - When I use the MASTER instance's authorization endpoint to get an access token, I get the expected response message (because, I presume, my microservice application's attached keycloak.json file has HARDCODED content generated by the MASTER instance & containing the MASTER's authorization endpoint).
> - When I use either one of the SLAVE keycloak instances' authorization & token generation endpoints to generate an access token, my request fails with a 401 error: "Unable to authenticate bearer token"
> I believe or feel I use a wrong approach to solve my problem. My microservice applications (at this time) DO NOT KNOW anything, whether I use a domain mode cluster or a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak instance's (MASTER's) "auth-server-url" info).
> Here, I need your help to enlighten me. Is there another approach to handle my problem? It should, otherwise why write about Domain Mode in the Keycloak Release documentation. Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain Cluster and how to do test simulations with it. I would appreciate any help on this issue.
> Thanks,
> Ioan
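An added illustration of why Ioan's slave-issued tokens come back as 401 (this is editor-written code, not Keycloak's adapter and not anything from the thread): a bearer-only adapter derives the issuer it will accept from the `auth-server-url` and `realm` in its own keycloak.json, and compares it with the token's `iss` claim before anything else about the token matters. A token minted by a node reachable under a different address therefore fails even when the shared realm key would verify its signature. The node names, realm and token claims below are constructed; signature checking is deliberately left out so the issuer decision stands alone.

```javascript
// Added example (not Keycloak code): how a bearer-only adapter derives the
// issuer it expects from keycloak.json, and what happens to a token whose
// iss points at another cluster node. All URLs/tokens are constructed.

// Mirror of the adapter's realm URL: <auth-server-url>/realms/<realm>.
// A trailing slash on auth-server-url is tolerated here for robustness.
function expectedIssuer(keycloakJson) {
  const base = keycloakJson['auth-server-url'].replace(/\/+$/, '');
  return `${base}/realms/${keycloakJson.realm}`;
}

// JSON object -> base64url JWT segment (used only to build demo tokens).
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// base64url JWT segment -> JSON object (no signature verification here).
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Unsigned demo token carrying the given claims (constructed sample).
function demoToken(claims) {
  return `${encodeSegment({ alg: 'none', typ: 'JWT' })}.${encodeSegment(claims)}.`;
}

// Apply the adapter's first two checks in order: issuer, then expiry.
// Returns { ok, reason } with the first failing check named.
function checkToken(tokenString, keycloakJson, nowSeconds) {
  const parts = tokenString.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  const claims = decodeSegment(parts[1]);
  if (claims.iss !== expectedIssuer(keycloakJson)) {
    return { ok: false, reason: `issuer mismatch: got ${claims.iss}` };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed keycloak.json fragment that names only the master node.
const KEYCLOAK_JSON = {
  realm: 'poc-realm',
  'auth-server-url': 'http://master.example.internal:8080/auth/',
  'bearer-only': true,
};

const NOW = 1474351200; // constructed "current time", seconds since epoch

// Token issued by the master node: iss matches the adapter's realm URL.
const TOKEN_FROM_MASTER = demoToken({
  iss: 'http://master.example.internal:8080/auth/realms/poc-realm',
  exp: NOW + 300,
  sub: 'user-1',
});

// Same realm and key, but minted by a slave under its own address.
const TOKEN_FROM_SLAVE = demoToken({
  iss: 'http://slave1.example.internal:8080/auth/realms/poc-realm',
  exp: NOW + 300,
  sub: 'user-1',
});

console.log('master token:', checkToken(TOKEN_FROM_MASTER, KEYCLOAK_JSON, NOW));
console.log('slave token: ', checkToken(TOKEN_FROM_SLAVE, KEYCLOAK_JSON, NOW));
```

The practical consequence is the one the clustering guide Stian links to builds on: every node must be reached through one address (the load balancer's), and that address is what goes into `auth-server-url`, so that tokens from any node carry the same `iss` and the adapter never sees a per-node issuer.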
From andyyar66 at gmail.com Tue Sep 20 07:06:04 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Tue, 20 Sep 2016 13:06:04 +0200
Subject: [keycloak-user] Accumulating time skew - JS@2.2.0.Final

Hello,
I've recently faced strange issues having an authed user on a JS frontend calling a backend service with a bearer token. After a certain number of requests the backend started to return 401. This lasted only for a short period of time and then went back to 200, then 401 again and again.

This seemed to me like there was a delta between server time/client time. However, both systems are synced.

So I've tried to log the JS Keycloak timeSkew attribute. After a few requests it simply increased itself. After ~40 requests its values rose from 0, through 2, 5, 8, 15 up to 35 seconds! It has never decreased.

It seems wrong to me, since documentation mentions it should be a simple delta between client and server time.

Am I doing something really wrong here?

Thanks

From jblashka at redhat.com Tue Sep 20 14:36:15 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Tue, 20 Sep 2016 14:36:15 -0400
Subject: [keycloak-user] SessionNotOnOrAfter Saml Attribute Support?

Saml spec allows for a SessionNotOnOrAfter attribute inside the AuthnStatement and I see some getters/setters for that attribute in AuthnStatementType.java, but it doesn't look like it gets invoked anywhere, so we can't actually use it.

Were there any plans to give us a way to specify a value for this attribute, or just set it to the length of sso session max? I had some clients asking about it.

Jared
From dick.eimers at luminis.eu Tue Sep 20 16:00:29 2016
From: dick.eimers at luminis.eu (Dick Eimers)
Date: Tue, 20 Sep 2016 20:00:29 +0000
Subject: [keycloak-user] Users experience multiple emails sent from Keycloak

Hi,

We've got a report about users who received activation/login-action emails (sent by Keycloak) multiple times. After doing a bit of investigation we found out that emails are sent as a side-effect of pages obtained using a GET request, which could be the cause of sending multiple emails.

For example, after registration we hit a page at location: /auth/realms//login-actions/required-action?code= which also sends an email with the activation-link. Reloading this page results in the email being sent again (with a fresh code, invalidating the old one). So maybe users are refreshing the page unintentionally, or their (mobile) browser is. Or they could be using the back-button and again hit this page, which sends the request once again also resulting in a new mail.

Is anyone else running into this? Should we create a new JIRA issue to fix/improve this?

From jblashka at redhat.com Tue Sep 20 16:25:32 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Tue, 20 Sep 2016 16:25:32 -0400
Subject: [keycloak-user] SessionNotOnOrAfter Saml Attribute Support?

I ended up submitting https://github.com/keycloak/keycloak/pull/3250. Please take a look!

Jared

On Tue, Sep 20, 2016 at 2:36 PM, Jared Blashka wrote:

> Saml spec allows for a SessionNotOnOrAfter attribute inside the AuthnStatement and I see some getters/setters for that attribute in AuthnStatementType.java, but it doesn't look like it gets invoked anywhere, so we can't actually use it.
>
> Were there any plans to give us a way to specify a value for this attribute, or just set it to the length of sso session max? I had some clients asking about it.
>
> Jared

From j.kamal at ymail.com Tue Sep 20 17:48:49 2016
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Tue, 20 Sep 2016 21:48:49 +0000 (UTC)
Subject: [keycloak-user] Reg impersonation
References: <1815719276.1833582.1474408129771.ref@mail.yahoo.com>
Message-ID: <1815719276.1833582.1474408129771@mail.yahoo.com>

Hello Keycloak Team,
Is there a way to use the impersonation feature to view/log into applications (protected by Keycloak) instead of viewing the impersonated user's User Account Management page? If not, is there a plan in the road map to support them in future?

Best
Kamal

From lganga14 at gmail.com Wed Sep 21 00:25:58 2016
From: lganga14 at gmail.com (Ganga Lakshmanasamy)
Date: Wed, 21 Sep 2016 09:55:58 +0530
Subject: [keycloak-user] NOT_ATTEMPTED: bearer only error while trying to access server from client

Hi,

We are getting the "NOT_ATTEMPTED: bearer only" error while trying to access our backend rest service which has access type as bearer only from our public angular js based client.
We are setting the "Authorization" header in our request but it looks like the adapter is not able to recognize the header with the bearer token.

Please help us resolve the issue.

*Note*: We are able to invoke the rest services with the same bearer token from other rest clients like Postman and Advanced REST Client for Chrome. The issue comes up only when we try from our angular js code.

Regards,
Ganga Lakshmanasamy
(Non-text attachment: client.png, image/png, 54278 bytes; http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/bfd5302c/attachment-0001.png)

From adam.keily at adelaide.edu.au Wed Sep 21 01:52:36 2016
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 21 Sep 2016 05:52:36 +0000
Subject: [keycloak-user] Keycloak as IdP Proxy

Is it possible to configure keycloak as an IdP proxy?

e.g. https://spaces.internet2.edu/display/GS/SAMLIdPProxy

We're thinking about using two keycloak realms, one for our institutional users and one for externally registered users but some SP's can only handle a single IdP.

Any thoughts appreciated.

Regards
Adam

From sthorger at redhat.com Wed Sep 21 02:20:16 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Sep 2016 08:20:16 +0200
Subject: [keycloak-user] Keycloak as IdP Proxy

Yes, we call it identity brokering. See https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker.html

On 21 September 2016 at 07:52, Adam Keily wrote:

> Is it possible to configure keycloak as an IdP proxy?
>
> e.g. https://spaces.internet2.edu/display/GS/SAMLIdPProxy
>
> We're thinking about using two keycloak realms, one for our institutional users and one for externally registered users but some SP's can only handle a single IdP.
>
> Any thoughts appreciated.
>
> Regards
> Adam

From sthorger at redhat.com Wed Sep 21 02:21:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Sep 2016 08:21:24 +0200
Subject: [keycloak-user] Accumulating time skew - JS@2.2.0.Final

See https://issues.jboss.org/browse/KEYCLOAK-3586. The JavaScript adapter is broken in 2.2.0.

On 20 September 2016 at 13:06, Andy Yar wrote:

> Hello,
> I've recently faced strange issues having an authed user on a JS frontend calling a backend service with a bearer token. After a certain number of requests the backend started to return 401. This lasted only for a short period of time and then went back to 200, then 401 again and again.
>
> This seemed to me like there was a delta between server time/client time. However, both systems are synced.
>
> So I've tried to log the JS Keycloak timeSkew attribute. After a few requests it simply increased itself. After ~40 requests its values rose from 0, through 2, 5, 8, 15 up to 35 seconds! It has never decreased.
>
> It seems wrong to me, since documentation mentions it should be a simple delta between client and server time.
>
> Am I doing something really wrong here?
>
> Thanks
From andyyar66 at gmail.com Wed Sep 21 02:45:20 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Wed, 21 Sep 2016 08:45:20 +0200
Subject: [keycloak-user] Accumulating time skew - JS@2.2.0.Final

Oh, ok. Thanks for your answer.

On Wed, Sep 21, 2016 at 8:21 AM, Stian Thorgersen wrote:

> See https://issues.jboss.org/browse/KEYCLOAK-3586. The JavaScript adapter is broken in 2.2.0.
>
> On 20 September 2016 at 13:06, Andy Yar wrote:
>
>> Hello,
>> I've recently faced strange issues having an authed user on a JS frontend calling a backend service with a bearer token. After a certain number of requests the backend started to return 401. This lasted only for a short period of time and then went back to 200, then 401 again and again.
>>
>> This seemed to me like there was a delta between server time/client time. However, both systems are synced.
>>
>> So I've tried to log the JS Keycloak timeSkew attribute. After a few requests it simply increased itself. After ~40 requests its values rose from 0, through 2, 5, 8, 15 up to 35 seconds! It has never decreased.
>>
>> It seems wrong to me, since documentation mentions it should be a simple delta between client and server time.
>>
>> Am I doing something really wrong here?
>>
>> Thanks
From sthorger at redhat.com Wed Sep 21 03:00:52 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Sep 2016 09:00:52 +0200
Subject: [keycloak-user] Accumulating time skew - JS@2.2.0.Final

Working on fix now and will release a 2.2.1 shortly

On 21 September 2016 at 08:45, Andy Yar wrote:

> Oh, ok. Thanks for your answer.
>
> On Wed, Sep 21, 2016 at 8:21 AM, Stian Thorgersen wrote:
>
>> See https://issues.jboss.org/browse/KEYCLOAK-3586. The JavaScript adapter is broken in 2.2.0.
>>
>> On 20 September 2016 at 13:06, Andy Yar wrote:
>>
>>> Hello,
>>> I've recently faced strange issues having an authed user on a JS frontend calling a backend service with a bearer token. After a certain number of requests the backend started to return 401. This lasted only for a short period of time and then went back to 200, then 401 again and again.
>>>
>>> This seemed to me like there was a delta between server time/client time. However, both systems are synced.
>>>
>>> So I've tried to log the JS Keycloak timeSkew attribute. After a few requests it simply increased itself. After ~40 requests its values rose from 0, through 2, 5, 8, 15 up to 35 seconds! It has never decreased.
>>>
>>> It seems wrong to me, since documentation mentions it should be a simple delta between client and server time.
>>>
>>> Am I doing something really wrong here?
>>>
>>> Thanks
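An added illustration of the quantity Andy was logging (editor-written code, not keycloak.js and not from the thread): the skew the JavaScript adapter keeps is the client clock minus the server clock, measured each time a token arrives as `now - iat`, and it is a single value that a fresh token replaces rather than adds to. The expiry check then shifts the token's `exp` into the client's clock with that value, which is what keeps a client whose clock runs a few seconds fast from refusing tokens that are still valid. The clocks, intervals and claims below are constructed, and the function names are mine.

```javascript
// Added example (not keycloak.js): deriving client/server time skew from a
// freshly issued token and applying it to the expiry check. All clocks and
// token claims are constructed for the demo.

// Skew as the JS adapter defines it: client clock minus server clock, using
// the token's iat as the server's view of "now" at issue time.
function computeTimeSkew(tokenClaims, clientNowSeconds) {
  if (typeof tokenClaims.iat !== 'number') {
    throw new Error('token has no iat claim; cannot derive skew');
  }
  return clientNowSeconds - tokenClaims.iat;
}

// Seconds of validity left, measured on the client's clock after correcting
// for skew; negative means expired. minValidity lets callers refresh early.
function isTokenExpired(tokenClaims, timeSkew, clientNowSeconds, minValidity = 0) {
  const expiresIn = tokenClaims.exp - clientNowSeconds + timeSkew - minValidity;
  return expiresIn < 0;
}

// Simulate a client whose clock runs `clientOffset` seconds ahead of the
// server and fetches `n` tokens `intervalSeconds` apart. Each token sets the
// skew afresh; nothing is carried over from the previous sample.
function simulateSkewSamples(n, clientOffset, intervalSeconds, serverStart = 1474351200) {
  const samples = [];
  for (let i = 0; i < n; i++) {
    const serverNow = serverStart + i * intervalSeconds;
    const claims = { iat: serverNow, exp: serverNow + 300 }; // 5-minute token
    const clientNow = serverNow + clientOffset;
    samples.push(computeTimeSkew(claims, clientNow));
  }
  return samples;
}

// With steady clocks every sample must be identical; a drifting series is
// the symptom Andy reported, not a property of the measurement.
function skewIsStable(samples) {
  return samples.every((s) => s === samples[0]);
}

// Demo: a client 7 seconds ahead of the server, 40 requests one second apart.
const SKEW_SAMPLES = simulateSkewSamples(40, 7, 1);
console.log('skew samples:', SKEW_SAMPLES.join(','), 'stable:', skewIsStable(SKEW_SAMPLES));

// Expiry check on the last token issued, seen through the same fast clock.
const LAST_SERVER_NOW = 1474351200 + 39;
const LAST_CLAIMS = { iat: LAST_SERVER_NOW, exp: LAST_SERVER_NOW + 300 };
// 296 s after issue the token has 4 s left; only the skew-corrected check
// reports that correctly, the uncorrected one already calls it expired.
console.log('with skew:   ', isTokenExpired(LAST_CLAIMS, 7, LAST_SERVER_NOW + 7 + 296));
console.log('without skew:', isTokenExpired(LAST_CLAIMS, 0, LAST_SERVER_NOW + 7 + 296));
```

The design point is that skew is a derived, per-token measurement: storing it once and overwriting it on every token keeps the check honest even if the client clock is later corrected, whereas any running total would turn clock jitter into exactly the creeping 401s described above.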
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/6494e08b/attachment-0001.html From sthorger at redhat.com Wed Sep 21 04:58:52 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 21 Sep 2016 10:58:52 +0200 Subject: [keycloak-user] NOT_ATTEMPTED: bearer only error while trying to access server from client In-Reply-To: References: Message-ID: What version? Is the realm keys configured correctly? Is the token still valid? On 21 September 2016 at 06:25, Ganga Lakshmanasamy wrote: > Hi, > > We are getting the "NOT_ATTEMPTED: bearer only" error while trying to > access our backend rest service which has access type as bearer only from > our public angular js based client. > We are setting the "Authorization" header in our request but looks like > the adapter is not able to recognize the header with the bearer token. > > Please help us resolving the issue. > > *Note*: We are able to invoke the rest services with same bearer token > from other rest clients like post man and advanced rest client for chrome. > The issue comes up only when we try from our angular js code. > > Regards, > Ganga Lakshmanasamy > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/e7d0a735/attachment.html From sthorger at redhat.com Wed Sep 21 06:07:03 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 21 Sep 2016 12:07:03 +0200 Subject: [keycloak-user] Keycloak 2.2.1.Final Released Message-ID: Keycloak 2.2.1.Final has just been released. This release fixes an issue in the JavaScript adapter that was introduced in 2.2.0.Final, for more details see KEYCLOAK-3586 . -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/a75e903c/attachment.html From lganga14 at gmail.com Wed Sep 21 06:28:08 2016 From: lganga14 at gmail.com (Ganga Lakshmanasamy) Date: Wed, 21 Sep 2016 15:58:08 +0530 Subject: [keycloak-user] NOT_ATTEMPTED: bearer only error while trying to access server from client In-Reply-To: References: Message-ID: We are using keycloak 1.9.2 final version. The token would have got expired by now but it was valid when the api call was fired. Do you mean client keys set in keycloak.json? Regards, Ganga Lakshmanasamy On Sep 21, 2016 2:28 PM, "Stian Thorgersen" wrote: > What version? Is the realm keys configured correctly? Is the token still > valid? > > On 21 September 2016 at 06:25, Ganga Lakshmanasamy > wrote: > >> Hi, >> >> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to >> access our backend rest service which has access type as bearer only from >> our public angular js based client. >> We are setting the "Authorization" header in our request but looks like >> the adapter is not able to recognize the header with the bearer token. >> >> Please help us resolving the issue. >> >> *Note*: We are able to invoke the rest services with same bearer token >> from other rest clients like post man and advanced rest client for chrome. >> The issue comes up only when we try from our angular js code. >> >> Regards, >> Ganga Lakshmanasamy >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
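An added example for the bearer-only thread above (not Keycloak adapter code and not code from either poster). It shows the two halves being debugged: a browser client attaching the Authorization header, and a bearer-only service deciding whether bearer authentication was attempted at all, which is what "NOT_ATTEMPTED" distinguishes from a token that was presented but rejected. The token table and the verifier are constructed for the example; a real resource server verifies the JWT signature against the realm keys and checks expiry, issuer and audience.

```javascript
// Client side: return a copy of the request headers with the bearer token
// attached. A bearer-only service looks only at this header; cookies or query
// parameters are not a bearer credential.
function withBearer(headers, accessToken) {
  return { ...headers, Authorization: `Bearer ${accessToken}` };
}

// Server side: classify a request the way a bearer-only resource server must.
// 'not_attempted' means no bearer credential was presented at all; 'invalid'
// means one was presented but failed verification. HTTP header names are
// case-insensitive, so the lookup ignores case.
function classifyBearer(headers, verifyToken) {
  const name = Object.keys(headers).find(h => h.toLowerCase() === 'authorization');
  const value = name ? headers[name] : undefined;
  if (!value) {
    return { outcome: 'not_attempted', reason: 'no Authorization header' };
  }
  const m = /^Bearer\s+(\S+)$/i.exec(String(value).trim());
  if (!m) {
    return { outcome: 'not_attempted', reason: 'Authorization header is not a Bearer credential' };
  }
  return verifyToken(m[1])
    ? { outcome: 'authenticated' }
    : { outcome: 'invalid', reason: 'token failed verification' };
}

// Constructed verifier: a table of issued tokens with their expiry, checked
// against the service's clock (nowSec). Stands in for signature and claim
// verification so the header handling above can be exercised offline.
function makeDemoVerifier(issuedTokens, nowSec) {
  return token =>
    Object.prototype.hasOwnProperty.call(issuedTokens, token) &&
    issuedTokens[token].exp > nowSec;
}

// Usage with constructed data: same service, four different requests.
function demo() {
  const verify = makeDemoVerifier({ 'tok-live': { exp: 2000 }, 'tok-old': { exp: 1500 } }, 1600);
  return {
    withToken: classifyBearer(withBearer({ Accept: 'application/json' }, 'tok-live'), verify).outcome,
    noHeader: classifyBearer({ Accept: 'application/json' }, verify).outcome,
    basicAuth: classifyBearer({ authorization: 'Basic dXNlcjpwdw==' }, verify).outcome,
    expired: classifyBearer(withBearer({}, 'tok-old'), verify).outcome,
  };
}
```

When a request works from Postman but not from the browser, the check worth making is what the browser actually sent: the network panel shows whether the Authorization header reached the service on the real request. Note that a cross-origin call is preceded by a CORS preflight (OPTIONS) that the browser sends without the Authorization header by design, so the preflight itself will never carry the bearer token.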
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/03988444/attachment.html From postmaster at lists.jboss.org Wed Sep 21 08:09:24 2016 From: postmaster at lists.jboss.org (The Post Office) Date: Wed, 21 Sep 2016 17:39:24 +0530 Subject: [keycloak-user] RETURNED MAIL: DATA FORMAT ERROR Message-ID: <201609211208.u8LC8ZvW031663@lists01.dmz-a.mwc.hst.phx2.redhat.com> Dear user keycloak-user at lists.jboss.org, Your account was used to send a huge amount of junk e-mail during the last week. We suspect that your computer had been infected and now contains a trojaned proxy server. Please follow instruction in order to keep your computer safe. Have a nice day, The lists.jboss.org support team. -------------- next part -------------- A non-text attachment was scrubbed... Name: document.zip Type: application/octet-stream Size: 29400 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/5dd5a27a/attachment-0001.obj From manuel.herzberg at atos.net Wed Sep 21 08:26:04 2016 From: manuel.herzberg at atos.net (Herzberg, Manuel) Date: Wed, 21 Sep 2016 12:26:04 +0000 Subject: [keycloak-user] little issue with keycloak-install-ha.cli Message-ID: Hello, during the installation of keycloak i experienced a little bug for me. (jboss eap7, keycloak overlay/keycloak adapter, both latest version: 2.2.1.final) When running "keycloak-install-ha.cli" every command works except the last one "run-batch --file=default-keycloak-subsys-config.cli". I can add these entries manually to the standalone-ha.xml and everything works fine. Anyone else with the same issue? Any ideas how to fix it? It is not very important but is annoying to copy the stuff into the standalone.xml manually every time. Best Regards Manuel -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/34a36d48/attachment.html

From pnalyvayko at agi.com Wed Sep 21 08:45:13 2016
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Wed, 21 Sep 2016 12:45:13 +0000
Subject: [keycloak-user] ws-federation in keycloak
Message-ID:

Hi,

Any news about the "KEYCLOAK-2000 WS-Fed support for both protocol and broker #1766" pull request?

Thanks!

From thomas.darimont at googlemail.com Wed Sep 21 08:52:01 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 21 Sep 2016 14:52:01 +0200
Subject: [keycloak-user] little issue with keycloak-install-ha.cli
In-Reply-To:
References:
Message-ID:

What's the error you are getting?

On 21.09.2016 at 2:26 PM, "Herzberg, Manuel" <manuel.herzberg at atos.net> wrote:
>
> Hello,
>
> during the installation of keycloak I experienced a little bug. (jboss eap7, keycloak overlay/keycloak adapter, both latest version: 2.2.1.final)
>
> When running "keycloak-install-ha.cli" every command works except the last one, "run-batch --file=default-keycloak-subsys-config.cli".
> I can add these entries manually to the standalone-ha.xml and everything works fine.
>
> Anyone else with the same issue? Any ideas how to fix it? It is not very important but it is annoying to copy the stuff into the standalone.xml manually every time.
>
> Best Regards
> Manuel
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/c825b198/attachment.html

From abhi.raghav007 at gmail.com Wed Sep 21 08:57:53 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Wed, 21 Sep 2016 18:27:53 +0530
Subject: [keycloak-user] Unable to configure client certificate
In-Reply-To:
References:
Message-ID: <3b2acbe8-caca-4ff6-ada4-450e0be15f2f@gmail.com>

Hi Team,

I am facing an issue while I am trying to set Client Authenticator as 'Signed JWT'. I am using Keycloak-admin.jar to do it. Here I am trying to automate the complete client creation work through a java program.

    // Certificate resource for the client's "jwt.credentials" attribute
    ClientAttributeCertificateResource cacr = clientResource.getCertficateResource("jwt.credentials");
    // Ask the server to generate a keystore and return it as bytes
    byte[] mycert = cacr.generateAndGetKeystore(keyStoreConfig);

Here keyStoreConfig is the config object which contains all the metadata required to generate the certificate, e.g. keystore password, format, alias name etc. I could successfully get the certificate generated and received it as a byte array, but in the backend it is not being configured for the client. I am still seeing this:

Even though the value for Client Authenticator is set as Signed Jwt and the same is getting updated in keycloak.json (under installation) as well. Code to set the authenticator is:

    // Authenticator type is passed as its string provider id
    client.setClientAuthenticatorType("client-jwt");

Please -

Best Regards
Abhishek Raghav

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/f1c0829f/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 12582 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/f1c0829f/attachment-0001.png

From ssilvert at redhat.com Wed Sep 21 09:07:11 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 21 Sep 2016 09:07:11 -0400
Subject: [keycloak-user] little issue with keycloak-install-ha.cli
In-Reply-To:
References:
Message-ID: <57E285FF.1070100@redhat.com>

What error do you get? Please post the full output of the cli script.

On 9/21/2016 8:26 AM, Herzberg, Manuel wrote:
> Hello,
>
> during the installation of keycloak I experienced a little bug.
> (jboss eap7, keycloak overlay/keycloak adapter, both latest version:
> 2.2.1.final)
>
> When running "keycloak-install-ha.cli" every command works
> except the last one "run-batch
> --file=default-keycloak-subsys-config.cli".
> I can add these entries manually to the standalone-ha.xml and
> everything works fine.
>
> Anyone else with the same issue? Any ideas how to fix it? It is not
> very important but is annoying to copy the stuff into the
> standalone.xml manually every time.
>
> Best Regards
> Manuel
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/7c9b52c1/attachment.html

From sean.schade at drillinginfo.com Wed Sep 21 14:03:02 2016
From: sean.schade at drillinginfo.com (Sean Schade)
Date: Wed, 21 Sep 2016 13:03:02 -0500
Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie.
Message-ID:

We are having an issue where our browser application will initiate a logout, but after redirecting back to the application the user is not taken to the login screen.
It appears the user is still logged in, and can fully access the application. I can see the session removed in Keycloak Admin UI. However, it appears the cookie never gets invalidated. Here is the redirect URL we use. Are we missing some configuration step in the client? I have standard flow, implicit flow, and direct access grants enabled. Valid redirect URIs, Base URL, and web origins are all configured in the client. Admin URL is not set as we are relying only on browser logout. https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/7e060d7a/attachment.html From srossillo at smartling.com Wed Sep 21 14:29:47 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 21 Sep 2016 14:29:47 -0400 Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie. In-Reply-To: References: Message-ID: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com> Which adapter are you using? Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Sep 21, 2016, at 2:03 PM, Sean Schade wrote: > > We are having an issue where our browser application will initiate a logout, but after redirecting back to the application the user is not taken to the login screen. It appears the user is still logged in, and can fully access the application. I can see the session removed in Keycloak Admin UI. However, it appears the cookie never gets invalidated. Here is the redirect URL we use. Are we missing some configuration step in the client? I have standard flow, implicit flow, and direct access grants enabled. Valid redirect URIs, Base URL, and web origins are all configured in the client. Admin URL is not set as we are relying only on browser logout. 
> > https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/ _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/42af72f6/attachment.html From sean.schade at drillinginfo.com Wed Sep 21 15:08:05 2016 From: sean.schade at drillinginfo.com (Sean Schade) Date: Wed, 21 Sep 2016 14:08:05 -0500 Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie. In-Reply-To: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com> References: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com> Message-ID: Thanks Scott for replying. We don't use an adapter. We have an Angular app that makes HTTP calls to backend services. All of our services are behind a Keycloak Security Proxy. We are migrating away from Oracle OAM to Keycloak, and with Oracle navigating to the logout link was sufficient. I assumed the same would be for Keycloak. I initially thought this might be the bug: https://issues.jboss.org/browse/KEYCLOAK-3311 However, after looking at the logs in Keycloak when I click the Logout button in our app I see the following errors. 18:55:10,630 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core. UriBuilderException: RESTEASY003330: Failed to create URI: null 1. Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: empty host name 2. at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString( ResteasyUriBuilder.java:540) 3. at org.jboss.resteasy.specimpl.ResteasyUriBuilder .buildFromValues(ResteasyUriBuilder.java:743) Perhaps it is a combination of the Keycloak Security Proxy and some misconfiguration? 
I'm not really sure at this moment.

Is my assumption correct that we do not need an adapter for oidc logout?

On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo wrote:
> Which adapter are you using?
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Sep 21, 2016, at 2:03 PM, Sean Schade wrote:
>
> We are having an issue where our browser application will initiate a logout, but after redirecting back to the application the user is not taken to the login screen. It appears the user is still logged in, and can fully access the application. I can see the session removed in Keycloak Admin UI. However, it appears the cookie never gets invalidated. Here is the redirect URL we use. Are we missing some configuration step in the client? I have standard flow, implicit flow, and direct access grants enabled. Valid redirect URIs, Base URL, and web origins are all configured in the client. Admin URL is not set as we are relying only on browser logout.
>
> https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/78c3496d/attachment-0001.html

From hcamp at muerte.net Wed Sep 21 15:11:11 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Wed, 21 Sep 2016 14:11:11 -0500
Subject: [keycloak-user] manual db init missing DATABASECHANGELOG
Message-ID: <1474485071.10803.11.camel@muerte.net>

Bringing up KC against an empty database with initializeEmpty=manual generates a sql file which does not include creating the DATABASECHANGELOG table. Is this intentional? Am I missing a step somewhere?
Or is creating the table by hand based on http://www.liquibase.org/documentation/databasechangelog_table.html the way forward?

--
Harold Campbell

The algorithm for finding the longest path in a graph is NP-complete.
For you systems people, that means it's *real slow*.
-- Bart Miller

From adam.keily at adelaide.edu.au Wed Sep 21 19:18:29 2016
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 21 Sep 2016 23:18:29 +0000
Subject: [keycloak-user] Keycloak as IdP Proxy
In-Reply-To:
References:
Message-ID:

Thanks Stian. Is it essential that a user is created in the Identity Broker?

e.g.
1. SP directs the user to the broker for login
2. User selects one of the identity providers at the broker
3. Logs in to the IdP
4. Broker accepts the login and passes attributes / roles directly through to the SP without creating a new user in the broker db?

I'm trying to avoid ending up with multiple accounts in the broker IdP for the same user depending on which IdP they auth from.

Thanks
Adam

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, 21 September 2016 3:50 PM
To: Adam Keily
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak as IdP Proxy

Yes, we call it identity brokering. See https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker.html

On 21 September 2016 at 07:52, Adam Keily wrote:
Is it possible to configure keycloak as an IdP proxy?
e.g. https://spaces.internet2.edu/display/GS/SAMLIdPProxy
We're thinking about using two keycloak realms, one for our institutional users and one for externally registered users but some SP's can only handle a single IdP.
Any thoughts appreciated.
Regards
Adam
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/99e5f536/attachment.html

From bburke at redhat.com Wed Sep 21 19:58:58 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 21 Sep 2016 19:58:58 -0400
Subject: [keycloak-user] Keycloak as IdP Proxy
In-Reply-To:
References:
Message-ID:

Currently an import is required. On roadmap to import user only for duration of user session in memory.

On 9/21/16 7:18 PM, Adam Keily wrote:
>
> Thanks Stian. Is it essential that a user is created in the Identity
> Broker?
>
> e.g.
>
> 1. SP directs the user to the broker for login
>
> 2. User selects one of the identity providers at the broker
>
> 3. Logs in to the IdP
>
> 4. Broker accepts the login and passes attributes / roles directly
> through to the SP without creating a new user in the broker db?
>
> I'm trying to avoid ending up with multiple accounts in the broker IdP
> for the same user depending on which IdP they auth from.
>
> Thanks
>
> Adam
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Wednesday, 21 September 2016 3:50 PM
> *To:* Adam Keily
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak as IdP Proxy
>
> Yes, we call it identity brokering. See
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker.html
>
> On 21 September 2016 at 07:52, Adam Keily wrote:
>
> Is it possible to configure keycloak as an IdP proxy?
>
> e.g. https://spaces.internet2.edu/display/GS/SAMLIdPProxy
>
> We're thinking about using two keycloak realms, one for our
> institutional users and one for externally registered users but
> some SP's can only handle a single IdP.
>
> Any thoughts appreciated.
> > Regards > > Adam > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/5599e025/attachment-0001.html From sean.schade at drillinginfo.com Wed Sep 21 20:01:01 2016 From: sean.schade at drillinginfo.com (Sean Schade) Date: Wed, 21 Sep 2016 19:01:01 -0500 Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie. In-Reply-To: References: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com> Message-ID: Do I need to use the Keycloak JS adapter in our Angular app in order to get logout to work correctly? I thought we would be fine with just the openid-connect logout url. It looks like the adapter clears the token in the browser. https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources On Wed, Sep 21, 2016 at 2:08 PM, Sean Schade wrote: > Thanks Scott for replying. We don't use an adapter. We have an Angular app > that makes HTTP calls to backend services. All of our services are behind a > Keycloak Security Proxy. > > We are migrating away from Oracle OAM to Keycloak, and with Oracle > navigating to the logout link was sufficient. I assumed the same would be > for Keycloak. > > I initially thought this might be the bug: https://issues.jboss.org/ > browse/KEYCLOAK-3311 > > However, after looking at the logs in Keycloak when I click the Logout > button in our app I see the following errors. > > 18:55:10,630 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task- > 11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core. 
> UriBuilderException: RESTEASY003330: Failed to create URI: null > > > 1. Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: > empty host name > 2. at org.jboss.resteasy.specimpl.ResteasyUriBuilder > .buildString(ResteasyUriBuilder.java:540) > 3. at org.jboss.resteasy.specimpl.ResteasyUriBuilder. > buildFromValues(ResteasyUriBuilder.java:743) > > > Perhaps it is a combination of the Keycloak Security Proxy and some > misconfiguration? I'm not really sure at this moment. > > Is my assumption correct that we do not need an adapter for oidc logout? > > On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo > wrote: > >> Which adapter are you using? >> >> Scott Rossillo >> Smartling | Senior Software Engineer >> srossillo at smartling.com >> >> On Sep 21, 2016, at 2:03 PM, Sean Schade >> wrote: >> >> We are having an issue where our browser application will initiate a >> logout, but after redirecting back to the application the user is not taken >> to the login screen. It appears the user is still logged in, and can fully >> access the application. I can see the session removed in Keycloak Admin UI. >> However, it appears the cookie never gets invalidated. Here is the redirect >> URL we use. Are we missing some configuration step in the client? I have >> standard flow, implicit flow, and direct access grants enabled. Valid >> redirect URIs, Base URL, and web origins are all configured in the client. >> Admin URL is not set as we are relying only on browser logout. >> >> https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/ >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
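An added example for the logout thread above (not code from Keycloak, the Keycloak Proxy, or any of the posters). The logout URL quoted in the thread percent-encodes the scheme and host of redirect_uri but leaves the path slashes bare, which a later reply in this thread identifies as the cause of the "Failed to create URI" error. The functions below build the logout URL with a fully encoded redirect_uri, show that a lenient query parser decodes both forms to the same value (so the difference is invisible unless the raw query is inspected), and model the Valid Redirect URIs allow-list check in a simplified form. Hosts and realm name are constructed placeholders; the wildcard matching is an assumption of this example, not Keycloak's exact semantics.

```javascript
// Build the OIDC logout URL. authBase is assumed to have no trailing slash
// (e.g. "https://auth.example.test/auth"). encodeURIComponent escapes ':'
// and '/' in the value, so the whole redirect target survives as one query
// parameter.
function buildLogoutUrl(authBase, realm, redirectUri) {
  return `${authBase}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout` +
         `?redirect_uri=${encodeURIComponent(redirectUri)}`;
}

// The redirect_uri value as a lenient query parser (the WHATWG URL parser
// available in browsers and Node) decodes it.
function extractRedirectUri(logoutUrl) {
  return new URL(logoutUrl).searchParams.get('redirect_uri');
}

// Inspect the raw query string: a fully encoded redirect_uri contains no
// bare ':' or '/' characters. This is the check that separates the two
// forms that extractRedirectUri cannot tell apart.
function redirectUriFullyEncoded(logoutUrl) {
  const rawQuery = new URL(logoutUrl).search;   // e.g. "?redirect_uri=https%3A%2F%2F..."
  const m = /[?&]redirect_uri=([^&]*)/.exec(rawQuery);
  if (!m) return false;
  return !/[:\/]/.test(m[1]);
}

// Simplified model of a Valid Redirect URIs allow-list: an entry ending in
// '*' matches any target with that prefix, anything else must match exactly.
// (Assumption for this example; consult the Keycloak docs for the real rules.)
function isAllowedRedirect(redirectUri, validRedirectUris) {
  return validRedirectUris.some(pattern =>
    pattern.endsWith('*')
      ? redirectUri.startsWith(pattern.slice(0, -1))
      : redirectUri === pattern);
}

// Usage with constructed values: the fully encoded form beside the partially
// encoded one of the kind shown in the thread.
function demo() {
  const full = buildLogoutUrl('https://auth.example.test/auth', 'dev', 'https://app.example.test/gallery/');
  const partial = 'https://auth.example.test/auth/realms/dev/protocol/openid-connect/logout' +
                  '?redirect_uri=https%3A%2F%2Fapp.example.test/gallery/';
  return {
    full,
    decodedFull: extractRedirectUri(full),
    decodedPartial: extractRedirectUri(partial),
    fullOk: redirectUriFullyEncoded(full),
    partialOk: redirectUriFullyEncoded(partial),
  };
}
```

The practical check is to look at the raw query string the browser sends, not at what a forgiving parser hands back: both URLs decode to the same redirect target, but only one of them is a well-formed query parameter. The allow-list helper also shows why an exact entry without the trailing slash rejects a target that ends in one.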
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/59b96a92/attachment.html From adam.keily at adelaide.edu.au Wed Sep 21 20:18:57 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Thu, 22 Sep 2016 00:18:57 +0000 Subject: [keycloak-user] Keycloak as IdP Proxy In-Reply-To: References: Message-ID: Thanks Bill. That would be great. Any idea on timeframe? From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Thursday, 22 September 2016 9:29 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak as IdP Proxy Currently an import is required. On roadmap to import user only for duration of user session in memory. On 9/21/16 7:18 PM, Adam Keily wrote: Thanks Stian. Is it essential that a user is created in the Identity Broker? e.g. 1. SP directs the user to the broker for login 2. User selects one of the identity providers at the broker 3. Logs in to the IdP 4. Broker accepts the login and passes attributes / roles directly through to the SP without creating a new user in the broker db? I'm trying to avoid ending up with multiple accounts in the broker IdP for the same user depending on which IdP they auth from. Thanks Adam From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, 21 September 2016 3:50 PM To: Adam Keily Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak as IdP Proxy Yes, we call it identity brokering. See https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker.html On 21 September 2016 at 07:52, Adam Keily > wrote: Is it possible to configure keycloak as an IdP proxy? e.g. https://spaces.internet2.edu/display/GS/SAMLIdPProxy We're thinking about using two keycloak realms, one for our institutional users and one for externally registered users but some SP's can only handle a single IdP. Any thoughts appreciated. 
Regards Adam _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160922/5cf75823/attachment-0001.html From john.bartko at drillinginfo.com Wed Sep 21 21:01:59 2016 From: john.bartko at drillinginfo.com (John Bartko) Date: Wed, 21 Sep 2016 20:01:59 -0500 Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie. In-Reply-To: References: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com> Message-ID: Hi folks, I believe the "RESTEASY003330: Failed to create URI" error was due to the non-URL encoded slashes in the redirect_uri. This has since been corrected. The behavior Sean and I are seeing is that accessing the app via a Keycloak Proxy continues to work even after the browser makes a request to the OIDC logout endpoint. The keycloak..session cookie remains in the browser. In the Keycloak admin web UI, the session listed under the user is removed upon request to the logout endpoint. Both Keycloak and the Keycloak Proxy are 2.0.0.Final. Any pointers would be appreciated. Thanks, -John Bartko On Wed, Sep 21, 2016 at 7:01 PM, Sean Schade wrote: > Do I need to use the Keycloak JS adapter in our Angular app in order to > get logout to work correctly? I thought we would be fine with just the > openid-connect logout url. It looks like the adapter clears the token in > the browser. > > https://github.com/keycloak/keycloak/tree/master/adapters/ > oidc/js/src/main/resources > > > On Wed, Sep 21, 2016 at 2:08 PM, Sean Schade > wrote: > >> Thanks Scott for replying. We don't use an adapter. 
We have an Angular >> app that makes HTTP calls to backend services. All of our services are >> behind a Keycloak Security Proxy. >> >> We are migrating away from Oracle OAM to Keycloak, and with Oracle >> navigating to the logout link was sufficient. I assumed the same would be >> for Keycloak. >> >> I initially thought this might be the bug: https://issues.jboss.org/ >> browse/KEYCLOAK-3311 >> >> However, after looking at the logs in Keycloak when I click the Logout >> button in our app I see the following errors. >> >> 18:55:10,630 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default >> task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core. >> UriBuilderException: RESTEASY003330: Failed to create URI: null >> >> >> 1. Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: >> empty host name >> 2. at org.jboss.resteasy.specimpl.ResteasyUriBuilder >> .buildString(ResteasyUriBuilder.java:540) >> 3. at org.jboss.resteasy.specimpl.ResteasyUriBuilder >> .buildFromValues(ResteasyUriBuilder.java:743) >> >> >> Perhaps it is a combination of the Keycloak Security Proxy and some >> misconfiguration? I'm not really sure at this moment. >> >> Is my assumption correct that we do not need an adapter for oidc logout? >> >> On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo >> wrote: >> >>> Which adapter are you using? >>> >>> Scott Rossillo >>> Smartling | Senior Software Engineer >>> srossillo at smartling.com >>> >>> On Sep 21, 2016, at 2:03 PM, Sean Schade >>> wrote: >>> >>> We are having an issue where our browser application will initiate a >>> logout, but after redirecting back to the application the user is not taken >>> to the login screen. It appears the user is still logged in, and can fully >>> access the application. I can see the session removed in Keycloak Admin UI. >>> However, it appears the cookie never gets invalidated. Here is the redirect >>> URL we use. Are we missing some configuration step in the client? 
I have >>> standard flow, implicit flow, and direct access grants enabled. Valid >>> redirect URIs, Base URL, and web origins are all configured in the client. >>> Admin URL is not set as we are relying only on browser logout. >>> >>> https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/ >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160921/38052c27/attachment.html From sthorger at redhat.com Thu Sep 22 03:55:19 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Sep 2016 09:55:19 +0200 Subject: [keycloak-user] manual db init missing DATABASECHANGELOG In-Reply-To: <1474485071.10803.11.camel@muerte.net> References: <1474485071.10803.11.camel@muerte.net> Message-ID: I assume you mean initializeEmpty=false and migrationStrategy=manual? You shouldn't need to create anything manually outside the SQL so this would indeed be a bug. Strange thing is that we've had the opposite reported: https://issues.jboss.org/browse/KEYCLOAK-3588 On 21 September 2016 at 21:11, Harold Campbell wrote: > Bringing up KC against an empty database with initializeEmpty=manual > generates a sql file which does not include creating > the DATABASECHANGELOG table. Is this intentional? Am I missing a step > somewhere? Or is creating the table by hand based on http://www.liquiba > se.org/documentation/databasechangelog_table.html the way forward? 
> > -- > Harold Campbell > > The algorithm for finding the longest path in a graph is NP-complete. > For you systems people, that means it's *real slow*. > -- Bart Miller > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160922/15501a5e/attachment.html From sthorger at redhat.com Thu Sep 22 04:37:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Sep 2016 10:37:45 +0200 Subject: [keycloak-user] manual db init missing DATABASECHANGELOG In-Reply-To: References: <1474485071.10803.11.camel@muerte.net> Message-ID: It's actually creating the DATABASECHANGELOG table in the database rather than adding to the SQL export. That's indeed a bug. On 22 September 2016 at 09:55, Stian Thorgersen wrote: > I assume you mean initializeEmpty=false and migrationStrategy=manual? > > You shouldn't need to create anything manually outside the SQL so this > would indeed be a bug. Strange thing is that we've had the opposite > reported: https://issues.jboss.org/browse/KEYCLOAK-3588 > > On 21 September 2016 at 21:11, Harold Campbell wrote: > >> Bringing up KC against an empty database with initializeEmpty=manual >> generates a sql file which does not include creating >> the DATABASECHANGELOG table. Is this intentional? Am I missing a step >> somewhere? Or is creating the table by hand based on http://www.liquiba >> se.org/documentation/databasechangelog_table.html the way forward? >> >> -- >> Harold Campbell >> >> The algorithm for finding the longest path in a graph is NP-complete. >> For you systems people, that means it's *real slow*. 
>> -- Bart Miller
>>
>

From Stefan.Kasala at posam.sk Thu Sep 22 04:54:30 2016
From: Stefan.Kasala at posam.sk (KASALA Štefan)
Date: Thu, 22 Sep 2016 08:54:30 +0000
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Message-ID:

Hello all,

We have keycloak-2.1.0.Final server and keycloak-as7-adapter-2.1.0 adapter version installed. We are trying to configure https proxy / lb for keycloak server. I am getting the following error from keycloak adapter after successful sign in to keycloak server. Here is the keycloak adapter log part:

2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-connect/auth?response_type=code&client_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&code=Q_sNdYGZ-St2psIoJwvTZCJTUgrvGwRlYaUprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
	at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
	at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
	at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
	at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
	at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]

Our keycloak adapter config:
public key string... ${keycloak.auth.url:/auth} preferred_username true true governance rtgov-ui password governance overlord-rtgov true password

Could you please help us, how can we fix this?

Thanks a lot.
Stefan Kasala.

________________________________
This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
From huazonglin at gmail.com Thu Sep 22 06:26:02 2016
From: huazonglin at gmail.com (Joey)
Date: Thu, 22 Sep 2016 18:26:02 +0800
Subject: [keycloak-user] iOS App login with Keycloak
Message-ID:

Hi Guys,

We are building a system, including 3 subsystems for a big website, and iOS and Android apps. We use KeyCloak as the SSO server for all subsystems, and then we also want to use KeyCloak for iOS and Android as the login server. But for iOS and Android we want to use a native login page, not the html page provided by the KeyCloak adapter. I read all documents and discussions, but I didn't find a way how to implement it. Can anybody help me? Thanks.

Joey

From christopher.james.davies at gmail.com Thu Sep 22 06:42:10 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Thu, 22 Sep 2016 10:42:10 +0000
Subject: [keycloak-user] Keycloak expert
Message-ID:

I am not sure that this is the correct place to ask. We are looking to use Keycloak as part of our product offering. We are looking for an expert who can help us put together a packaged solution that matches our clients' needs and to validate our Keycloak solution to check that we have not missed anything. Please feel free to contact me if you know anyone who can help with this. Sorry again if this is the wrong forum for such a request.

Chris Davies

From srossillo at smartling.com Thu Sep 22 07:57:37 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 22 Sep 2016 11:57:37 +0000
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

You can do that using direct access grants if you search the docs for it. However, we have native apps and just skinned our login pages to be responsive and look great on mobile.

The latter option is a better approach especially if you plan to implement 2FA.

On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
> Hi Guys,
>
> We are building a system, including 3 subsystems for a big website.
> and iOS and Android app. We use KeyCloak as the SSO server for all
> subsystems, and then we also want to use KeyCloak for iOS and Android
> as the login server. But for iOS, Android we want to use native login
> page not the html page provide by KeyCloak adapter. but I read all
> documents and discussions, I didnt find a way how to implement it.
> Anybody can help me? thanks.
>
>
> Joey

From thomas.darimont at googlemail.com Thu Sep 22 08:39:50 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 22 Sep 2016 14:39:50 +0200
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

Hello,

I adapted an Android based OpenID Connect Demo Application to work with Keycloak. In Keycloak I created a confidential client with direct access grants as Scott described.
https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo
See the recent commits in the feature/keycloak-oidc-demo branch.

Cheers,
Thomas

2016-09-22 13:57 GMT+02:00 Scott Rossillo :
> You can do that using direct access grants if you search the docs for it.
> However, we have native apps and just skinned our login pages to be
> responsive and look great on mobile.
>
> The latter option is a better approach especially if you plan to implement
> 2FA.
>
> On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
>
>> Hi Guys,
>>
>> We are building a system, including 3 subsystems for a big website.
>> and iOS and Android app. We use KeyCloak as the SSO server for all
>> subsystems, and then we also want to use KeyCloak for iOS and Android
>> as the login server. But for iOS, Android we want to use native login
>> page not the html page provide by KeyCloak adapter. but I read all
>> documents and discussions, I didnt find a way how to implement it.
>> Anybody can help me? thanks.
>>
>>
>> Joey

From lganga14 at gmail.com Thu Sep 22 09:15:59 2016
From: lganga14 at gmail.com (Ganga Lakshmanasamy)
Date: Thu, 22 Sep 2016 18:45:59 +0530
Subject: [keycloak-user] NOT_ATTEMPTED: bearer only error while trying to access server from client
Message-ID:

Hi,

Is any other more information needed?

Regards,
Ganga Lakshmanasamy

On Wed, Sep 21, 2016 at 3:58 PM, Ganga Lakshmanasamy wrote:
> We are using keycloak 1.9.2 final version. The token would have got
> expired by now but it was valid when the api call was fired.
>
> Do you mean client keys set in keycloak.json?
>
> Regards,
> Ganga Lakshmanasamy
>
> On Sep 21, 2016 2:28 PM, "Stian Thorgersen" wrote:
>
>> What version? Is the realm keys configured correctly? Is the token still
>> valid?
>>
>> On 21 September 2016 at 06:25, Ganga Lakshmanasamy wrote:
>>
>>> Hi,
>>>
>>> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to
>>> access our backend rest service which has access type as bearer only from
>>> our public angular js based client.
>>> We are setting the "Authorization" header in our request but looks like
>>> the adapter is not able to recognize the header with the bearer token.
>>>
>>> Please help us resolving the issue.
>>>
>>> *Note*: We are able to invoke the rest services with same bearer token
>>> from other rest clients like post man and advanced rest client for chrome.
>>> The issue comes up only when we try from our angular js code.
>>>
>>> Regards,
>>> Ganga Lakshmanasamy

From pulgupta at redhat.com Thu Sep 22 10:24:45 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Thu, 22 Sep 2016 19:54:45 +0530
Subject: [keycloak-user] Redirect URL is coming empty while hitting the application url for Keycloak SAML
Message-ID:

Hi All,

To give a background, I am using keycloak in one of my projects where we have a java application to be enabled with Keycloak SAML. I went through the documentation and configured my application web.xml to use the auth method as KEYCLOAK-SAML. I also added keycloak_saml.xml file in my WEB-INF folder.
In my web.xml I also have the servlet security-constraint and security-role set. Also, just to point out, I am using a URI in my SP entityId, for example /wapps/myapp.

When I am testing my application I am getting invalid redirect URI. This is even before the keycloak server is asking for any credentials. When I look into the response data it seems that the redirect URI is empty in the response I am getting.

Can anyone please guide me where I can look for this issue? I do not think it is a bug, but it's just that even after following the official documentation I am still not able to make my application SAML enabled.

Additional details:
OS: RHEL
Application Server: JBoss EAP 6
Language: Java 7
I am not too sure about the keycloak server version.

Please let me know in case any additional information is required.

--
Thanks,
Pulkit
AMS

From dick.eimers at luminis.eu Thu Sep 22 13:28:26 2016
From: dick.eimers at luminis.eu (Dick Eimers)
Date: Thu, 22 Sep 2016 17:28:26 +0000
Subject: [keycloak-user] Users experience multiple emails sent from Keycloak
In-Reply-To:
References:
Message-ID: <3DF645F2-D220-4FE2-8C52-AE611BCCFCD2@luminis.eu>

Hi,

This issue seems to annoy quite a few of our users. It is hard to believe that we are the only ones. I'm looking for some fellow sufferers and hopefully share some ideas/workarounds..

> On 20 Sep 2016, at 22:00, Dick Eimers wrote:
>
> Hi,
>
> We've got reports about users who received activation/login-action emails (sent by Keycloak) multiple times.
> After doing a bit of investigation we found out that emails are sent as a side-effect of pages obtained using a GET request, which could be the cause of sending multiple emails.
>
> For example, after registration we hit a page at location:
> /auth/realms//login-actions/required-action?code=
> which also sends an email with the activation-link. Reloading this page results in the email being sent again (with a fresh code, invalidating the old one).
>
> So maybe users are refreshing the page unintentionally, or their (mobile) browser is. Or they could be using the back-button and again hit this page, which sends the request once again, also resulting in a new mail.
>
> Is anyone else running into this? Should we create a new JIRA issue to fix/improve this?

From hcamp at muerte.net Thu Sep 22 13:37:11 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Thu, 22 Sep 2016 12:37:11 -0500
Subject: [keycloak-user] manual db init missing DATABASECHANGELOG
In-Reply-To:
References: <1474485071.10803.11.camel@muerte.net>
Message-ID: <1474565831.6382.3.camel@muerte.net>

On Thu, 2016-09-22 at 10:37 +0200, Stian Thorgersen wrote:
> It's actually creating the DATABASECHANGELOG table in the database
> rather than adding to the SQL export. That's indeed a bug.
>

Yep. My guy who actually ran the script let me know this morning that that is what happened. Now I know why attempting to create the script against a schema that didn't yet exist failed. Guess I should have explored that failure more fully...

--
Harold Campbell

Never give an inch!

From i.pop at centurylink.net Thu Sep 22 14:45:55 2016
From: i.pop at centurylink.net (i.pop at centurylink.net)
Date: Thu, 22 Sep 2016 14:45:55 -0400 (EDT)
Subject: [keycloak-user] Setting up a Keycloak Domain Cluster
In-Reply-To:
Message-ID: <406634199.17082990.1474569955255.JavaMail.root@centurylink.net>

Thank you Stian for your message.
I have gotten the cluster working in domain mode (just two nodes: master & slave):

MASTER NODE LOG:
[Server:server-one] 12:33:37,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,master:server-one) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
[Server:server-one] 12:33:38,411 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t6) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[master:server-one: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one: 30, slave1:server-two: 30]}, unionCH=null, actualMembers=[master:server-one, slave1:server-two]}
[Server:server-one] 12:33:38,419 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1

SLAVE NODE LOG:
[Server:server-two] 12:33:38,179 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]

THE ISSUE IS NOW how to test this working cluster. It looks like the content of the Keycloak string pattern generated by the master's Keycloak instance (and added to each microservice's keycloak.json file) HAS NOT CHANGED: I still get the same "auth-server-url" info as before, when I had a non-working cluster; no reference to the other node members of the working cluster:

{
  "realm": "SearchMicroservices",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh",
  "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
  "ssl-required": "external",
  "resource": "LDAPSearch-Microservice",
  "credentials": {
    "secret": "235b2960-1b6f-48bd-a5c4-069b5fc5cc16"
  },
  "use-resource-role-mappings": true
}

If I stop the Keycloak instance running on the master node (from the WildFly management interface) and I send a client search request message to one of my running applications registered in the realm as clients, I was expecting the request to be redirected by the load-balancer to the running slave Keycloak instance (node: "http://slaveKCInstance.ourcompanyname.com:8230/auth"), get a valid access_token from it, and then my client request message (along with the generated bearer token) sent to my targeted resource should get a response message. It does not happen like this. What I get is this:

{"path":"\/v1\/ldap\/DBResource\/resourceName","error":"Unauthorized","message":"Unable to authenticate bearer token","timestamp":1474566606034,"status":401}

The same outcome as described in my initial message sent to you. Can you please tell me what is wrong in my testing procedure?

Thanks,
Ioan

----- Original Message -----
From: "Stian Thorgersen"
To: "i pop"
Cc: "keycloak-user"
Sent: Tuesday, September 20, 2016 3:03:09 AM
Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster

Doesn't sound like you have working clustering setup. Please take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html .

On 18 September 2016 at 04:15, i.pop at centurylink.net < i.pop at centurylink.net > wrote:

Hi,

I work on a POC to use Keycloak to secure a set of microservices (Java-written Spring Boot & Gradle projects). I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySQL) db to replace the embedded H2 db. I have configured a Keycloak Domain Mode cluster using the keycloak documentation "Server Installation and Configuration Guide".

1. I have logged on the master keycloak server and configured my new Realm that has my microservice processes as clients. I have added roles, users, groups, etc. The realm configuration of the master keycloak instance got replicated on the slave instances (I can see the cluster running when logging on to the WildFly Management Interface).

2. I have added to all microservice java projects the keycloak securing code:
2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak server (Client's "Installation" utility)
2.2 Added to the project's Application class a system property, to target the keycloak.json file generated by the MASTER keycloak instance:
System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
2.3 Created a new config package class: public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
2.4 Added to the build.gradle file the keycloak spring security adapter compilation: compile group: 'org.keycloak', name:'keycloak-spring-security-adapter', version:'2.1.0.Final'

Note. I have compared the content of the json format code generated by the Client "Installation" utility of the slave instances against the master instance and THE ONLY DIFFERENCE is the "auth-server-url" line (having the specific node URL address).

3. Now, I want to do the test of accessing particular resources of my microservice applications (additional info: I did not implement any load-balancer in front of the keycloak cluster): I have created a simple java program that uses a Basic Authorization procedure to get an access token, and then uses this token to send request messages to my microservice application and get the expected response messages.
- When I use the MASTER instance's authorization endpoint to get an access token, I get the expected response message (because, I presume, my microservice application's attached keycloak.json file has HARDCODED content generated by the MASTER instance & containing the MASTER's authorization endpoint).
- When I use either one of the SLAVE keycloak instances' authorization & token generation endpoint to generate an access token, my request fails with a 401 error: "Unable to authenticate bearer token"

I believe or feel I use a wrong approach to solve my problem. My microservice applications (at this time) DO NOT KNOW anything about whether I use a domain mode cluster or a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak instance's (the MASTER's) "auth-server-url" info). Here, I need your help to enlighten me. Is there another approach to handle my problem? It should, otherwise why write about Domain Mode in the Keycloak Release documentation? Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain Cluster and how to do test simulations with it.

I would appreciate any help on this issue.

Thanks,
Ioan

From i.pop at centurylink.net Thu Sep 22 17:04:14 2016
From: i.pop at centurylink.net (i.pop at centurylink.net)
Date: Thu, 22 Sep 2016 17:04:14 -0400 (EDT)
Subject: [keycloak-user] Setting up a Keycloak Domain Cluster
In-Reply-To: <406634199.17082990.1474569955255.JavaMail.root@centurylink.net>
Message-ID: <786757678.17224411.1474578253974.JavaMail.root@centurylink.net>

Additional info to make my case clearer. This is what I get from my targeted microservice process log:

org.keycloak.common.VerificationException: Token audience doesn't match domain.
Token issuer is http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices, but URL from configuration is http://masterKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87) at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82) at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:137) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217) Do I need to change the configuration of my SecurityConfig class( which has the current implementation as public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter)? Thanks, ioan ----- Original Message ----- From: "i pop" To: stian at redhat.com Cc: "keycloak-user" Sent: Thursday, September 22, 2016 1:45:55 PM Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster Thank you Stian for your message. 
I have gotten the cluster working in the domain mode (just two nodes: master & slave):

MASTER NODE LOG:
[Server:server-one] 12:33:37,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,master:server-one) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
[Server:server-one] 12:33:38,411 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t6) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[master:server-one: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one: 30, slave1:server-two: 30]}, unionCH=null, actualMembers=[master:server-one, slave1:server-two]}
[Server:server-one] 12:33:38,419 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1

SLAVE NODE LOG:
[Server:server-two] 12:33:38,179 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]

THE ISSUE IS NOW how to test this working cluster. It looks like the content of the Keycloak string pattern generated by the master's Keycloak instance (and added to each microservice's keycloak.json file) HAS NOT CHANGED: I still get the same "auth-server-url" info as before, when the cluster was not working; no reference to the other node members of the working cluster:

{
  "realm": "SearchMicroservices",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh",
  "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
  "ssl-required": "external",
  "resource": "LDAPSearch-Microservice",
  "credentials": {
    "secret": "235b2960-1b6f-48bd-a5c4-069b5fc5cc16"
  },
  "use-resource-role-mappings": true
}

If I stop the Keycloak instance running on the master node (from the WildFly management interface) and I send a client search request message to one of my running applications registered in the realm as clients, I was expecting the request to be redirected by the load-balancer to the running slave Keycloak instance (node: "http://slaveKCInstance.ourcompanyname.com:8230/auth"), get a valid access_token from it, and then my client request message (along with the generated bearer token) sent to my targeted resource should get a response message. It does not happen like this. What I get is this:

{"path":"\/v1\/ldap\/DBResource\/resourceName","error":"Unauthorized","message":"Unable to authenticate bearer token","timestamp":1474566606034,"status":401}

The same outcome as described in my initial message sent to you.

Can you please tell me what is wrong in my testing procedure?

Thanks,
Ioan

----- Original Message -----
From: "Stian Thorgersen"
To: "i pop"
Cc: "keycloak-user"
Sent: Tuesday, September 20, 2016 3:03:09 AM
Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster

Doesn't sound like you have a working clustering setup. Please take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html .

On 18 September 2016 at 04:15, i.pop at centurylink.net < i.pop at centurylink.net > wrote:

Hi,

I work on a POC to use Keycloak to secure a set of microservices (java written Spring Boot & gradle projects). I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySql) db to replace the embedded H2 db. I have configured a Keycloak Domain Mode cluster using the keycloak documentation "Server Installation and Configuration Guide".

1. I have logged on the master keycloak server and configured my new Realm that has my microservice processes as clients. I have added roles, users, groups, etc. The realm configuration of the master keycloak instance got replicated on the slave instances (I can see the cluster running when logging on to the WildFly Management Interface).

2. I have added to all microservice java projects the keycloak securing code:
2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak server (Client's "Installation" utility)
2.2 Added to the project's Application class a system property, to target the keycloak.json file generated by the MASTER keycloak instance:
    System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
2.3 Created a new config package class:
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
2.4 Added to the build.gradle file the keycloak spring security adapter compilation:
    compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'

Note. I have compared the content of the json format code generated by the Client "Installation" utility of the slave instances against the master instance and THE ONLY DIFFERENCE is the "auth-server-url" line (having the specific node URL address).

3. Now, I want to do the test of accessing particular resources of my microservice applications (additional info: I did not implement any load-balancer in front of the keycloak cluster): I have created a simple java program that uses a Basic Authorization procedure to get an access token, and then uses this token to send request messages to my microservice application and get the expected response messages.
- When I use the MASTER instance's authorization endpoint to get an access token, I get the expected response message (because, I presume, my microservice application's attached keycloak.json file has HARDCODED content generated by the MASTER's instance & containing the MASTER's authorization endpoint).
- When I use either one of the SLAVE keycloak instances' authorization & token generation endpoint to generate an access token, my request fails with a 401 error: "Unable to authenticate bearer token"

I believe or feel I use a wrong approach to solve my problem. My microservice applications (at this time) DO NOT KNOW anything, whether I use a domain mode cluster or a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak instance's (MASTER's) "auth-server-url" info). Here, I need your help to enlighten me. Is there another approach to handle my problem? It should, otherwise why write about Domain Mode in the Keycloak Release documentation. Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain Cluster and how to do test simulations with it.

I would appreciate any help on this issue.

Thanks,
Ioan
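The 401 above is consistent with the adapter's issuer check: a Keycloak adapter compares the token's iss claim with the realm URL it derives from its own auth-server-url, and Keycloak builds iss from the URL the request arrived on, so a token minted by the slave node carries the slave's hostname and is rejected by an adapter that was configured with the master's keycloak.json. The Python below is an added illustration, not code from the thread or from Keycloak: the frontend hostname, the user id and the unsigned token helper are constructed, and signature verification (which the real adapter also performs) is left out so the issuer rule stands alone.

```python
"""Issuer check a Keycloak adapter applies to bearer tokens (added example).

Assumptions: iss == <auth-server-url>/realms/<realm>; the adapter derives the
same string from its keycloak.json and rejects anything else. Tokens here are
constructed and carry a placeholder signature; they are NOT valid Keycloak tokens.
"""
import base64
import json
from typing import Dict, Tuple

REALM = "SearchMicroservices"
MASTER = "http://masterKCInstance.ourcompanyname.com:8230/auth"
SLAVE = "http://slaveKCInstance.ourcompanyname.com:8230/auth"
FRONTEND = "http://kc.ourcompanyname.com:8230/auth"  # constructed: one shared hostname

# keycloak.json as generated on the master node (trimmed to the two fields that matter)
ADAPTER_CONFIG_MASTER: Dict[str, str] = {"realm": REALM, "auth-server-url": MASTER}
# corrected config: every adapter, and every client, talks to the shared frontend URL
ADAPTER_CONFIG_FRONTEND: Dict[str, str] = {"realm": REALM, "auth-server-url": FRONTEND}


def expected_issuer(keycloak_json: Dict[str, str]) -> str:
    """Realm URL the adapter expects in iss: <auth-server-url>/realms/<realm>."""
    base = keycloak_json["auth-server-url"].rstrip("/")
    return "%s/realms/%s" % (base, keycloak_json["realm"])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(issuer: str, subject: str) -> str:
    """Constructed JWT-shaped string with an iss claim and a placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "typ": "Bearer"}
    return "%s.%s.%s" % (
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "constructed-signature-placeholder",
    )


def token_claims(token: str) -> dict:
    """Decode the payload segment only; no signature verification in this example."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_issuer(token: str, keycloak_json: Dict[str, str]) -> Tuple[bool, str]:
    """Mirror the adapter's rule: iss must equal the realm URL built from auth-server-url."""
    iss = token_claims(token).get("iss")
    want = expected_issuer(keycloak_json)
    if iss == want:
        return True, "issuer matches the adapter's realm URL"
    return False, "issuer mismatch: token iss=%r, adapter expects %r" % (iss, want)


def demo() -> Dict[Tuple[str, str], bool]:
    """Tokens minted by each node, checked against both adapter configurations."""
    results: Dict[Tuple[str, str], bool] = {}
    for node, base in (("master", MASTER), ("slave", SLAVE), ("frontend", FRONTEND)):
        token = make_token("%s/realms/%s" % (base, REALM), "user-1")
        results[("master-config", node)] = check_issuer(token, ADAPTER_CONFIG_MASTER)[0]
        results[("frontend-config", node)] = check_issuer(token, ADAPTER_CONFIG_FRONTEND)[0]
    return results


if __name__ == "__main__":
    for key, ok in sorted(demo().items()):
        print("%-16s token from %-8s -> %s" % (key[0], key[1], "accepted" if ok else "rejected"))
```

Only tokens whose issuer hostname equals the adapter's configured hostname pass, which is why a clustered setup needs one public hostname (a load balancer in front of all nodes) used consistently by the clients that obtain tokens and by the adapters that verify them.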
Message-ID: <20160923084630.GA3779@abstractj.org>

Hi Pulkit,

I would try to compare your setup with one of our examples here: https://github.com/keycloak/keycloak/tree/master/examples/saml

On 2016-09-22, Pulkit Gupta wrote:
> Hi All,
>
> To give a background, I am using keycloak in one of my projects where we have a java application to be enabled with Keycloak SAML.
>
> I went through the documentation and configured my application web.xml to use the auth method as KEYCLOAK-SAML. I also added the keycloak_saml.xml file in my WEB-INF folder. In my web.xml I also have the servlet security-constraint and security-role set. Also, just to point out, I am using a URI in my SP entityId, for example /wapps/myapp.
>
> When I am testing my application I am getting invalid redirect URI. This is even before the keycloak server is asking for any credentials. When I look into the response data it seems that the redirect URI is empty in the response I am getting.
>
> Can anyone please guide me where I can look for this issue.
> I do not think it is a bug, but it's just that even after following the official documentation I am still not able to make my application SAML enabled.
>
> Additional details:
> OS: RHEL
> Application Server: JBOSS EAP6
> Language: Java 7
> I am not too sure about the keycloak server version.
>
> Please let me know in case any additional information is required.
>
> --
> Thanks,
> Pulkit
> AMS

--
abstractj
PGP: 0x84DC9914

References: Message-ID:

Thanks. When we attempt to authenticate using keycloak 2.2.0_final, we get the following log entries on the Keycloak server:

2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature

I have verified that the keys on the client match the server. Do the XML External Entities have something to do with this?

Any help is appreciated.
Thanks,
Bill

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, September 08, 2016 2:31 AM
To: Bill Kuntz
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with EZproxy

Not sure what they mean about "authentication sequence identical to a standard Shibboleth Identity Provider", but Keycloak is pretty configurable so it should be possible to adapt the SAML configuration for the client to make it work with EZProxy.

On 1 September 2016 at 17:47, Bill Kuntz wrote:

Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy. OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."

Thanks,
Bill

From n.milosavljevic at qualitype.de Fri Sep 23 08:53:41 2016
From: n.milosavljevic at qualitype.de (Milosavljević, Nemanja)
Date: Fri, 23 Sep 2016 12:53:41 +0000
Subject: [keycloak-user] Token settings understanding
Message-ID: <998A0590001F9F439258F79A83C00FC506DDBDD9@srv1.geh.local>

Hi,

I've searched far and wide and I'm still not clear on the proper token settings setup and on the other use cases a different setup could bring. Could someone please give me an example of what the keycloak/my-application behavior should be with the default setup?
Thanks,
Nemanja

_____________________________________________________________
Nemanja Milosavljevic | Front-end developer
Phone +49 351 8838 2809 | Email n.milosavljevic at qualitype.de
Qualitype GmbH | Moritzburger Weg 67 | 01109 Dresden | Germany
Fax +49 351 8838 2809 | Web www.qualitype.de
Sitz der Gesellschaft: Dresden | Amtsgericht Dresden HRB 31753
Geschäftsführer: Dr. Wilhelm Zörgiebel | Dr. Frank Götz
The information in this email and any attachments is confidential and is intended for the addressee only. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return email.

From hcamp at muerte.net Fri Sep 23 09:03:36 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Fri, 23 Sep 2016 08:03:36 -0500
Subject: [keycloak-user] client config docs
In-Reply-To: References: <1471625227.11180.6.camel@muerte.net>
Message-ID: <1474635816.2948.2.camel@muerte.net>

On Fri, 2016-08-26 at 11:06 +0200, Stian Thorgersen wrote:
> Maybe a bit of both. Where did you look? Any suggestions on how we could have made it easier to find?
>

Oh, it turns out I looked right at it (very briefly) but dismissed it, thinking it was the server side config because it didn't have the setting I was looking for. I was in a hurry, so I wasn't reading carefully. I was looking for the backchannel url setting... which doesn't exist anymore. Doh!

--
Harold Campbell

When you're dining out and you suspect something's wrong, you're probably right.

From mposolda at redhat.com Fri Sep 23 09:58:40 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 23 Sep 2016 15:58:40 +0200
Subject: [keycloak-user] Allow google login without reauthentication
In-Reply-To: References: <5768D9C4.3000308@redhat.com>
Message-ID:

The linking is done in IdentityBrokerService once the firstBrokerLogin flow is finished. I suggest looking at the sources of the existing authenticators in firstBrokerLogin and at IdentityBrokerService.

Good luck,
Marek

On 15/09/16 02:13, Harits Elfahmi wrote:
> Hi Marek,
>
> Any pointer on this? I've looked through the source code, but can't seem to find the place where it does the actual linking. Must I replace the entire default First Broker Login flow, or is it possible to just make some changes to some of its authenticators?
>
> Thanks
>
> 2016-06-21 13:08 GMT+07:00 Marek Posolda:
>
> You mean that if in the keycloak database there is already an existing user "john at gmail.com" and you authenticate the same user "john at gmail.com" with the google identity provider, you want to automatically link the google provider with this keycloak account?
>
> We didn't want to support this OOTB because of possible security implications. For example, if the identity provider doesn't verify emails, you can see security issues similar to this:
> - There is user "john at gmail.com" in keycloak
> - Attacker registers the account on the identity provider side with email "john at gmail.com". If the identity provider doesn't verify emails, the attacker can easily do it.
> - Now the attacker logs in to keycloak with the identity provider and keycloak will automatically link with the existing keycloak account "john at gmail.com". So now the attacker was able to log in to keycloak as user "john at gmail.com" because the 3rd party identity provider didn't verify emails and accounts were linked automatically just based on emails.
>
> You can admit that this one issue doesn't exist in case the identity provider properly verifies emails. However there are still in theory some other issues...
>
> So feel free to implement your own authenticator, which will do the linking automatically based on email, and then configure the "first broker login" flow with your authenticator. See docs for "First broker login" and "Authentication SPI" for more details.
>
> Also feel free to create a JIRA if you really want this OOTB. We may eventually add it if there is a big requirement for this. However we will never change the default "first broker login" flow to behave like this and automatically link accounts.
>
> Marek
>
>
> On 17/06/16 08:46, Harits Elfahmi wrote:
>> Hello,
>>
>> Currently we use google login using the identity provider in keycloak. The first broker login states that we must verify the existing account and then reauthenticate using the user password form. Is it possible to use the already available executions/flows and skip the reauthentication part?
>>
>> So if the google email already exists in a keycloak account, we allow them to login without the form.
>>
>> Or must we create a custom execution? Is it possible using a custom execution?
>>
>> Thanks
>> --
>> Cheers,
>> *Harits* Elfahmi
>
> --
> Cheers,
> *Harits* Elfahmi
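Marek's e-mail-only linking scenario above, as an added Python model (not code from the thread or from Keycloak): it contrasts a policy that links a brokered identity purely on a matching e-mail with one that requires the identity provider to assert the address as verified and the existing account to re-authenticate before any link is written. The provider alias, subjects and accounts are constructed, and the stricter policy is an illustration of the idea rather than a description of Keycloak's default first-broker-login flow.

```python
"""Two first-broker-login linking policies, side by side (added example).

Everything here is constructed: the account store, the identity provider alias
and the brokered identities. The strict policy is illustrative and does not
reproduce Keycloak's own flow.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class LocalUser:
    username: str
    email: str
    linked_idps: Dict[str, str] = field(default_factory=dict)  # idp alias -> subject at the idp


@dataclass
class BrokeredIdentity:
    idp_alias: str
    subject: str          # stable identifier at the identity provider
    email: str
    email_verified: bool  # did the identity provider assert it checked this address?


@dataclass
class LinkDecision:
    action: str           # "created", "linked", "needs_reauth" or "rejected"
    reason: str


class AccountStore:
    def __init__(self) -> None:
        self.users: Dict[str, LocalUser] = {}

    def add(self, user: LocalUser) -> None:
        self.users[user.username] = user

    def find_by_email(self, email: str) -> Optional[LocalUser]:
        for user in self.users.values():
            if user.email.lower() == email.lower():
                return user
        return None


def link_by_email_only(store: AccountStore, ident: BrokeredIdentity) -> LinkDecision:
    """The policy the question asks for: link whenever the e-mail matches.
    Nothing establishes that whoever holds the IdP account controls the address."""
    existing = store.find_by_email(ident.email)
    if existing is None:
        return LinkDecision("created", "no local account with that e-mail")
    existing.linked_idps[ident.idp_alias] = ident.subject
    return LinkDecision("linked", "e-mail matched an existing account")


def link_with_verification(store: AccountStore, ident: BrokeredIdentity,
                           reauthenticated: bool) -> LinkDecision:
    """Stricter policy: an e-mail match alone is not proof of ownership. Require the
    IdP to assert the address as verified AND require the existing local account to
    re-authenticate before the link is persisted."""
    existing = store.find_by_email(ident.email)
    if existing is None:
        return LinkDecision("created", "no local account with that e-mail")
    if not ident.email_verified:
        return LinkDecision("rejected", "identity provider did not verify the e-mail")
    if not reauthenticated:
        return LinkDecision("needs_reauth", "existing account must prove ownership first")
    existing.linked_idps[ident.idp_alias] = ident.subject
    return LinkDecision("linked", "verified e-mail and re-authenticated")


def scenario() -> Tuple[str, str]:
    """Replay the thread's example: a local user and a brokered identity claiming the
    same address, whose e-mail the identity provider never verified. Each policy gets
    a fresh store so the first outcome cannot influence the second."""
    unverified = BrokeredIdentity("constructed-idp", "idp-user-999",
                                  "john@example.com", email_verified=False)
    weak_store = AccountStore()
    weak_store.add(LocalUser("john", "john@example.com"))
    strict_store = AccountStore()
    strict_store.add(LocalUser("john", "john@example.com"))
    weak = link_by_email_only(weak_store, unverified)
    strict = link_with_verification(strict_store, unverified, reauthenticated=False)
    return weak.action, strict.action


if __name__ == "__main__":
    print("email-only policy: %s, verification policy: %s" % scenario())
```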
From joe at joethielen.com Fri Sep 23 14:19:25 2016
From: joe at joethielen.com (Joe Thielen)
Date: Fri, 23 Sep 2016 18:19:25 +0000
Subject: [keycloak-user] Keycloak 2.2.1.Final HTTPS new XML setup versus old JSON
Message-ID:

I'm trying to figure out how to configure HTTPS on 2.2.1.Final. I've done it on 2.1.0.Final and had it functioning. I used to put the following into *standalone/configuration/keycloak-server.json*

"connectionsHttpClient": {
    "default": {},
    "client-keystore": "${jboss.home.dir}/standalone/configuration/keycloak.jks",
    "client-keystore-password": "TPF-KCVM-KCKEYSTOREPASS",
    "client-key-password": "TPF-KCVM-KCKEYSTOREPASS"
},

Now I understand there is no more JSON file. I'm having issues getting the XML version running in standalone/configuration/standalone.xml.

I looked at https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html and now I've got this:

And also:

However, when I start Keycloak I get this error:

18:07:46,305 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
at org.jboss.as.server.ServerService.boot(ServerService.java:356)
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.xml.stream.XMLStreamException: Unknown keycloak-server subsystem tag: property
at org.keycloak.subsystem.server.extension.KeycloakSubsystemParser.readElement(KeycloakSubsystemParser.java:82)
at org.keycloak.subsystem.server.extension.KeycloakSubsystemParser.readElement(KeycloakSubsystemParser.java:56)
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
... 3 more

18:07:46,306 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Did I do it wrong?

From thomas.darimont at googlemail.com Fri Sep 23 14:59:18 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 23 Sep 2016 20:59:18 +0200
Subject: [keycloak-user] Keycloak 2.2.1.Final HTTPS new XML setup versus old JSON
In-Reply-To: References: Message-ID:

Hello Joe,

did you use the migration tool mentioned in the docs? "Migrate and convert keycloak-server.json"
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/MigrationFromOlderVersions.html
https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/config-subsystem/start-cli.html

Cheers,
Thomas

2016-09-23 20:19 GMT+02:00 Joe Thielen :

> I'm trying to figure out how to configure HTTPS on 2.2.1.Final.
> I've done it on 2.1.0.Final and had it functioning. I used to put the following into *standalone/configuration/keycloak-server.json*
>
> "connectionsHttpClient": {
>     "default": {},
>     "client-keystore": "${jboss.home.dir}/standalone/configuration/keycloak.jks",
>     "client-keystore-password": "TPF-KCVM-KCKEYSTOREPASS",
>     "client-key-password": "TPF-KCVM-KCKEYSTOREPASS"
> },
>
> Now I understand there is no more JSON file. I'm having issues getting the XML version running in standalone/configuration/standalone.xml.
>
> I looked at https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html and now I've got this:
>
> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/>
> value="Test1234"/>
> value="Test1234"/>
>
> And also:
>
> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/>
> value="Test1234"/>
> name="hostname-verification-policy" value="WILDCARD"/>
> value="false"/>
>
> However, when I start Keycloak I get this error:
>
> 18:07:46,305 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
> at org.jboss.as.server.ServerService.boot(ServerService.java:356)
> at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.xml.stream.XMLStreamException: Unknown keycloak-server subsystem tag: property
> at org.keycloak.subsystem.server.extension.KeycloakSubsystemParser.readElement(KeycloakSubsystemParser.java:82)
> at org.keycloak.subsystem.server.extension.KeycloakSubsystemParser.readElement(KeycloakSubsystemParser.java:56)
> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
> at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
> at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
> at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
> ... 3 more
>
> 18:07:46,306 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>
> Did I do it wrong?

From joe at joethielen.com Fri Sep 23 15:11:15 2016
From: joe at joethielen.com (Joe Thielen)
Date: Fri, 23 Sep 2016 15:11:15 -0400
Subject: [keycloak-user] Keycloak 2.2.1.Final HTTPS new XML setup versus old JSON
In-Reply-To: References: Message-ID:

No, this is a new setup. But I will try that to figure out the differences, thank you.

On Sep 23, 2016 2:59 PM, "Thomas Darimont" wrote:
> Hello Joe,
>
> did you use the migration tool mentioned in the docs? "Migrate and convert keycloak-server.json"
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/MigrationFromOlderVersions.html
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/config-subsystem/start-cli.html
>
> Cheers,
> Thomas
>
> 2016-09-23 20:19 GMT+02:00 Joe Thielen :
>
>> I'm trying to figure out how to configure HTTPS on 2.2.1.Final. I've done it on 2.1.0.Final and had it functioning. I used to put the following into *standalone/configuration/keycloak-server.json*
>>
>> "connectionsHttpClient": {
>>     "default": {},
>>     "client-keystore": "${jboss.home.dir}/standalone/configuration/keycloak.jks",
>>     "client-keystore-password": "TPF-KCVM-KCKEYSTOREPASS",
>>     "client-key-password": "TPF-KCVM-KCKEYSTOREPASS"
>> },
>>
>> Now I understand there is no more JSON file. I'm having issues getting the XML version running in standalone/configuration/standalone.xml.
>>
>> I looked at https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html and now I've got this:
>>
>> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/>
>> value="Test1234"/>
>> value="Test1234"/>
>>
>> And also:
>>
>> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/>
>> value="Test1234"/>
>> name="hostname-verification-policy" value="WILDCARD"/>
>> value="false"/>
>>
>> However, when I start Keycloak I get this error:
>>
>> 18:07:46,305 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
>> at org.jboss.as.server.ServerService.boot(ServerService.java:356)
>> at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.xml.stream.XMLStreamException: Unknown keycloak-server subsystem tag: property
>> at org.keycloak.subsystem.server.extension.KeycloakSubsystemParser.readElement(KeycloakSubsystemParser.java:82)
>> at org.keycloak.subsystem.server.extension.KeycloakSubsystemParser.readElement(KeycloakSubsystemParser.java:56)
>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
>> at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
>> at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
>> at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
>> ... 3 more
>>
>> 18:07:46,306 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>
>> Did I do it wrong?
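The boot failure says the keycloak-server subsystem parser met a <property> element where it did not expect one. In the 2.2 XML layout the linked documentation describes, properties sit under <spi>/<provider>/<properties>; the Python below (an added example, not from the thread or the Keycloak project) checks a subsystem fragment for that nesting and also flags keystore passwords written as literals rather than as ${...} expressions that WildFly resolves at boot. Both XML fragments are constructed, and the ${env.KC_...} variable names are placeholders.

```python
"""Structural check for a keycloak-server subsystem fragment (added example).

Assumptions: properties belong at subsystem/spi/provider/properties/property,
as in the 2.2 documentation; the two fragments below are constructed, and the
${env.KC_...} names are placeholders for whatever secret source is used.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Tuple

EXPECTED_PARENTS = ["subsystem", "spi", "provider", "properties"]

# Constructed fragment with <property> placed directly under <spi>, which is
# the kind of placement the subsystem parser rejects.
BROKEN_FRAGMENT = """<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <spi name="connectionsHttpClient">
    <provider name="default" enabled="true"/>
    <property name="client-keystore" value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/>
    <property name="client-keystore-password" value="Test1234"/>
  </spi>
</subsystem>"""

# Constructed fragment with the documented nesting and the passwords supplied
# through expressions instead of literals.
CORRECT_FRAGMENT = """<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <spi name="connectionsHttpClient">
    <provider name="default" enabled="true">
      <properties>
        <property name="client-keystore" value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/>
        <property name="client-keystore-password" value="${env.KC_CLIENT_KEYSTORE_PASSWORD}"/>
        <property name="client-key-password" value="${env.KC_CLIENT_KEY_PASSWORD}"/>
      </properties>
    </provider>
  </spi>
</subsystem>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree adds for xmlns-qualified tags."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _walk(elem: ET.Element, path: List[str]) -> Iterator[Tuple[ET.Element, List[str]]]:
    """Yield every descendant with its path of local tag names from the root."""
    for child in elem:
        child_path = path + [_local(child.tag)]
        yield child, child_path
        yield from _walk(child, child_path)


def find_misplaced_properties(subsystem_xml: str) -> List[str]:
    """Names of <property> elements not nested as subsystem/spi/provider/properties/property."""
    root = ET.fromstring(subsystem_xml)
    return [
        child.get("name", "?")
        for child, path in _walk(root, [_local(root.tag)])
        if path[-1] == "property" and path[:-1] != EXPECTED_PARENTS
    ]


def spi_properties(subsystem_xml: str, spi_name: str) -> Dict[str, str]:
    """name -> value for the correctly nested properties of one SPI's providers."""
    root = ET.fromstring(subsystem_xml)
    result: Dict[str, str] = {}
    for child, path in _walk(root, [_local(root.tag)]):
        if path == EXPECTED_PARENTS[:2] and child.get("name") == spi_name:
            for node, sub_path in _walk(child, path):
                if sub_path == EXPECTED_PARENTS + ["property"]:
                    result[node.get("name", "?")] = node.get("value", "")
    return result


def literal_secrets(subsystem_xml: str) -> List[str]:
    """Password-like properties whose value is a literal instead of a ${...} expression."""
    root = ET.fromstring(subsystem_xml)
    return [
        child.get("name", "?")
        for child, path in _walk(root, [_local(root.tag)])
        if path[-1] == "property"
        and "password" in child.get("name", "").lower()
        and not child.get("value", "").startswith("${")
    ]


if __name__ == "__main__":
    for label, fragment in (("broken", BROKEN_FRAGMENT), ("correct", CORRECT_FRAGMENT)):
        print(label, "misplaced:", find_misplaced_properties(fragment),
              "literal secrets:", literal_secrets(fragment))
```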
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160923/e24145ac/attachment-0001.html

From mrrothstein at gmail.com Fri Sep 23 22:18:08 2016
From: mrrothstein at gmail.com (Steve Chernyak)
Date: Fri, 23 Sep 2016 22:18:08 -0400
Subject: [keycloak-user] SecurityContextHolder.getContext().getAuthentication() is null in spring boot
Message-ID:

I'm trying to configure keycloak with a spring boot application. I followed the adapter configuration steps for open id. I'm able to get authentication working.

I have the following dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-spring-boot-adapter</artifactId>
        <version>${keycloak.version}</version>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-tomcat8-adapter</artifactId>
        <version>${keycloak.version}</version>
    </dependency>
    ...
    <keycloak.version>2.2.0.Final</keycloak.version>

I have the following application properties:

    security.basic.enabled=false
    keycloak.realm=TestRealm
    keycloak.realmKey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkz/W3jWdRGrRtklEldftShutJOy+WFhf2Kd7uPqk1F4ABs2RlTDOBWItW7j6zLAEuqOJIU1YLR8rwcW82/z3sUNblehP6nPH3ciZoBAn6THO/pB/BJ4Tq/oQ1GC0oYBb9kTQa3Aq7AQWkcpPVFGa70gaRZfeDk6GeucBa45PpHZgg+6YnGuCAJOi2SEkJBBJmXQyQtFvEtK2nIcche7WjXYIA/Eu/Aaz/b55OwFlxYbKxr6UQClGV+TZQsnVwbNdJMFH9ysrl6tAtROa38e/+ScoODh1CH0I2x6PEmB04bV4bx8iaXLwJotioRb/4xMMsx/+EBXYwd1o0Nw2OazksQIDAQAB
    keycloak.auth-server-url=http://172.17.0.2:8080/auth
    keycloak.ssl-required=external
    keycloak.resource=test-client
    keycloak.credentials.secret=e215d192-b9c9-4ebb-86e0-e0b46d21825c
    keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
    keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
    keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /kennel/ping

I've confirmed my service method:

    @RestController
    @RequestMapping("/kennel")
    @Validated
    public class Kennel {
        ...
        @RequestMapping(value = "/ping", method = RequestMethod.GET)
        public final String ping() {
            return String.valueOf(SecurityContextHolder.getContext().getAuthentication());
        }
        ...
    }

Is only executed when a user with the "user" role logs in and fails with a 403 otherwise. However, when a valid user with a correct role does log in, the result is "null". What do I need to change/add to get the context populated with an authentication object?

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160923/cff6f36c/attachment.html

From huazonglin at gmail.com Sun Sep 25 23:21:12 2016
From: huazonglin at gmail.com (Joey)
Date: Mon, 26 Sep 2016 11:21:12 +0800
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

Thanks Guys, sorry for replying so late. I will try your solutions later. Thanks.

On Thu, Sep 22, 2016 at 8:39 PM, Thomas Darimont wrote:
> Hello,
>
> I adapted an Android based OpenID Connect Demo Application to work with
> Keycloak.
> In Keycloak I created a confidential client with direct access grants as
> Scott described.
>
> https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo
> See the recent commits in the feature/keycloak-oidc-demo branch.
>
> Cheers,
> Thomas
>
> 2016-09-22 13:57 GMT+02:00 Scott Rossillo :
>>
>> You can do that using direct access grants if you search the docs for it.
>> However, we have native apps and just skinned our login pages to be
>> responsive and look great on mobile.
>>
>> The latter option is a better approach especially if you plan to implement
>> 2FA.
>>
>> On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
>>>
>>> Hi Guys,
>>>
>>> We are building a system, including 3 subsystems for a big website,
>>> and iOS and Android apps. We use KeyCloak as the SSO server for all
>>> subsystems, and then we also want to use KeyCloak for iOS and Android
>>> as the login server. But for iOS and Android we want to use a native login
>>> page, not the html page provided by the KeyCloak adapter, but I read all
>>> documents and discussions and I didn't find a way to implement it.
>>> Anybody can help me? Thanks.
>>>
>>>
>>> Joey
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From lganga14 at gmail.com Mon Sep 26 00:28:49 2016
From: lganga14 at gmail.com (Ganga Lakshmanasamy)
Date: Mon, 26 Sep 2016 09:58:49 +0530
Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client
In-Reply-To:
References:
Message-ID:

Hi,

We are getting the "NOT_ATTEMPTED: bearer only" error while trying to access our backend rest service, which has access type bearer only, from our public angular js based client. We are setting the "Authorization" header in our request but it looks like the adapter is not able to recognize the header with the bearer token.

Please help us resolve the issue. We have validated the client settings and the configs seem to be proper.

*Note*: We are able to invoke the rest services with the same bearer token from other rest clients like Postman and Advanced REST Client for Chrome. The issue comes up only when we try from our angular js code.

Regards,
Ganga Lakshmanasamy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/5c0d5e53/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
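Returning to Steve Chernyak's Spring Boot question above, an added example (not code from Steve's post and not the Keycloak project's own code). In 2.x the Spring Boot adapter plugs the Keycloak authenticator into the embedded Tomcat, so authentication is container-managed and nothing populates Spring Security's SecurityContextHolder; the identity lives on the servlet request instead, as the KeycloakSecurityContext request attribute and as the KeycloakPrincipal returned by getUserPrincipal(), and the controller below reads it from there. Populating SecurityContextHolder needs the keycloak-spring-security-adapter and a KeycloakWebSecurityConfigurerAdapter subclass, the setup Ioan describes later in this thread; a minimal one is included. The class name, "/kennel/ping" and the role "user" follow Steve's post; the package name and everything else are assumptions.

```java
// Added example, not from the thread. Assumes keycloak-spring-boot-adapter 2.2.x with the
// embedded Tomcat adapter (container-managed auth) for Kennel, and
// keycloak-spring-security-adapter 2.2.x for SecurityConfig.
package example.kennel; // hypothetical package

import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/kennel")
public class Kennel {

    // Container-managed auth (Spring Boot adapter): read the identity from the request,
    // not from SecurityContextHolder, which the Tomcat valve never touches.
    @RequestMapping(value = "/ping", method = RequestMethod.GET)
    public String ping(HttpServletRequest request) {
        KeycloakSecurityContext ctx = keycloakContext(request);
        if (ctx == null) {
            // Only reachable for paths not covered by keycloak.securityConstraints
            return "anonymous";
        }
        AccessToken token = ctx.getToken();
        return token.getPreferredUsername() + " realmRoles=" + realmRoles(token);
    }

    /** The adapter stores its context as a request attribute keyed by the class name. */
    static KeycloakSecurityContext keycloakContext(HttpServletRequest request) {
        Object attr = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        // Same information via the container principal the adapter sets
        Principal principal = request.getUserPrincipal();
        if (principal instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        }
        return null;
    }

    /** Realm roles carried in the access token; empty if the token has none. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access realm = token.getRealmAccess();
        return realm == null ? Collections.<String>emptySet() : realm.getRoles();
    }
}

/**
 * Only needed when SecurityContextHolder must carry the Keycloak identity. Requires the
 * keycloak-spring-security-adapter dependency and a keycloak.json on the classpath
 * (System property keycloak.configurationFile=classpath:keycloak.json).
 */
@Configuration
@EnableWebSecurity
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            // this adapter grants Keycloak role names as-is, without a ROLE_ prefix
            .antMatchers("/kennel/**").hasAuthority("user")
            .anyRequest().permitAll();
    }
}
```

With the Spring Security adapter in place, SecurityContextHolder.getContext().getAuthentication() returns a KeycloakAuthenticationToken whose principal is the same KeycloakPrincipal shown above, so the original ping() body starts returning a value instead of "null". Keep the realm public key and the client secret out of application.properties in anything beyond a local test; they belong in an externalized configuration source.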
Name: client.png
Type: image/png
Size: 54278 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/5c0d5e53/attachment-0001.png

From sthorger at redhat.com Mon Sep 26 02:37:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 26 Sep 2016 08:37:51 +0200
Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client
In-Reply-To:
References:
Message-ID:

How are you getting the token in the angular js based client? Are you using keycloak.js?

You can try to verify the token at jwt.io to check if it's valid.

On 26 September 2016 at 06:28, Ganga Lakshmanasamy wrote:
> Hi,
>
> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to
> access our backend rest service, which has access type bearer only, from
> our public angular js based client.
> We are setting the "Authorization" header in our request but it looks like
> the adapter is not able to recognize the header with the bearer token.
>
> Please help us resolve the issue. We have validated the client settings
> and the configs seem to be proper.
>
> *Note*: We are able to invoke the rest services with the same bearer token
> from other rest clients like Postman and Advanced REST Client for Chrome.
> The issue comes up only when we try from our angular js code.
>
> Regards,
> Ganga Lakshmanasamy
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/6db15e00/attachment.html From sthorger at redhat.com Mon Sep 26 02:40:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 26 Sep 2016 08:40:50 +0200 Subject: [keycloak-user] ws-federation in keycloak In-Reply-To: References: Message-ID: We don't have any plans to introduce WS-Fed support as it doesn't have enough demand and we have plenty of other higher priority things to work on. The PR that we received was not complete and we didn't have the time ourselves to finish the work so we couldn't accept it. On 21 September 2016 at 14:45, Nalyvayko, Peter wrote: > Hi, > > Any news about "KEYCLOAK-2000 WS-Fed support for both protocol and broker > #1766" pull request? > Thanks! > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/5be6c207/attachment.html From lganga14 at gmail.com Mon Sep 26 03:06:16 2016 From: lganga14 at gmail.com (Ganga Lakshmanasamy) Date: Mon, 26 Sep 2016 12:36:16 +0530 Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client In-Reply-To: References: Message-ID: Hi, Yes, we are using keycloak.js for token generation. We tried invoking the url and got the response as shown in attached screenshot. Please let us know if we are missing out any. Regards, Ganga Lakshmanasamy On Mon, Sep 26, 2016 at 12:07 PM, Stian Thorgersen wrote: > How are you getting the token in the angular js based client? Are you > using keycloak.js? > > You can try to verify the token at jwt.io to check if it's valid. 
>
> On 26 September 2016 at 06:28, Ganga Lakshmanasamy wrote:
>
>> Hi,
>>
>> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to
>> access our backend rest service, which has access type bearer only, from
>> our public angular js based client.
>> We are setting the "Authorization" header in our request but it looks like
>> the adapter is not able to recognize the header with the bearer token.
>>
>> Please help us resolve the issue. We have validated the client settings
>> and the configs seem to be proper.
>>
>> *Note*: We are able to invoke the rest services with the same bearer token
>> from other rest clients like Postman and Advanced REST Client for Chrome.
>> The issue comes up only when we try from our angular js code.
>>
>> Regards,
>> Ganga Lakshmanasamy
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/9e73a1de/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: screenshot-jwt.io 2016-09-26 12-19-11.png
Type: image/png
Size: 108279 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/9e73a1de/attachment-0001.png

From Stefan.Kasala at posam.sk Mon Sep 26 03:46:24 2016
From: Stefan.Kasala at posam.sk (KASALA Štefan)
Date: Mon, 26 Sep 2016 07:46:24 +0000
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
In-Reply-To:
References:
Message-ID: <4a9d5d7e814844688de32257d943ff48@posam.sk>

Hello,

Please let me know if you need more information to make the problem easier to understand. Thanks a lot.
Stefan

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org]
Sent: Thursday, September 22, 2016 10:55 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Hello all,

We have the keycloak-2.1.0.Final server and keycloak-as7-adapter-2.1.0 adapter version installed. We are trying to configure an https proxy / lb for the keycloak server. I am getting the following error from the keycloak adapter after a successful sign in to the keycloak server. Here is the keycloak adapter log part:

2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-connect/auth?response_type=code&client_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&code=Q_sNdYGZ-St2psIoJwvTZCJTUgrvGwRlYaUprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
        at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
        at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]

Our keycloak adapter config (the XML element names were lost in the archive; only the values survive):

public key string... ${keycloak.auth.url:/auth} preferred_username true true governance rtgov-ui password governance overlord-rtgov true password

Could you please help us, how can we fix this? Thanks a lot.

Stefan Kasala.

________________________________
This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/5472a14f/attachment-0001.html

From valerij.timofeev at gmail.com Mon Sep 26 07:53:32 2016
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Mon, 26 Sep 2016 13:53:32 +0200
Subject: [keycloak-user] OIDC certification: single logout with mod_auth_openidc
Message-ID:

Hi,

I wonder whether the topic of Session Management will be covered by the OIDC certification https://issues.jboss.org/browse/KEYCLOAK-524

I'm asking this question because there is an issue with single logout in mod_auth_openidc: According to the main mod_auth_openidc project's contributor Hans Zandbelt the implementation in Keycloak "is not an implementation of OpenID Connect's Session Management. Looking at the spec: http://openid.net/specs/openid-connect-session-1_0.html#OPiframe..."
Details can be found in https://github.com/pingidentity/mod_auth_openidc/issues/175

Best regards
Valerij
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/c98c0455/attachment.html

From sthorger at redhat.com Mon Sep 26 09:06:12 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 26 Sep 2016 15:06:12 +0200
Subject: [keycloak-user] Setting up a Keycloak Domain Cluster
In-Reply-To: <786757678.17224411.1474578253974.JavaMail.root@centurylink.net>
References: <406634199.17082990.1474569955255.JavaMail.root@centurylink.net> <786757678.17224411.1474578253974.JavaMail.root@centurylink.net>
Message-ID:

I think that's pretty self explanatory. Token is issued by 'http://slaveKCInstance.ourcompanyname.com:8230', while the adapter is expecting 'http://masterKCInstance.ourcompanyname.com:8230'. You need a load balancer in front of your nodes so the applications talk to "https://kc.ourcompany.com".

On 22 September 2016 at 23:04, i.pop at centurylink.net wrote:
> Additional info to make my case clearer. This is what I get from my
> targeted microservice process log:
> org.keycloak.common.VerificationException: Token audience doesn't match
> domain. Token issuer is
> http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices,
> but URL from configuration is
> http://masterKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices
>         at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49)
>         at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
>         at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>         at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>         at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65)
>         at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:137)
>         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
>
> Do I need to change the configuration of my SecurityConfig class (which
> has the current implementation as public class SecurityConfig extends
> KeycloakWebSecurityConfigurerAdapter)?
> Thanks,
> ioan
>
> ------------------------------
> From: "i pop"
> To: stian at redhat.com
> Cc: "keycloak-user"
> Sent: Thursday, September 22, 2016 1:45:55 PM
> Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster
>
> Thank you Stian for your message. I have gotten the cluster working in
> the domain mode (just two nodes: master & slave):
> MASTER NODE LOG:
> [Server:server-one] 12:33:37,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,master:server-one) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
> [Server:server-one] 12:33:38,411 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t6) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[master:server-one: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one: 30, slave1:server-two: 30]}, unionCH=null, actualMembers=[master:server-one, slave1:server-two]}
> [Server:server-one] 12:33:38,419 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
> SLAVE NODE LOG:
> [Server:server-two] 12:33:38,179 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
>
> THE ISSUE IS NOW how to test this working cluster. It looks like the
> content of the Keycloak string pattern generated by the master's Keycloak
> instance (and added to each microservice's keycloak.json file) HAS NOT
> CHANGED: I still get the same "auth-server-url" info as before, when I
> had a non-working cluster; no reference to the other node members of
> the working cluster:
> {
>   "realm": "SearchMicroservices",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh",
>   "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
>   "ssl-required": "external",
>   "resource": "LDAPSearch-Microservice",
>   "credentials": {
>     "secret": "235b2960-1b6f-48bd-a5c4-069b5fc5cc16"
>   },
>   "use-resource-role-mappings": true
> }
>
> If I stop the Keycloak instance running on the master node (from the
> WildFly management interface) and I send a client search request message
> to one of my running applications registered in the realm as clients, I was
> expecting the request to be redirected by the load-balancer to the
> running slave Keycloak instance (node: "http://slaveKCInstance.ourcompanyname.com:8230/auth"),
> get a valid access_token from it, then my client request message (along with
> the generated bearer token) sent to my targeted resource should get a
> response message. It does not happen like this. What I get is this:
> {"path":"\/v1\/ldap\/DBResource\/resourceName","error":"Unauthorized","message":"Unable to authenticate bearer token","timestamp":1474566606034,"status":401}
> The same outcome as described in my initial message sent to you. Can you
> please tell me what is wrong in my testing procedure?
> Thanks,
> Ioan
>
> ------------------------------
> From: "Stian Thorgersen"
> To: "i pop"
> Cc: "keycloak-user"
> Sent: Tuesday, September 20, 2016 3:03:09 AM
> Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster
>
> Doesn't sound like you have a working clustering setup. Please take a look
> at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html.
>
> On 18 September 2016 at 04:15, i.pop at centurylink.net wrote:
>
>> Hi,
>> I work on a POC to use Keycloak to secure a set of microservices (Java
>> written Spring Boot & Gradle projects).
>> I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master
>> running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have
>> installed a shared (MySql) db to replace the embedded H2 db.
>> I have configured a Keycloak Domain Mode cluster using the keycloak
>> documentation "Server Installation and Configuration Guide".
>> 1. I have logged on the master keycloak server and configured my new
>> Realm that has my microservice processes as clients. I have added
>> roles, users, groups, etc. The realm configuration of the master keycloak
>> instance got replicated on the slave instances (I can see the cluster
>> running when logging on to the WildFly Management Interface).
>> 2. I have added to all microservice java projects the keycloak securing
>> code:
>> 2.1 Created a keycloak.json file whose content was generated by the
>> MASTER keycloak server (Client's "Installation" utility)
>> 2.2 Added to the project's Application class a system property, to
>> target the keycloak.json file generated by the MASTER keycloak
>> instance: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
>> 2.3 Created a new config package class: public class
>> SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
>> 2.4 Added to the build.gradle file the keycloak spring security adapter
>> compilation:
>> compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
>> Note. I have compared the content of the json format code generated by
>> the Client "Installation" utility of the slave instances against the master
>> instance and, THE ONLY DIFFERENCE is the *"auth-server-url"* line
>> (having the specific node URL address)
>> 3. Now, I want to do the test of accessing particular resources of my
>> microservice applications (additional info: I did not implement any
>> load-balancer in front of the keycloak cluster):
>> I have created a simple java program that uses a Basic Authorization
>> procedure to get an access token, and then uses this token to send request
>> messages to my microservice application and get the expected response
>> messages.
>> - When I use the MASTER instance's authorization endpoint to get an
>> access token, I get the expected response message (because, I presume, my
>> microservice application's attached keycloak.json file has HARDCODED content
>> generated by the MASTER instance & containing the MASTER's authorization
>> endpoint).
>> - When I use either SLAVE keycloak instance's authorization & token
>> generation endpoint to generate an access token, my request fails with a
>> 401 error: "Unable to authenticate bearer token"
>> I believe or feel I use a wrong approach to solve my problem. My
>> microservice applications (at this time) DO NOT KNOW anything about whether I
>> use a domain mode cluster or a simple standalone keycloak
>> instance (the attached keycloak.json file has ONLY one keycloak instance's
>> (the MASTER's) "auth-server-url" info).
>> Here, I need your help to enlighten me. Is there another approach to
>> handle my problem? There should be, otherwise why write about Domain Mode in
>> the Keycloak Release documentation. Unfortunately, I have not found (yet)
>> detailed info on how to configure a Keycloak Domain Cluster and how to do
>> test simulations with it. I would appreciate any help on this issue.
>> Thanks,
>> Ioan
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
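Two messages in this thread report, from the adapter's side, a bearer check that failed: Ganga's "NOT_ATTEMPTED: bearer only" (the adapter found no Authorization: Bearer header on the request) and Ioan's "Token audience doesn't match domain" (the token's iss claim is not <auth-server-url>/realms/<realm> as built from the adapter's keycloak.json). An added example, not code from either message, from keycloak.js or from the Keycloak adapters: a small Node.js script that reproduces those two checks plus the expiry check client-side, so the token a browser or test client is about to send can be inspected before the call (Stian's jwt.io suggestion, scripted). The realm name, client id and the two auth-server-urls are taken from Ioan's messages; the token the script builds is constructed for the demo, with invented claims and a placeholder signature. Signature verification against the realm public key is the adapter's job and is deliberately not done here.

```javascript
'use strict';
// Added example, not part of the thread. Node.js only: no keycloak.js, no network.
// It mirrors, client-side, three checks the Java adapter applies to a request: is
// there a bearer header, does the token's iss match the adapter config, has it expired.
// The signature is NOT verified here; the adapter does that with the realm public key.

function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Header and payload of a compact JWT, or null if the string is not one.
function decodeJwt(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
  } catch (e) {
    return null;
  }
}

// First thing a bearer-only adapter does: look for "Authorization: Bearer <token>".
// No such header gives NOT_ATTEMPTED, and the response is the "bearer only" challenge.
// A browser CORS preflight (OPTIONS) never carries this header.
function extractBearer(headers) {
  const name = Object.keys(headers || {}).find(k => k.toLowerCase() === 'authorization');
  const m = name ? /^Bearer\s+(\S+)$/i.exec(String(headers[name]).trim()) : null;
  return m ? { outcome: 'ATTEMPTED', token: m[1] } : { outcome: 'NOT_ATTEMPTED', token: null };
}

// Issuer the adapter expects, built from keycloak.json exactly as deployed.
function expectedIssuer(adapterConfig) {
  return adapterConfig['auth-server-url'].replace(/\/+$/, '') + '/realms/' + adapterConfig.realm;
}

// Problems the adapter would report for this token; an empty array means none found.
function checkToken(token, adapterConfig, nowSeconds) {
  const jwt = decodeJwt(token);
  if (!jwt) return ['malformed token'];
  const p = jwt.payload;
  const problems = [];
  if (p.typ !== 'Bearer') problems.push('typ is ' + p.typ + ', expected Bearer');
  const iss = expectedIssuer(adapterConfig);
  if (p.iss !== iss) problems.push('issuer mismatch: token iss ' + p.iss + ' != ' + iss);
  if (typeof p.exp === 'number' && p.exp <= nowSeconds) problems.push('expired at ' + p.exp);
  return problems;
}

// The whole client-side pre-check for one request.
function diagnose(headers, adapterConfig, nowSeconds) {
  const bearer = extractBearer(headers);
  if (bearer.outcome === 'NOT_ATTEMPTED') {
    return { outcome: bearer.outcome, problems: ['no Authorization: Bearer header'] };
  }
  return { outcome: bearer.outcome, problems: checkToken(bearer.token, adapterConfig, nowSeconds) };
}

// Constructed demo token: invented claims, placeholder signature (nothing here verifies it).
function sampleToken(overrides) {
  const payload = Object.assign({
    typ: 'Bearer',
    iss: 'http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices',
    azp: 'LDAPSearch-Microservice',
    preferred_username: 'ioan',
    exp: 1474567000,
  }, overrides || {});
  const header = { alg: 'RS256', typ: 'JWT' };
  return [b64urlEncode(JSON.stringify(header)), b64urlEncode(JSON.stringify(payload)), 'c2lnbmF0dXJl'].join('.');
}

// Constructed adapter configs mirroring Ioan's keycloak.json: one pinned to the master
// node, one pointing at the node that actually issued the token.
const MASTER_ONLY = { realm: 'SearchMicroservices', 'auth-server-url': 'http://masterKCInstance.ourcompanyname.com:8230/auth' };
const SLAVE = { realm: 'SearchMicroservices', 'auth-server-url': 'http://slaveKCInstance.ourcompanyname.com:8230/auth/' };
```

Run `diagnose({ Authorization: 'Bearer ' + token }, config, Math.floor(Date.now() / 1000))` with a real token pasted from keycloak.js to see the same verdict the adapter would reach, minus the signature. One cause consistent with Ganga's observation (works from Postman, fails from Angular) is that a cross-origin call from the browser is preceded by an OPTIONS preflight without Authorization; a bearer-only adapter that does not have CORS enabled (enable-cors in keycloak.json) answers that preflight with the "bearer only" challenge and the real request is never sent. For Ioan's case the check confirms Stian's point: every node must issue tokens under the one auth-server-url the clients are configured with, which in practice means a load balancer address on both sides.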
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/f4c2b2f4/attachment-0001.html From sthorger at redhat.com Mon Sep 26 09:08:11 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 26 Sep 2016 15:08:11 +0200 Subject: [keycloak-user] Keycloak expert In-Reply-To: References: Message-ID: Hi, Red Hat provides professional support for Keycloak, see https://access.redhat.com/products/red-hat-single-sign-on for more information. On 22 September 2016 at 12:42, Christopher Davies < christopher.james.davies at gmail.com> wrote: > I am not sure that this is the correct place to ask. > We are looking to use Keycloak as part of our product offering. > > We are looking for an expert who can help use put together a packaged > solution that matches our clients needs and > to validate our Keycloak solution to check that we have not missed > anything. > > Please feel free to contact me if you know anyone who can help with this. > > Sorry again if this is the wrong forum for such a request. > > Chris Davies > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160926/092a785b/attachment.html From mposolda at redhat.com Mon Sep 26 10:46:19 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 26 Sep 2016 16:46:19 +0200 Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated In-Reply-To: <4a9d5d7e814844688de32257d943ff48@posam.sk> References: <4a9d5d7e814844688de32257d943ff48@posam.sk> Message-ID: <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com> It seems you need to configure truststore on adapter side, so the adapter (which uses Apache HTTP Client under the hood) is able to communicate with Keycloak server and trust it. 
You can take a look at the docs and see the options related to the truststore [1].

[1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html

Marek

On 26/09/16 09:46, KASALA Štefan wrote:
>
> Hello,
>
> Please let me know if you need more information to understand the problem
> better. Thanks a lot.
>
> Stefan
>
> *From:* keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org]
> *Sent:* Thursday, September 22, 2016 10:55 AM
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException:
> peer not authenticated
>
> Hello all,
>
> We have the keycloak-2.1.0.Final server and the keycloak-as7-adapter-2.1.0
> adapter version installed. We are trying to configure an https proxy / lb
> for the keycloak server. I am getting the following error from the keycloak
> adapter after a successful sign in to the keycloak server. Here is the
> keycloak adapter log part:
>
> 2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
> 2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
> 2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
> 2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
> 2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
> 2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
> 2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
> 2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
> 2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-connect/auth?response_type=code&client_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
> 2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&code=Q_sNdYGZ-St2psIoJwvTZCJTUgrvGwRlYaUprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
> 2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
> 2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
> 2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
> 2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
> 2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
> 2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
> 2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
> 2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
>     at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
>
> Our keycloak adapter config:
>
> [XML element names were lost in the archive rendering; only the element values survive]
>
> public key string?
> ${keycloak.auth.url:/auth}
> preferred_username
> true
> true
>
> governance
> rtgov-ui
> password
>
> governance
> overlord-rtgov
> true
> password
>
> Could you please help us, how can we fix this? Thanks a lot.
>
> Stefan Kasala.
>
> ------------------------------------------------------------------------
>
> This message is for the designated recipient only and may contain
> confidential or internal information. If you have received it in
> error, please notify the sender immediately and delete the original.
> Any other use of the e-mail by you is prohibited.
From bburke at redhat.com Mon Sep 26 10:47:58 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 26 Sep 2016 10:47:58 -0400
Subject: [keycloak-user] OIDC certification: single logout with mod_auth_openidc
In-Reply-To:
References:
Message-ID:

Our Javascript adapter supports the iframe session management stuff.

Also, OIDC added a logout endpoint. See the front and back channel logout
specs: http://openid.net/connect/

We may do something proprietary here, but there is no reason we can't support
those new specs.

On 9/26/16 7:53 AM, Valerij Timofeev wrote:
> Hi,
>
> I wonder whether the topic of Session Management will be covered by
> the OIDC certification
> https://issues.jboss.org/browse/KEYCLOAK-524
>
> I'm asking this question because there is an issue with single logout
> in mod_auth_openidc:
> According to the main mod_auth_openidc project's contributor Hans
> Zandbelt the implementation in Keycloak "is not an implementation of
> OpenID Connect's Session Management. Looking at the spec:
> http://openid.net/specs/openid-connect-session-1_0.html#OPiframe..."
>
> Details can be found in
> https://github.com/pingidentity/mod_auth_openidc/issues/175
>
> Best regards
> Valerij
From mposolda at redhat.com Mon Sep 26 10:53:20 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Sep 2016 16:53:20 +0200
Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie.
In-Reply-To:
References: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com>
Message-ID:

It's strongly recommended to use our keycloak.js adapter. It doesn't use
cookies to maintain state. See our examples for it in the example
distribution.

If you handle things manually, you need to take care of various things (like
refreshes etc.) and for logout, you of course need to take care of manually
removing all the OAuth related state from your application and possibly
remove cookies (if your application is using them).

Marek

On 22/09/16 02:01, Sean Schade wrote:
> Do I need to use the Keycloak JS adapter in our Angular app in order
> to get logout to work correctly? I thought we would be fine with just
> the openid-connect logout url. It looks like the adapter clears the
> token in the browser.
>
> https://github.com/keycloak/keycloak/tree/master/adapters/oidc/js/src/main/resources
>
> On Wed, Sep 21, 2016 at 2:08 PM, Sean Schade wrote:
>
> > Thanks Scott for replying. We don't use an adapter. We have an
> > Angular app that makes HTTP calls to backend services. All of our
> > services are behind a Keycloak Security Proxy.
> >
> > We are migrating away from Oracle OAM to Keycloak, and with Oracle
> > navigating to the logout link was sufficient. I assumed the same
> > would be true for Keycloak.
> >
> > I initially thought this might be the bug:
> > https://issues.jboss.org/browse/KEYCLOAK-3311
> >
> > However, after looking at the logs in Keycloak when I click the
> > Logout button in our app I see the following errors.
> >
> > 18:55:10,630 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: null
> > Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: empty host name
> >     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:540)
> >     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:743)
> >
> > Perhaps it is a combination of the Keycloak Security Proxy and
> > some misconfiguration? I'm not really sure at this moment.
> >
> > Is my assumption correct that we do not need an adapter for oidc
> > logout?
> >
> > On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo wrote:
> >
> > > Which adapter are you using?
> > >
> > > Scott Rossillo
> > > Smartling | Senior Software Engineer
> > > srossillo at smartling.com
> > >
> > > > On Sep 21, 2016, at 2:03 PM, Sean Schade wrote:
> > > >
> > > > We are having an issue where our browser application will
> > > > initiate a logout, but after redirecting back to the
> > > > application the user is not taken to the login screen. It
> > > > appears the user is still logged in, and can fully access the
> > > > application. I can see the session removed in the Keycloak Admin
> > > > UI. However, it appears the cookie never gets invalidated.
> > > > Here is the redirect URL we use. Are we missing some
> > > > configuration step in the client? I have standard flow,
> > > > implicit flow, and direct access grants enabled. Valid
> > > > redirect URIs, Base URL, and web origins are all configured
> > > > in the client. Admin URL is not set as we are relying only on
> > > > browser logout.
> > > >
> > > > https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/

From matt.inbox at outlook.com Mon Sep 26 15:42:10 2016
From: matt.inbox at outlook.com (Matt H)
Date: Mon, 26 Sep 2016 19:42:10 +0000
Subject: [keycloak-user] Communication between Keycloak and Spring Security Adapter
Message-ID:

Hi,

I'm trying to get a better understanding of the communication between Keycloak
and spring security client applications. If I'm understanding the
authentication/authorization flow, it would be something like:

1. User (or client application) logs in to the application
2. Spring security redirects to Keycloak
3. Keycloak verifies the user and creates a JWT
4. Redirects the user with the JWT back to the application
5. Verifies the JWT
6. Sends the response to the client

For step #5, verification: Does spring security verify the JWT locally, or is
the token sent back to Keycloak for verification? I'm wondering how much
"chatter" there is between Spring security and Keycloak for every request.

If a user already has a non-expired JWT, does it just do steps 5-6 until it
expires? Once it expires, it requests a new JWT from Keycloak?

Thanks,
Matt
From Stefan.Kasala at posam.sk Tue Sep 27 02:02:19 2016
From: Stefan.Kasala at posam.sk (KASALA Štefan)
Date: Tue, 27 Sep 2016 06:02:19 +0000
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
In-Reply-To: <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com>
References: <4a9d5d7e814844688de32257d943ff48@posam.sk> <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com>
Message-ID: <0b1790fad7294dd389a2d80d42da2733@posam.sk>

Hello,

Thanks for the tip. If you check my first email, I already tried this
configuration for the adapter.

Our keycloak adapter config [XML element names were lost in the archive
rendering; only the values survive]:

...
true
...

We also tried:

...
/etc/pki/ca-trust/extracted/java/cacerts
cacerts_password
...

But in all cases we get the exception - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Stefan
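Marek's point above is that the adapter's Apache HttpClient has to trust the certificate the proxy / LB presents, and the trace in the first message shows the failure surfacing in the hostname-verification step (AbstractVerifier.verify calling getPeerCertificates). Before changing adapter settings, two things are worth establishing on their own: does the leaf the LB serves chain to a CA present in the truststore the adapter actually uses (a system bundle such as /etc/pki/ca-trust/extracted/java/cacerts only helps if the issuing CA was added to it), and does the leaf's subjectAltName cover the host in auth-server-url. The script below is an added example, not part of the thread or of Keycloak, that reproduces both checks offline: it mints a throwaway private CA and a leaf for the hostname from the log, verifies the leaf against the CA and against an empty trust store, checks the SAN, and, if keytool is available, builds the JKS that the adapter's truststore / truststore-password settings would point at. The CA name, alias, keystore password and working directory are assumptions for the demo; against a live LB, the chain to feed verify_leaf is the one printed by openssl s_client with -showcerts.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the adapter's trust decision
# offline with openssl. Assumptions: openssl on PATH, keytool (JDK) optional,
# CA name / alias / password chosen for the demo only.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
LB_HOST="lbbams.intra.dcom.sk"          # host from the adapter log above

make_certs() {
  # Private CA, the usual issuer for an internal proxy / LB certificate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Internal Test CA" 2>/dev/null
  # Leaf for the LB; the hostname goes into subjectAltName because that is
  # what the hostname verifier in the adapter's HttpClient matches against
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/lb.key" -out "$WORK/lb.csr" -subj "/CN=$LB_HOST" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$LB_HOST" >"$WORK/san.cnf"
  openssl x509 -req -sha256 -days 1 -in "$WORK/lb.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/lb.pem" 2>/dev/null
}

# Prints OK when the LB leaf chains to the CA bundle given as $1, FAIL otherwise.
# Against a live LB the bundle to test is what this prints:
#   openssl s_client -connect "$LB_HOST:443" -servername "$LB_HOST" -showcerts
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/lb.pem" 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# Prints yes when the leaf's subjectAltName covers host $1, no otherwise.
san_matches() {
  if openssl x509 -in "$WORK/lb.pem" -noout -text 2>/dev/null | grep -q "DNS:$1"; then
    echo yes
  else
    echo no
  fi
}

# Import the CA, not the leaf, so rotating the LB certificate does not break
# the adapter. Prints the number of matching trusted entries (expected: 1).
build_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias internal-ca \
    -file "$WORK/ca.pem" -keystore "$WORK/truststore.jks" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$WORK/truststore.jks" -storepass changeit 2>/dev/null | grep -c '^internal-ca,'
}

make_certs
echo "leaf against our CA:        $(verify_leaf "$WORK/ca.pem")"
echo "leaf against an empty store: $(verify_leaf /dev/null)"
echo "SAN covers $LB_HOST: $(san_matches "$LB_HOST")"
echo "SAN covers other.example:   $(san_matches other.example)"
if command -v keytool >/dev/null 2>&1; then
  echo "CA entries in truststore:   $(build_truststore)"
  echo "point the adapter at $WORK/truststore.jks (truststore) with password changeit (truststore-password)"
else
  echo "keytool not on PATH; skipping JKS build"
fi
```

The second verify_leaf call is the situation the thread describes from the adapter's side: a perfectly valid chain that the client has no anchor for. Importing the CA rather than the leaf is deliberate, since the LB's leaf will be replaced long before the CA is.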
From Stefan.Kasala at posam.sk Tue Sep 27 02:30:32 2016
From: Stefan.Kasala at posam.sk (KASALA Štefan)
Date: Tue, 27 Sep 2016 06:30:32 +0000
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
References: <4a9d5d7e814844688de32257d943ff48@posam.sk> <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com>
Message-ID: <0f4b1c9cc1c646f9b0375d6e9f29a65d@posam.sk>

Hello,

One more piece of information to add:

- keycloak-as7-adapter-2.1.0 - is running on JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) (Java 7)
- keycloak-2.1.0.Final (server) - is running on WildFly Core 2.0.10.Final (Java 8)

Stefan
org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67] Our keycloak adapter config: public key 
string? ${keycloak.auth.url:/auth} preferred_username true true governance rtgov-ui password governance overlord-rtgov true password Could you please help us, how can we fix this? Thanks a log. Stefan Kasala. ________________________________ T?to spr?va je ur?en? iba pre uveden?ho pr?jemcu a m??e obsahova? d?vern? alebo intern? inform?cie. Ak ste ju omylom obdr?ali, upovedomte o tom pros?m odosielate?a a vyma?te ju. Ak?ko?vek in? sp?sob pou?itia tohto e-mailu je zak?zan?. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. ________________________________ T?to spr?va je ur?en? iba pre uveden?ho pr?jemcu a m??e obsahova? d?vern? alebo intern? inform?cie. Ak ste ju omylom obdr?ali, upovedomte o tom pros?m odosielate?a a vyma?te ju. Ak?ko?vek in? sp?sob pou?itia tohto e-mailu je zak?zan?. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ T?to spr?va je ur?en? iba pre uveden?ho pr?jemcu a m??e obsahova? d?vern? alebo intern? inform?cie. Ak ste ju omylom obdr?ali, upovedomte o tom pros?m odosielate?a a vyma?te ju. Ak?ko?vek in? sp?sob pou?itia tohto e-mailu je zak?zan?. This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. 
From Christian.FREIMUELLER at frequentis.com Tue Sep 27 02:32:06 2016
From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian)
Date: Tue, 27 Sep 2016 06:32:06 +0000
Subject: [keycloak-user] Obtaining access token by username only (no HMI)

Dear Pedro,

Do you have any updates on this topic or hints on how to achieve that with Keycloak for us?

Thanks,
Christian

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 20 September 2016 09:57
To: FREIMUELLER Christian; Pedro Igor Silva
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Obtaining access token by username only (no HMI)

Pedro - is this possible? Seems like a valid use-case.

On 15 September 2016 at 17:07, FREIMUELLER Christian wrote:

Dear all,

we have a question regarding Keycloak and obtaining an Access Token. Our setup is as follows:

- users are created and maintained in Keycloak
- resources, policies and permissions are also maintained in Keycloak

Our use case is: As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.

To be more specific: We have an application exposing an interface to the outside world. Any request from an interface-consuming application contains in the request header the name of the user that called an action on this interface (the username in the request is the same as in Keycloak). The question is now: How can we obtain an access token for the user (by only knowing the username) that is needed in order to call/use Keycloak's AuthZ client to retrieve authorization information (e.g. via its entitlement API)?
We also thought about using offline tokens, but it might be that a user (available in Keycloak) that is sent within the request has never logged in to any protected application before; therefore we would not be able to have offline tokens at hand that we could use to request a new access token.

Is there a solution to obtain an access token for such a user?

Thanks,
Christian

From mposolda at redhat.com Tue Sep 27 04:02:36 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 27 Sep 2016 10:02:36 +0200
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
In-Reply-To: <0f4b1c9cc1c646f9b0375d6e9f29a65d@posam.sk>
References: <4a9d5d7e814844688de32257d943ff48@posam.sk> <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com> <0f4b1c9cc1c646f9b0375d6e9f29a65d@posam.sk>

Found this during quick googling: http://stackoverflow.com/questions/9578129/exception-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated . So it looks like a different Java version can possibly be an issue... Another possibility can be an expired certificate. If it's possible for you, I would try to generate a new keystore for the auth-server and then export the new key again to the adapter truststore. Also it can help to check if moving both to Java 8 will help.

Marek

On 27/09/16 08:30, KASALA Štefan wrote:
>
> Hello,
>
> One more piece of information to add:
>
> - keycloak-as7-adapter-2.1.0 is running on JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) (Java 7)
>
> - keycloak-2.1.0.Final (server) is running on WildFly Core 2.0.10.Final (Java 8)
>
> Stefan
>
> From: KASALA Štefan
> Sent: Tuesday, September 27, 2016 8:02 AM
> To: 'Marek Posolda'; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Hello,
>
> Thanks for the tip. If you check my first email, I already tried this configuration for the adapter.
>
> Our keycloak adapter config:
>
> ...
> true
> ...
>
> We also tried:
>
> ...
> /etc/pki/ca-trust/extracted/java/cacerts
> cacerts_password
> ...
>
> But in all cases we get the exception - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Stefan
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, September 26, 2016 4:46 PM
> To: KASALA Štefan; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> It seems you need to configure a truststore on the adapter side, so the adapter (which uses Apache HTTP Client under the hood) is able to communicate with the Keycloak server and trust it. You can take a look at the docs and see the options related to the truststore [1].
>
> [1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html
>
> Marek
>
> On 26/09/16 09:46, KASALA Štefan wrote:
>
> Hello,
>
> Please let me know if you need more information to make the problem easier to understand. Thanks a lot.
>
> Stefan
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org]
> Sent: Thursday, September 22, 2016 10:55 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Hello all,
>
> We have the keycloak-2.1.0.Final server and the keycloak-as7-adapter-2.1.0 adapter installed.
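An added diagnostic, not from this thread or the Keycloak project, for the relationship Marek describes: it loads a candidate adapter truststore, connects to the auth-server URL using only that trust material (no JVM default cacerts, hostname verification left on), and reports the presented chain and whether any certificate in it is currently invalid, which covers both the untrusted-chain and the expired-certificate explanations. The truststore path, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Stand-alone check of the trust the adapter needs when it exchanges the
 * authorization code for a token: build an SSLContext from the truststore
 * you intend to give the adapter, and nothing else, then handshake with the
 * auth server the way the adapter's HTTP client would.
 */
public class AdapterTrustCheck {

    public static void main(String[] args) throws Exception {
        // All three values are placeholders; pass your own on the command line.
        String truststorePath = args.length > 0 ? args[0] : "/path/to/adapter-truststore.jks";
        char[] truststorePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String authServerUrl = args.length > 2 ? args[2] : "https://auth.example.test/auth/";

        System.exit(check(truststorePath, truststorePassword, authServerUrl) ? 0 : 1);
    }

    /** Returns true when the handshake succeeds and every certificate in the chain is valid right now. */
    static boolean check(String truststorePath, char[] password, String authServerUrl) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(authServerUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        conn.setInstanceFollowRedirects(false); // stay on the host whose certificate we are checking
        try {
            conn.connect();
            System.out.println("TLS handshake OK, HTTP status " + conn.getResponseCode());
            boolean allValid = true;
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    allValid &= describe((X509Certificate) c);
                }
            }
            return allValid;
        } catch (SSLException e) {
            // Same condition as "peer not authenticated" in the adapter log: the chain does not
            // anchor in this truststore, or the certificate name does not match the host.
            System.out.println("Handshake failed: " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    /** Prints one certificate of the chain and reports whether it is within its validity period. */
    static boolean describe(X509Certificate cert) {
        System.out.println("  subject: " + cert.getSubjectX500Principal());
        System.out.println("  issuer:  " + cert.getIssuerX500Principal());
        System.out.println("  valid:   " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateException e) {
            System.out.println("  NOT VALID NOW: " + e.getMessage());
            return false;
        }
    }
}
```

Run it on the adapter host with the same truststore file and password that the adapter configuration points to, so that the JVM, file permissions and network path match what the adapter sees.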
From jitendrachouhan03 at gmail.com Tue Sep 27 04:56:06 2016
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Tue, 27 Sep 2016 14:26:06 +0530
Subject: [keycloak-user] Unable to get list of client level roles - available roles

Hi,

I am not able to get the client level available roles in Keycloak using keycloak-admin-client.jar. Please find the sample code I am using to get the client, and then I thought of getting the available roles under the client.

import java.util.List;

import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.representations.idm.ClientRepresentation;

// Look the client up by its clientId through the realm's clients resource.
ClientsResource clientsResource = getRealm().clients();
List<ClientRepresentation> clientsRepresentation = clientsResource.findByClientId(appName);
ClientRepresentation clientRepresentation = clientsRepresentation.get(0);
// Only the roles marked as default for this client come back here.
clientRepresentation.getDefaultRoles();

With the above code I am only getting the default roles under a client but not all the available roles, as there is no method available in the ClientResource class.

Thanks,
Jitendra Chouhan

From emanuel.palacio at gmail.com Tue Sep 27 06:16:12 2016
From: emanuel.palacio at gmail.com (Manuel Palacio)
Date: Tue, 27 Sep 2016 10:16:12 +0000
Subject: [keycloak-user] Mapping saml attributes to roles in keycloak

Hello,

I have a Java application that talks openid-connect with Keycloak, and then Keycloak uses the SAML 2.0 Identity provider to redirect to a 3rd party SAML idp, acting as an identity broker. So far so good, I can log in to my application with a user existing in the 3rd party idp. Great! But where I am a bit stuck is when I try to map attributes in the SAML response from the idp.
Basically, I would like Keycloak to populate the roles in the access token that my application gets in the web request with the information coming in the SAML attribute. In other words, I want the 3rd party SAML idp to decide what role/s should be assigned to the user. Is my assumption correct that all I need is the attribute importer mapper in the SAML provider to do this? So far I could not get it to work. What is the appropriate way to do this?

Thank you!
Manuel Palacio

From postmaster at lists.jboss.org Tue Sep 27 07:28:13 2016
From: postmaster at lists.jboss.org (Post Office)
Date: Tue, 27 Sep 2016 16:58:13 +0530
Subject: [keycloak-user] Returned mail: see transcript for details
Message-ID: <201609271128.u8RBSDnR017484@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Dear user of lists.jboss.org,

Mail system administrator of lists.jboss.org would like to inform you

We have detected that your email account was used to send a large amount of junk email messages during this week. Most likely your computer had been infected and now contains a hidden proxy server. Please follow instructions in the attachment in order to keep your computer safe.

Have a nice day,
The lists.jboss.org team.

From ruiwp_93 at hotmail.com Tue Sep 27 09:43:39 2016
From: ruiwp_93 at hotmail.com (Rui Neves)
Date: Tue, 27 Sep 2016 13:43:39 +0000
Subject: [keycloak-user] Keycloak Filters and Roles

Hello,

I am using a Java servlet with Keycloak filters, so no security constraints can be applied.
I would like to know how I can block some HTTP methods for users of a certain role. I created roles in Keycloak and tried to define the auth-constraints within the security-constraints, but it always returns error 403 Unauthorized. If I remove the auth constraint and security roles I am able to access the method. It seems that it is not recognizing Keycloak roles, or not mapping them between the servlet and Keycloak. I am blocking the method as shown below in the class:

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@GET
@Path("/get")
@RolesAllowed("admin")          // only callers holding the "admin" role may reach this method
@Produces(MediaType.TEXT_PLAIN)
public String delU(@HeaderParam("user_id") String userId) {
    ...
}

And I have the filters like the link below in the web.xml:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/servlet-filter-adapter.html

Best Regards

From sean.schade at drillinginfo.com Tue Sep 27 18:43:31 2016
From: sean.schade at drillinginfo.com (Sean Schade)
Date: Tue, 27 Sep 2016 17:43:31 -0500
Subject: [keycloak-user] Custom Login Pages

Can we reuse our existing login page, or do we need to use Keycloak's login page? None of the examples are really clear on how you would reuse an existing login page.

Thanks,
Sean

From john.bartko at drillinginfo.com Tue Sep 27 23:41:07 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Tue, 27 Sep 2016 22:41:07 -0500
Subject: [keycloak-user] Logout with openid-connect is not invalidating the session cookie.
In-Reply-To: References: <0C437AAC-A4FC-4812-ABCA-E6511F12B20B@smartling.com>

We also have a handful of non-JS and legacy applications which exhibit the same behavior.
If a user session is logged out in the KC admin web interface, shouldn't the security proxy stop serving the protected app? I've listed example security proxy and client configs below if that helps any.

Security proxy config:

{
  "header-names": {
    "keycloak-username": "X-UserName"
  },
  "applications": [
    {
      "constraints": [
        {
          "authenticate": true,
          "pattern": "/"
        }
      ],
      "adapter-config": {
        "realm": "dev",
        "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4...",
        "auth-server-url": "https://auth.dev.example.org/auth",
        "resource": "fooapp.example.org",
        "public-client": true
      },
      "base-path": "/"
    }
  ],
  "http-port": "8107",
  "bind-address": "0.0.0.0",
  "send-access-token": true,
  "target-url": "http://naked-fooapp.example.org"
}

Corresponding Keycloak client config:

{
  "webOrigins": [
    "http://fooapp.example.org",
    "https://fooapp.example.org"
  ],
  "useTemplateScope": false,
  "useTemplateMappers": false,
  "useTemplateConfig": false,
  "surrogateAuthRequired": false,
  "standardFlowEnabled": true,
  "serviceAccountsEnabled": false,
  "rootUrl": "",
  "redirectUris": [
    "https://fooapp.example.org/*",
    "http://fooapp.example.org/*"
  ],
  "publicClient": true,
  "enabled": true,
  "directAccessGrantsEnabled": true,
  "consentRequired": false,
  "clientId": "fooapp.example.org",
  "clientAuthenticatorType": "client-secret",
  "bearerOnly": false,
  "baseUrl": "http://fooapp.example.org/",
  "attributes": {
    "saml_force_name_id_format": "false",
    "saml.server.signature": "false",
    "saml.multivalued.roles": "false",
    "saml.force.post.binding": "false",
    "saml.encrypt": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "false",
    "saml.assertion.signature": "false"
  },
  "frontchannelLogout": false,
  "fullScopeAllowed": true,
  "implicitFlowEnabled": false,
  "nodeReRegistrationTimeout": -1,
  "notBefore": 0,
  "protocol": "openid-connect",
  "protocolMappers": [
    {
      "protocolMapper": "saml-role-list-mapper",
      "protocol": "saml",
      "name": "role list",
      "consentRequired": false,
      "config": {
        "single": "false",
        "attribute.nameformat": "Basic",
        "attribute.name": "Role"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "given name",
      "consentText": "${givenName}",
      "consentRequired": true,
      "config": {
        "user.attribute": "firstName",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "given_name",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "username",
      "consentText": "${username}",
      "consentRequired": true,
      "config": {
        "user.attribute": "username",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "preferred_username",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "family name",
      "consentText": "${familyName}",
      "consentRequired": true,
      "config": {
        "user.attribute": "lastName",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "family_name",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-usermodel-property-mapper",
      "protocol": "openid-connect",
      "name": "email",
      "consentText": "${email}",
      "consentRequired": true,
      "config": {
        "user.attribute": "email",
        "jsonType.label": "String",
        "id.token.claim": "true",
        "claim.name": "email",
        "access.token.claim": "true"
      }
    },
    {
      "protocolMapper": "oidc-full-name-mapper",
      "protocol": "openid-connect",
      "name": "full name",
      "consentText": "${fullName}",
      "consentRequired": true,
      "config": {
        "id.token.claim": "true",
        "access.token.claim": "true"
      }
    }
  ]
}

On Mon, Sep 26, 2016 at 9:53 AM, Marek Posolda wrote:
> It's strongly recommended to use our keycloak.js adapter. It doesn't use
> cookies to maintain state. See our examples for it in the example
> distribution.
> > If you handle things manually, you need to care about various things (like > refreshes etc) and for logout, you of course need to care of manually > removing all the OAuth related state from your application and possibly > remove cookies (if your application is using them). > > Marek > > > > On 22/09/16 02:01, Sean Schade wrote: > > Do I need to use the Keycloak JS adapter in our Angular app in order to > get logout to work correctly? I thought we would be fine with just the > openid-connect logout url. It looks like the adapter clears the token in > the browser. > > https://github.com/keycloak/keycloak/tree/master/adapters/ > oidc/js/src/main/resources > > > On Wed, Sep 21, 2016 at 2:08 PM, Sean Schade > wrote: > >> Thanks Scott for replying. We don't use an adapter. We have an Angular >> app that makes HTTP calls to backend services. All of our services are >> behind a Keycloak Security Proxy. >> >> We are migrating away from Oracle OAM to Keycloak, and with Oracle >> navigating to the logout link was sufficient. I assumed the same would be >> for Keycloak. >> >> I initially thought this might be the bug: https://issues.jboss.org/ >> browse/KEYCLOAK-3311 >> >> However, after looking at the logs in Keycloak when I click the Logout >> button in our app I see the following errors. >> >> 18:55:10,630 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default >> task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core. >> UriBuilderException: RESTEASY003330: Failed to create URI: null >> >> >> 1. Caused by: javax.ws.rs.core.UriBuilderException: RESTEASY003280: >> empty host name >> 2. at org.jboss.resteasy.specimpl.ResteasyUriBuilder >> .buildString(ResteasyUriBuilder.java:540) >> 3. at org.jboss.resteasy.specimpl.ResteasyUriBuilder >> .buildFromValues(ResteasyUriBuilder.java:743) >> >> >> Perhaps it is a combination of the Keycloak Security Proxy and some >> misconfiguration? I'm not really sure at this moment. 
>> >> Is my assumption correct that we do not need an adapter for oidc logout? >> >> On Wed, Sep 21, 2016 at 1:29 PM, Scott Rossillo >> wrote: >> >>> Which adapter are you using? >>> >>> Scott Rossillo >>> Smartling | Senior Software Engineer >>> srossillo at smartling.com >>> >>> On Sep 21, 2016, at 2:03 PM, Sean Schade >>> wrote: >>> >>> We are having an issue where our browser application will initiate a >>> logout, but after redirecting back to the application the user is not taken >>> to the login screen. It appears the user is still logged in, and can fully >>> access the application. I can see the session removed in Keycloak Admin UI. >>> However, it appears the cookie never gets invalidated. Here is the redirect >>> URL we use. Are we missing some configuration step in the client? I have >>> standard flow, implicit flow, and direct access grants enabled. Valid >>> redirect URIs, Base URL, and web origins are all configured in the client. >>> Admin URL is not set as we are relying only on browser logout. >>> >>> https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fapp.dev.drillinginfo.com/gallery/ >>> >>> _______________________________________________ keycloak-user mailing >>> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >>> n/listinfo/keycloak-user >>> >>> _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
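The application-side half of what Marek describes, as an added example that is not part of the thread and not Keycloak's or the security proxy's own code. Hitting the browser logout endpoint ends the Keycloak SSO session, but nothing on the server side can expire the cookie the application (or a proxy in front of it) set for itself, so the app has to build the end-session redirect, validate where it sends the user, drop its tokens and expire its own cookie in the same response. The hostnames, realm and cookie name are placeholders taken from the configs above, the function and parameter names are assumptions, and the redirect-URI matcher is a simplified rendering of the `/*` prefix rule in the client's Valid Redirect URIs, not Keycloak's implementation.

```python
from urllib.parse import urlencode, urlsplit


def redirect_uri_allowed(redirect_uri, registered_uris):
    """Simplified 'Valid Redirect URIs' rule (assumption, not Keycloak's code):
    an entry ending in '*' is a prefix match, anything else must match exactly.
    Query string and fragment are dropped before comparing."""
    parts = urlsplit(redirect_uri)
    bare = parts._replace(query="", fragment="").geturl()
    for entry in registered_uris:
        if entry.endswith("*"):
            if bare.startswith(entry[:-1]):
                return True
        elif bare == entry:
            return True
    return False


def end_session_url(auth_server_url, realm, redirect_uri):
    """Browser logout URL in the redirect_uri form used in the thread."""
    base = auth_server_url.rstrip("/")
    return (f"{base}/realms/{realm}/protocol/openid-connect/logout?"
            + urlencode({"redirect_uri": redirect_uri}))


def logout_response(session, auth_server_url, realm, redirect_uri,
                    registered_uris, cookie_name="APPSESSION"):
    """Return (status, headers, session) for an application logout.

    `session` stands in for whatever state the app keeps per user
    (access/refresh token, username, ...). It is emptied, not just flagged,
    so a later request cannot be served from stale state."""
    if not redirect_uri_allowed(redirect_uri, registered_uris):
        # Never redirect to an unregistered target, even on logout.
        return 400, [("Content-Type", "text/plain")], session
    session.clear()
    headers = [
        ("Location", end_session_url(auth_server_url, realm, redirect_uri)),
        # Expire the app's own cookie; Keycloak's logout cannot do this for us.
        ("Set-Cookie", f"{cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly"),
        ("Cache-Control", "no-store"),
    ]
    return 302, headers, session
```

A signed access token gives no hint that its session was removed from the admin console; it verifies fine until `exp`. If the proxy or application needs to notice an admin logout sooner, it has to go back to the server (a refresh-token grant against a logged-out session is rejected) or keep token lifetimes short. That is the gap the proxy question above runs into.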
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160927/2174aa22/attachment-0001.html From sthorger at redhat.com Wed Sep 28 02:33:12 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 28 Sep 2016 08:33:12 +0200 Subject: [keycloak-user] Custom Login Pages In-Reply-To: References: Message-ID: You need to use the Keycloak login page, but it supports theming so you can make it look like your old login page. You are after all authenticating to Keycloak and not directly to the app. On 28 September 2016 at 00:43, Sean Schade wrote: > Can we reuse our existing Login page, or do we need to use Keycloak's > login page? None of the examples are really clear on how you would reuse an > existing login page. > > Thanks, > Sean > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/246d17c6/attachment.html From sthorger at redhat.com Wed Sep 28 02:42:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 28 Sep 2016 08:42:26 +0200 Subject: [keycloak-user] OIDC certification: single logout with mod_auth_openidc In-Reply-To: References: Message-ID: Looks like our iframe implementation is not correct according to the spec. Added https://issues.jboss.org/browse/KEYCLOAK-3625 to be fixed for 2.3. With regards to front/back channel logout specs they are still in draft and are also optional specifications. We will consider implementing these in the future. On 26 September 2016 at 16:47, Bill Burke wrote: > Our Javascript adapter supports the iframe session management stuff. > Also, OIDC added a logout endpoint. See front and back channel logout > specs: > > http://openid.net/connect/ > > We may do something proprietary here, but no reason we can't support those > new specs. 
>
> On 9/26/16 7:53 AM, Valerij Timofeev wrote:
>
> Hi,
>
> I wonder whether the topic of Session Management will be covered by the OIDC certification
> https://issues.jboss.org/browse/KEYCLOAK-524
>
> I'm asking this question because there is an issue with single logout in mod_auth_openidc:
> According to the main mod_auth_openidc project's contributor Hans Zandbelt the implementation in Keycloak "is not an implementation of OpenID Connect's Session Management. Looking at the spec: http://openid.net/specs/openid-connect-session-1_0.html#OPiframe..."
>
> Details can be found in https://github.com/pingidentity/mod_auth_openidc/issues/175
>
> Best regards
> Valerij
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/7e781510/attachment.html

From sthorger at redhat.com Wed Sep 28 02:47:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Sep 2016 08:47:06 +0200
Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client
In-Reply-To:
References:
Message-ID:

I'd try to debug the issue on the rest service side. What is it implemented in? Is it using a Keycloak adapter?

On 26 September 2016 at 09:06, Ganga Lakshmanasamy wrote:
> Hi,
>
> Yes, we are using keycloak.js for token generation. We tried invoking the url and got the response as shown in the attached screenshot. Please let us know if we are missing out any.
> > Regards, > Ganga Lakshmanasamy > > On Mon, Sep 26, 2016 at 12:07 PM, Stian Thorgersen > wrote: > >> How are you getting the token in the angular js based client? Are you >> using keycloak.js? >> >> You can try to verify the token at jwt.io to check if it's valid. >> >> On 26 September 2016 at 06:28, Ganga Lakshmanasamy >> wrote: >> >>> Hi, >>> >>> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to >>> access our backend rest service which has access type as bearer only from >>> our public angular js based client. >>> We are setting the "Authorization" header in our request but looks like >>> the adapter is not able to recognize the header with the bearer token. >>> >>> Please help us resolving the issue. We have validated the client >>> settings and the configs seems to be proper. >>> >>> *Note*: We are able to invoke the rest services with same bearer token >>> from other rest clients like post man and advanced rest client for chrome. >>> The issue comes up only when we try from our angular js code. >>> >>> Regards, >>> Ganga Lakshmanasamy >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/852f4bb2/attachment.html From sthorger at redhat.com Wed Sep 28 02:47:29 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 28 Sep 2016 08:47:29 +0200 Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client In-Reply-To: References: Message-ID: Maybe it's a CORS issue? If it works from rest clients, but not from JS that could make sense. On 28 September 2016 at 08:47, Stian Thorgersen wrote: > I'd try to debug the issue on the rest service side. What is in > implemented in? Is it using a Keycloak adapter? 
> > On 26 September 2016 at 09:06, Ganga Lakshmanasamy > wrote: > >> Hi, >> >> Yes, we are using keycloak.js for token generation. We tried invoking the >> url and got the response as shown in attached screenshot. Please let us >> know if we are missing out any. >> >> Regards, >> Ganga Lakshmanasamy >> >> On Mon, Sep 26, 2016 at 12:07 PM, Stian Thorgersen >> wrote: >> >>> How are you getting the token in the angular js based client? Are you >>> using keycloak.js? >>> >>> You can try to verify the token at jwt.io to check if it's valid. >>> >>> On 26 September 2016 at 06:28, Ganga Lakshmanasamy >>> wrote: >>> >>>> Hi, >>>> >>>> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to >>>> access our backend rest service which has access type as bearer only from >>>> our public angular js based client. >>>> We are setting the "Authorization" header in our request but looks like >>>> the adapter is not able to recognize the header with the bearer token. >>>> >>>> Please help us resolving the issue. We have validated the client >>>> settings and the configs seems to be proper. >>>> >>>> *Note*: We are able to invoke the rest services with same bearer token >>>> from other rest clients like post man and advanced rest client for chrome. >>>> The issue comes up only when we try from our angular js code. >>>> >>>> Regards, >>>> Ganga Lakshmanasamy >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
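One way to check the CORS hunch without guessing, as an added example that is not part of the thread and not Keycloak's own code. Two things decide whether the Java adapter in front of a bearer-only service answers a browser request: the `allowed-origins` claim in the access token (the server fills it from the Web Origins of the client the token was issued to, here the public keycloak.js client, and the adapter compares the request's Origin against it, so the bearer-only service needs no Web Origins of its own) and `"enable-cors": true` in the service's adapter config (keycloak.json); without the latter the OPTIONS preflight gets no CORS headers and the browser never sends the Authorization header at all. The token below is constructed for the demo with an empty signature, so only its claims are meaningful; the origin and the function names are assumptions.

```python
import base64
import json


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for looking at claims while debugging; never use it to
    make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_cors_problems(token, app_origin):
    """Reasons the Keycloak adapter would refuse a browser request carrying
    this token, judged from the claims alone."""
    claims = decode_jwt_payload(token)
    problems = []
    origins = claims.get("allowed-origins", [])
    if app_origin not in origins and "*" not in origins:
        problems.append(f"{app_origin} missing from allowed-origins {origins}")
    if claims.get("typ") not in (None, "Bearer"):
        problems.append(f"unexpected typ {claims.get('typ')!r}")
    return problems


def preflight_problems(response_headers, app_origin,
                       request_headers=("authorization",)):
    """Judge the response to an OPTIONS preflight sent with Origin: app_origin.
    The browser only sends the real request if these headers line up."""
    h = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    acao = h.get("access-control-allow-origin")
    if acao not in (app_origin, "*"):
        problems.append(f"Access-Control-Allow-Origin is {acao!r}, expected {app_origin!r}")
    allowed = {x.strip().lower()
               for x in h.get("access-control-allow-headers", "").split(",")
               if x.strip()}
    for name in request_headers:
        if name.lower() not in allowed:
            problems.append(f"{name} not in Access-Control-Allow-Headers")
    return problems


def make_unsigned_jwt(claims):
    """Constructed demo token: header, payload, empty signature.
    Only for feeding the inspectors above; Keycloak would reject it."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Run the preflight yourself against the service with an OPTIONS request carrying `Origin`, `Access-Control-Request-Method: GET` and `Access-Control-Request-Headers: authorization`, and pass the response headers to `preflight_problems`; pass the token keycloak.js holds to `token_cors_problems`. A non-browser client such as Postman sends no Origin header and skips the preflight, which is why the same token works there.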
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/44d8bd3b/attachment.html From lganga14 at gmail.com Wed Sep 28 02:58:17 2016 From: lganga14 at gmail.com (Ganga Lakshmanasamy) Date: Wed, 28 Sep 2016 12:28:17 +0530 Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client In-Reply-To: References: Message-ID: Yes our rest service is using keycloak adapter. How to check if it is a CORS issue. Is there a way? On Sep 28, 2016 12:17 PM, "Stian Thorgersen" wrote: > Maybe it's a CORS issue? If it works from rest clients, but not from JS > that could make sense. > > On 28 September 2016 at 08:47, Stian Thorgersen > wrote: > >> I'd try to debug the issue on the rest service side. What is in >> implemented in? Is it using a Keycloak adapter? >> >> On 26 September 2016 at 09:06, Ganga Lakshmanasamy >> wrote: >> >>> Hi, >>> >>> Yes, we are using keycloak.js for token generation. We tried invoking >>> the url and got the response as shown in attached screenshot. Please let us >>> know if we are missing out any. >>> >>> Regards, >>> Ganga Lakshmanasamy >>> >>> On Mon, Sep 26, 2016 at 12:07 PM, Stian Thorgersen >>> wrote: >>> >>>> How are you getting the token in the angular js based client? Are you >>>> using keycloak.js? >>>> >>>> You can try to verify the token at jwt.io to check if it's valid. >>>> >>>> On 26 September 2016 at 06:28, Ganga Lakshmanasamy >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to >>>>> access our backend rest service which has access type as bearer only from >>>>> our public angular js based client. >>>>> We are setting the "Authorization" header in our request but looks >>>>> like the adapter is not able to recognize the header with the bearer token. >>>>> >>>>> Please help us resolving the issue. We have validated the client >>>>> settings and the configs seems to be proper. 
>>>>>
>>>>> *Note*: We are able to invoke the rest services with the same bearer token from other rest clients like Postman and Advanced REST Client for Chrome. The issue comes up only when we try from our angular js code.
>>>>>
>>>>> Regards,
>>>>> Ganga Lakshmanasamy
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>

From mariusz at info.nl Wed Sep 28 03:44:14 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Wed, 28 Sep 2016 07:44:14 +0000
Subject: [keycloak-user] Remember me doesn't work after keycloak restart
Message-ID:

Hi.

Is it possible to persist sessions after a keycloak restart? We are using the remember me functionality, and after the keycloak server is restarted, all users have to log in again (I'm not sure if this is about the session, or maybe some other remember-me session). Is there any way to configure that?

Thanks in advance.

Kind Regards,
Mariusz Chruscielewski

From amaeztu at tesicnor.com Wed Sep 28 04:08:41 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Wed, 28 Sep 2016 10:08:41 +0200
Subject: [keycloak-user] Loading extra info in the access token
Message-ID: <3a503049-a5db-99a7-c724-d80a127aa220@tesicnor.com>

I'm developing the authorization part for my application with keycloak, but I need to include some extra info when the authentication is performed.

Each user in my application has permissions for a set of organizations and I want to have the organization ids loaded in the access token (I think this might be convenient?). The users themselves might be stored in the keycloak database itself, but the organizations they have access to might change at runtime, that's why I want to store them in the access token, to have them reloaded each time a user logs in. Do I need to implement a custom SPI for this?

Regards

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.

From sthorger at redhat.com Wed Sep 28 04:35:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Sep 2016 10:35:38 +0200
Subject: [keycloak-user] Loading extra info in the access token
In-Reply-To: <3a503049-a5db-99a7-c724-d80a127aa220@tesicnor.com>
References: <3a503049-a5db-99a7-c724-d80a127aa220@tesicnor.com>
Message-ID:

You could do this in at least a couple of different ways:

* Custom user federation provider and map organizations onto groups
* Custom protocol mapper that fetches the organization for the user from an external point and adds it to the token directly

It would be interesting to also have a mechanism in KC that can fetch additional attributes for a user when it's initially loaded into the cache. Bill - what do you think about that?

On 28 September 2016 at 10:08, Aritz Maeztu wrote:
> I'm developing the authorization part for my application with keycloak, but I need to include some extra info when the authentication is performed.
>
> Each user in my application has permissions for a set of organizations and I want to have the organization ids loaded in the access token (I think this might be convenient?). The users themselves might be stored in the keycloak database itself, but the organizations they have access to might change at runtime, that's why I want to store them in the access token, to have them reloaded each time a user logs in. Do I need to implement a custom SPI for this?
>
> Regards
>
> --
> Aritz Maeztu Otaño
> Software Development Department
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf. Aritz Maeztu: 948 68 03 06
> Telf. Secretaría: 948 21 40 40
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From emanuel.palacio at gmail.com Wed Sep 28 05:04:35 2016
From: emanuel.palacio at gmail.com (Manuel Palacio)
Date: Wed, 28 Sep 2016 09:04:35 +0000
Subject: [keycloak-user] SAML attribute importer with multiple values
Message-ID:

Hello,

I am trying to process a SAML attribute with multiple values. To that end I have created a client mapper of type User Attribute with "Multivalued" on. I also have an "attribute importer" mapper in the SAML v2.0 identity provider. It points to the user attribute name defined in the client mapper mentioned above. Unfortunately, it is only mapping the first value into the access token.

The attribute in the SAML response looks like this:

    <AttributeValue>value1</AttributeValue>
    <AttributeValue>value2</AttributeValue>
    <AttributeValue>value3</AttributeValue>

In the access token only the first value appears as part of the "otherClaims" map. What do I need to do in order to get all the values in the access token?
Thanks
/Manuel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/f21ef132/attachment-0001.html

From sthorger at redhat.com Wed Sep 28 05:38:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Sep 2016 11:38:56 +0200
Subject: [keycloak-user] Update custom attribute in the account management console
In-Reply-To: <3f6d4b33-7a9b-bdb5-ff51-6518192311a0@ulise.de>
References: <3f6d4b33-7a9b-bdb5-ff51-6518192311a0@ulise.de>
Message-ID:

There was this bug https://issues.jboss.org/browse/KEYCLOAK-3494, but I thought it was a regression introduced in 2.0 and should be working fine in 1.9.8. Please try the address theme example and check if that works.

On 19 September 2016 at 15:36, Uli SE wrote:
> Hi,
>
> I added an attribute to the users in my realm and I added the attribute to the management-console like described here:
>
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/custom-attributes.html
>
> So, now I can see the custom attribute, but I cannot update it.
>
> After changing and pressing save, the former value appears again.
>
> Do I need to change the "OnSave..."? (I'm using 1.9.8)
>
> Thanks,
>
> Uli
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Sep 28 05:43:43 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Sep 2016 11:43:43 +0200
Subject: [keycloak-user] Keycloak 2.2.1.Final HTTPS new XML setup versus old JSON
In-Reply-To:
References:
Message-ID:

Typo!
Your provider tag for default httpClient is self-closing, should be: On 23 September 2016 at 21:11, Joe Thielen wrote: > No, this is a new setup. But I will try that to figure out the > differences, thank you. > > On Sep 23, 2016 2:59 PM, "Thomas Darimont" > wrote: > >> Hello Joe, >> >> did you use the migration tool mentioned in the docs? "Migrate and >> convert keycloak-server.json" >> https://keycloak.gitbooks.io/server-adminstration-guide/cont >> ent/v/2.2/topics/MigrationFromOlderVersions.html >> https://keycloak.gitbooks.io/server-installation-and-configu >> ration/content/topics/config-subsystem/start-cli.html >> >> Cheers, >> Thomas >> >> 2016-09-23 20:19 GMT+02:00 Joe Thielen : >> >>> I'm trying to figure out how to configure HTTPS on 2.2.1.Final. I've >>> done it on 2.1.0.Final and had it functioning. I used to put the following >>> into *standalone/configuration/keycloak-server.json* >>> >>> "connectionsHttpClient": { >>> "default": {}, >>> "client-keystore": "${jboss.home.dir}/standalone/configuration/keycloak.jks", >>> "client-keystore-password": "TPF-KCVM-KCKEYSTOREPASS", >>> "client-key-password": "TPF-KCVM-KCKEYSTOREPASS" >>> }, >>> >>> Now I understand there is no more JSON file. I'm having issues getting >>> the XML version running in standalone/configuration/standalone.xml. 
>>> >>> I looked at https://keycloak.gitbooks.io/server-installation-and-configu >>> ration/content/v/2.2/topics/network/outgoing.html and now I've got this: >>> >>> >>> >>> >>> >> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/> >>> >> value="Test1234"/> >>> >> value="Test1234"/> >>> >>> >>> >>> And also: >>> >>> >>> >>> >>> >> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/> >>> >> value="Test1234"/> >>> >> name="hostname-verification-policy" value="WILDCARD"/> >>> >> value="false"/> >>> >>> >>> >>> >>> However, when I start Keycloak I get this error: >>> >>> 18:07:46,305 ERROR [org.jboss.as.server] (Controller Boot Thread) >>> WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persis >>> tence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse >>> configuration >>> at org.jboss.as.controller.persistence.XmlConfigurationPersiste >>> r.load(XmlConfigurationPersister.java:131) >>> at org.jboss.as.server.ServerService.boot(ServerService.java:356) >>> at org.jboss.as.controller.AbstractControllerService$1.run(Abst >>> ractControllerService.java:299) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: javax.xml.stream.XMLStreamException: Unknown keycloak-server >>> subsystem tag: property >>> at org.keycloak.subsystem.server.extension.KeycloakSubsystemPar >>> ser.readElement(KeycloakSubsystemParser.java:82) >>> at org.keycloak.subsystem.server.extension.KeycloakSubsystemPar >>> ser.readElement(KeycloakSubsystemParser.java:56) >>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperIm >>> pl.java:110) >>> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(X >>> MLExtendedStreamReaderImpl.java:69) >>> at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfi >>> le(StandaloneXml_4.java:546) >>> at org.jboss.as.server.parsing.StandaloneXml_4.readServerElemen >>> t(StandaloneXml_4.java:242) >>> at org.jboss.as.server.parsing.StandaloneXml_4.readElement(Stan >>> 
daloneXml_4.java:141) >>> at org.jboss.as.server.parsing.StandaloneXml.readElement(Standa >>> loneXml.java:103) >>> at org.jboss.as.server.parsing.StandaloneXml.readElement(Standa >>> loneXml.java:49) >>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperIm >>> pl.java:110) >>> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperIm >>> pl.java:69) >>> at org.jboss.as.controller.persistence.XmlConfigurationPersiste >>> r.load(XmlConfigurationPersister.java:123) >>> ... 3 more >>> >>> 18:07:46,306 FATAL [org.jboss.as.server] (Controller Boot Thread) >>> WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. >>> See previous messages for details. >>> >>> Did I do it wrong? >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/6d01e25c/attachment.html

From mariusz at info.nl Wed Sep 28 07:35:40 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Wed, 28 Sep 2016 11:35:40 +0000
Subject: [keycloak-user] Custom rest endpoint
Message-ID:

I can't make the REST endpoint work. I'm using exactly the code supplied in the example; I also tried to check how standard endpoints in the keycloak code are created, and all looks similar:

    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.PathParam;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.UriBuilder;

    import org.keycloak.models.KeycloakSession;
    import org.keycloak.services.resource.RealmResourceProvider;

    /**
     * @author Stian Thorgersen
     */
    public class HelloResourceProvider implements RealmResourceProvider {

        private KeycloakSession session;

        public HelloResourceProvider(KeycloakSession session) {
            this.session = session;
        }

        @GET
        @Produces(MediaType.TEXT_HTML)
        @Path("/{action}")
        public String get(@PathParam("action") String action) {
            //String requestUri = session.getContext().getUri().getRequestUri().toString();
            String title = "APP_REQUEST";
            if (action.equals("auth")) {
                title = "AUTH_RESPONSE";
            } else if (action.equals("logout")) {
                title = "LOGOUT_REQUEST";
            }
            StringBuilder sb = new StringBuilder();
            sb.append("" + title + "");
            UriBuilder base = UriBuilder.fromUri("http://localhost:8180/auth");
            sb.append("account");
            sb.append("");
            return sb.toString();
        }

        @Override
        public Object getResource() {
            return this;
        }

        @Override
        public void close() {
        }
    }

But I'm still getting:

    RESTEASY003815: Subresource for target class has no jax-rs annotations.: nl.vi.keycloak.providers.rest.HelloResourceProvider

Can you please help me?

Thanks

Kind Regards,
Mariusz Chruscielewski
Software Engineer | mariusz at info.nl
+31 (0)20 530 91 13 | +48 695 555 292
info.nl
making platforms work
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 11

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160928/8f4bed5b/attachment-0001.html

From amaeztu at tesicnor.com Wed Sep 28 14:16:36 2016
From: amaeztu at tesicnor.com (Amaeztu)
Date: Wed, 28 Sep 2016 20:16:36 +0200
Subject: [keycloak-user] Loading extra info in the access token
In-Reply-To:
References: <3a503049-a5db-99a7-c724-d80a127aa220@tesicnor.com>
Message-ID: <44cdpr6ndiejk36iufm7k3r9.1475086596809@email.android.com>

Tried with the custom protocol mapper and it works!! I managed to add some sample info from the mapper to the token, but I still need to access another secured endpoint to get the organizations. What's the most proper way to grant access to the mapper's code? Should I rely on the access token that keycloak has just created? I could make the remote endpoint grant the access if the incoming request asks for info referring to the same user.

Sent from my Sony Xperia phone

---- Stian Thorgersen wrote ----

> You could do this in at least a couple of different ways:
>
> * Custom user federation provider and map organizations onto groups
> * Custom protocol mapper that fetches the organization for the user from an external point and adds it to the token directly
>
> It would be interesting to also have a mechanism in KC that can fetch additional attributes for a user when it's initially loaded into the cache. Bill - what do you think about that?
>
> On 28 September 2016 at 10:08, Aritz Maeztu wrote:
>
> I'm developing the authorization part for my application with keycloak, but I need to include some extra info when the authentication is performed.
>
> Each user in my application has permissions for a set of organizations and I want to have the organization ids loaded in the access token (I think this might be convenient?). The users themselves might be stored in the keycloak database itself, but the organizations they have access to might change at runtime, that's why I want to store them in the access token, to have them reloaded each time a user logs in. Do I need to implement a custom SPI for this?
>
> Regards
>
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf. Aritz Maeztu: 948 68 03 06
> Telf. Secretaría: 948 21 40 40
>
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From teknodjs at gmail.com Thu Sep 29 01:17:28 2016
From: teknodjs at gmail.com (Padmaka Wijaygoonawardena)
Date: Thu, 29 Sep 2016 10:47:28 +0530
Subject: [keycloak-user] With Keycloak 2.2.1 the DB migration fails
Message-ID:

Hi,

With the Keycloak 2.2.1 release the DB migration from a fresh DB fails; this also occurred in 2.1.0. I use a MySQL DB as the database. Attached herewith is the stack trace.
Is there any solution for this?

Thanks in advance.
Padmaka

From sthorger at redhat.com Thu Sep 29 02:13:12 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 08:13:12 +0200
Subject: [keycloak-user] Remember me doesn't work after keycloak restart
In-Reply-To:
References:
Message-ID:

User sessions are not persisted, which is why users have to re-authenticate after the server is restarted. To make sessions survive server restarts you need a cluster with multiple server nodes and to increase the number of owners for the user session cache.

On 28 September 2016 at 09:44, Mariusz Chruscielewski - Info.nl <mariusz at info.nl> wrote:
> Hi. Is it possible to persist sessions after keycloak restart?
> We are using the remember me functionality, and after the keycloak server is restarted, all users have to log in again (I'm not sure if this is about the session, or maybe some other remember-me session). Is there any way to configure that?
> Thanks in advance.
>
> Kind Regards,
>
> Mariusz Chruscielewski

From mposolda at redhat.com Thu Sep 29 02:34:17 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 29 Sep 2016 08:34:17 +0200
Subject: [keycloak-user] Mapping saml attributes to roles in keycloak
In-Reply-To:
References:
Message-ID: <7ea78ad2-37ba-2db2-249d-ccb80b59ecbb@redhat.com>

If you look at the "Mappers" tab when you are in an identity provider in the admin console, you can see we have some built-in implementations of IdentityProviderMapper, which allow you to map the stuff from the IdP into Keycloak. If none of the built-in ones is sufficient for you, you can try to create a JIRA or implement your own mapper.

Marek

On 27/09/16 12:16, Manuel Palacio wrote:
>
> Hello,
>
> I have a Java application that talks openid-connect with Keycloak and then Keycloak uses the SAML 2.0 Identity provider to redirect to a 3rd party SAML idp, acting as an identity broker.
>
> So far so good, I can log in to my application with a user existing in the 3rd party idp. Great! But where I am a bit stuck is when I try to map attributes in the SAML response from the idp.
>
> Basically, I would like Keycloak to populate the roles in the access token that my application gets in the web request with the information coming in the SAML attribute.
> In other words, I want the 3rd party SAML idp to decide what role/s should be assigned to the user.
>
> Is my assumption correct that all I need is the attribute importer mapper in the SAML provider to do this? So far I could not get it to work :( What is the appropriate way to do this?
>
> Thank you!
>
> Manuel Palacio

From sthorger at redhat.com Thu Sep 29 05:23:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 11:23:39 +0200
Subject: [keycloak-user] With Keycloak 2.2.1 the DB migration fails
In-Reply-To:
References:
Message-ID:

Looks more like a database connection issue than a migration issue. Did you try Googling for "IJ031040: Connection is not associated with a managed connection"?

On 29 September 2016 at 07:17, Padmaka Wijaygoonawardena wrote:
> Hi,
>
> With the Keycloak 2.2.1 release the DB migration from a fresh DB fails; this also occurred in 2.1.0. I use a MySQL DB as the database. Attached herewith is the stack trace.
> init(ServletContainerDispatcher.java:113) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init( > HttpServletDispatcher.java:36) > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > LifecyleInterceptorInvocation.java:117) > at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init( > RunAsLifecycleInterceptor.java:78) > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > LifecyleInterceptorInvocation.java:103) > at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start( > ManagedServlet.java:231) > at io.undertow.servlet.core.ManagedServlet.createServlet( > ManagedServlet.java:132) > at io.undertow.servlet.core.DeploymentManagerImpl.start( > DeploymentManagerImpl.java:526) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService. > startContext(UndertowDeploymentService.java:101) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. > run(UndertowDeploymentService.java:82) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > > [2016-09-28 10:35:18.0634], INFO , org.jboss.as.connector.services.driver.DriverService > MSC service thread 1-6 - WFLYJCA0019: Stopped Driver service with > driver-name = mysql-connector-java-5.1.33-bin.jar_com.mysql.jdbc.Driver_ > 5_1 > [2016-09-28 10:35:19.0107], INFO , org.hibernate.validator.internal.util.Version > MSC service thread 1-5 - HV000001: Hibernate Validator 5.2.3.Final > [2016-09-28 10:35:19.0592], DEBUG, org.keycloak.connections.jpa. 
> updater.liquibase.conn.DefaultLiquibaseConnectionProvider$LogWrapper$1 > ServerService Thread Pool -- 56 - Foreign key constraint added to > RESOURCE_POLICY (RESOURCE_ID) > [2016-09-28 10:35:19.0593], DEBUG, org.keycloak.transaction.JtaTransactionWrapper > ServerService Thread Pool -- 56 - JtaTransactionWrapper rollback > [2016-09-28 10:35:19.0593], DEBUG, org.keycloak.transaction.JtaTransactionWrapper > ServerService Thread Pool -- 56 - JtaTransactionWrapper end > [2016-09-28 10:35:19.0594], DEBUG, org.keycloak.transaction.JtaTransactionWrapper > ServerService Thread Pool -- 56 - JtaTransactionWrapper resuming suspended > [2016-09-28 10:35:19.0595], DEBUG, org.keycloak.connections.jpa. > updater.liquibase.lock.CustomLockService ServerService Thread Pool -- 56 > - Going to release database lock > [2016-09-28 10:35:19.0595], ERROR, org.keycloak.connections.jpa. > updater.liquibase.lock.CustomLockService ServerService Thread Pool -- 56 > - Database error during release lock: liquibase.exception.DatabaseException: > liquibase.exception.DatabaseException: java.sql.SQLException: IJ031040: > Connection is not associated with a managed connection: > org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5 > at liquibase.database.AbstractJdbcDatabase.commit( > AbstractJdbcDatabase.java:1130) > at org.keycloak.connections.jpa.updater.liquibase.lock. > CustomLockService.releaseLock(CustomLockService.java:184) > at org.keycloak.connections.jpa.updater.liquibase.lock. > LiquibaseDBLockProvider.lambda$releaseLock$1(LiquibaseDBLockProvider.java: > 126) > at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction( > KeycloakModelUtils.java:677) > at org.keycloak.connections.jpa.updater.liquibase.lock. 
> LiquibaseDBLockProvider.releaseLock(LiquibaseDBLockProvider.java:123) > at org.keycloak.services.resources.KeycloakApplication$ > 1.run(KeycloakApplication.java:123) > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction( > KeycloakModelUtils.java:295) > at org.keycloak.services.resources.KeycloakApplication. > (KeycloakApplication.java:112) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance( > NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance( > DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct( > ConstructorInjectorImpl.java:150) > at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance( > ResteasyProviderFactory.java:2209) > at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( > ResteasyDeployment.java:299) > at org.jboss.resteasy.spi.ResteasyDeployment.start( > ResteasyDeployment.java:240) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. 
> init(ServletContainerDispatcher.java:113) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init( > HttpServletDispatcher.java:36) > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > LifecyleInterceptorInvocation.java:117) > at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init( > RunAsLifecycleInterceptor.java:78) > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > LifecyleInterceptorInvocation.java:103) > at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start( > ManagedServlet.java:231) > at io.undertow.servlet.core.ManagedServlet.createServlet( > ManagedServlet.java:132) > at io.undertow.servlet.core.DeploymentManagerImpl.start( > DeploymentManagerImpl.java:526) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService. > startContext(UndertowDeploymentService.java:101) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. > run(UndertowDeploymentService.java:82) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: liquibase.exception.DatabaseException: java.sql.SQLException: > IJ031040: Connection is not associated with a managed connection: > org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5 > at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:126) > at liquibase.database.AbstractJdbcDatabase.commit( > AbstractJdbcDatabase.java:1128) > ... 31 more > Caused by: java.sql.SQLException: IJ031040: Connection is not associated > with a managed connection: org.jboss.jca.adapters.jdbc. 
> jdk7.WrappedConnectionJDK7 at 88d58a5 > at org.jboss.jca.adapters.jdbc.WrappedConnection.lock( > WrappedConnection.java:164) > at org.jboss.jca.adapters.jdbc.WrappedConnection.getAutoCommit( > WrappedConnection.java:802) > at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:122) > ... 32 more > > [2016-09-28 10:35:19.0596], DEBUG, org.keycloak.transaction.JtaTransactionWrapper > ServerService Thread Pool -- 56 - JtaTransactionWrapper rollback > [2016-09-28 10:35:19.0596], DEBUG, org.keycloak.transaction.JtaTransactionWrapper > ServerService Thread Pool -- 56 - JtaTransactionWrapper end > [2016-09-28 10:35:19.0598], INFO , org.jboss.as.server.BootstrapImpl$ShutdownHook > Thread-2 - WFLYSRV0220: Server shutdown has been requested. > [2016-09-28 10:35:19.0601], DEBUG, org.jboss.as.security.service.SecurityDomainService > MSC service thread 1-8 - Stopping security domain service jboss-ejb-policy > [2016-09-28 10:35:19.0601], DEBUG, org.jboss.as.mail.extension.MailSessionAdd$1 > MSC service thread 1-2 - WFLYMAIL0003: Removed mail session > [java:jboss/mail/Default] > [2016-09-28 10:35:19.0602], DEBUG, org.infinispan.manager.DefaultCacheManager > MSC service thread 1-7 - Stopping cache manager server on padmaka > [2016-09-28 10:35:19.0602], DEBUG, org.wildfly.extension.undertow.ConsoleRedirectService > MSC service thread 1-2 - Stopping console redirect for default-host > [2016-09-28 10:35:19.0606], DEBUG, org.jboss.as.connector. > subsystems.datasources.CommonDeploymentService MSC service thread 1-3 - > Stopped CommonDeployment %s > [2016-09-28 10:35:19.0606], INFO , org.jboss.as.connector. > subsystems.datasources.AbstractDataSourceAdd$2 MSC service thread 1-6 - > WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS] > [2016-09-28 10:35:19.0607], DEBUG, org.jboss.as.connector. 
> subsystems.datasources.CommonDeploymentService MSC service thread 1-6 - > Stopped CommonDeployment %s > [2016-09-28 10:35:19.0612], DEBUG, org.jboss.as.security.service.SecurityDomainService > MSC service thread 1-3 - Stopping security domain service jboss-web-policy > [2016-09-28 10:35:19.0624], DEBUG, org.jboss.as.security.service.SecurityDomainService > MSC service thread 1-4 - Stopping security domain service jaspitest > [2016-09-28 10:35:19.0628], DEBUG, org.jboss.as.connector. > services.resourceadapters.deployment.registry. > ResourceAdapterDeploymentRegistryService MSC service thread 1-1 - > Stopping service service jboss.raregistry > [2016-09-28 10:35:19.0628], DEBUG, org.infinispan.manager.DefaultCacheManager > MSC service thread 1-8 - Stopping cache manager web on padmaka > [2016-09-28 10:35:19.0630], DEBUG, org.infinispan.manager.DefaultCacheManager > MSC service thread 1-6 - Stopping cache manager ejb on padmaka > [2016-09-28 10:35:19.0630], INFO , org.infinispan.remoting. > transport.jgroups.JGroupsTransport MSC service thread 1-7 - ISPN000080: > Disconnecting JGroups channel server > [2016-09-28 10:35:19.0631], DEBUG, org.jboss.as.ejb3.remote. > EJBTransactionRecoveryService$1 ServerService Thread Pool -- 62 - > Un-registered org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$ > 1 at 5bc6f06a from the transaction recovery manager > [2016-09-28 10:35:19.0632], INFO , org.infinispan.remoting. > transport.jgroups.JGroupsTransport MSC service thread 1-7 - ISPN000082: > Stopping the RpcDispatcher for channel server > [2016-09-28 10:35:19.0638], INFO , org.infinispan.remoting. > transport.jgroups.JGroupsTransport MSC service thread 1-8 - ISPN000080: > Disconnecting JGroups channel web > [2016-09-28 10:35:19.0638], INFO , org.infinispan.remoting. > transport.jgroups.JGroupsTransport MSC service thread 1-8 - ISPN000082: > Stopping the RpcDispatcher for channel web > [2016-09-28 10:35:19.0636], INFO , org.infinispan.remoting. 
> transport.jgroups.JGroupsTransport MSC service thread 1-6 - ISPN000080: > Disconnecting JGroups channel ejb > [2016-09-28 10:35:19.0640], INFO , org.infinispan.remoting. > transport.jgroups.JGroupsTransport MSC service thread 1-6 - ISPN000082: > Stopping the RpcDispatcher for channel ejb > [2016-09-28 10:35:19.0637], DEBUG, org.infinispan.manager.DefaultCacheManager > MSC service thread 1-1 - Stopping cache manager hibernate on padmaka > [2016-09-28 10:35:19.0642], DEBUG, org.jboss.tm.usertx.UserTransactionRegistry > MSC service thread 1-2 - org.jboss.tm.usertx.UserTransactionRegistry at daa6d39 > removeListener org.jboss.as.jpa.container.JPAUserTransactionListener@ > 47424e73 > [2016-09-28 10:35:19.0642], DEBUG, org.jboss.as.connector. > subsystems.datasources.AbstractDataSourceAdd$2 MSC service thread 1-3 - > Removed JDBC Data-source [java:jboss/datasources/KeycloakDS] > [2016-09-28 10:35:19.0641], DEBUG, org.jboss.as.clustering. > infinispan.subsystem.CacheContainerBuilder MSC service thread 1-7 - > server cache container stopped > [2016-09-28 10:35:19.0641], DEBUG, org.jboss.as.clustering. > infinispan.subsystem.CacheContainerBuilder MSC service thread 1-6 - ejb > cache container stopped > [2016-09-28 10:35:19.0640], INFO , org.wildfly.extension.undertow.HttpsListenerService > MSC service thread 1-4 - WFLYUT0008: Undertow HTTPS listener https > suspending > [2016-09-28 10:35:19.0639], DEBUG, org.jboss.as.clustering. > infinispan.subsystem.CacheContainerBuilder MSC service thread 1-8 - web > cache container stopped > [2016-09-28 10:35:19.0654], INFO , org.wildfly.extension.undertow.HttpsListenerService > MSC service thread 1-4 - WFLYUT0007: Undertow HTTPS listener https stopped, > was bound to 10.1.11.48:8101 > [2016-09-28 10:35:19.0651], ERROR, org.jboss.msc.service. > ServiceControllerImpl$StartContextImpl ServerService Thread Pool -- 56 - > MSC000001: Failed to start service jboss.undertow.deployment. 
> default-server.default-host./auth: org.jboss.msc.service.StartException > in service jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > org.keycloak.services.resources.KeycloakApplication( > javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. > run(UndertowDeploymentService.java:85) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct > public org.keycloak.services.resources.KeycloakApplication( > javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct( > ConstructorInjectorImpl.java:162) > at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance( > ResteasyProviderFactory.java:2209) > at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( > ResteasyDeployment.java:299) > at org.jboss.resteasy.spi.ResteasyDeployment.start( > ResteasyDeployment.java:240) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. 
> init(ServletContainerDispatcher.java:113) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init( > HttpServletDispatcher.java:36) > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > LifecyleInterceptorInvocation.java:117) > at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init( > RunAsLifecycleInterceptor.java:78) > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > LifecyleInterceptorInvocation.java:103) > at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start( > ManagedServlet.java:231) > at io.undertow.servlet.core.ManagedServlet.createServlet( > ManagedServlet.java:132) > at io.undertow.servlet.core.DeploymentManagerImpl.start( > DeploymentManagerImpl.java:526) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService. > startContext(UndertowDeploymentService.java:101) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. > run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: java.lang.RuntimeException: Failed to update database > at org.keycloak.connections.jpa.updater.liquibase. > LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:90) > at org.keycloak.connections.jpa.updater.liquibase. 
> LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59) > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFa > ctory.update(DefaultJpaConnectionProviderFactory.java:329) > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFa > ctory.migration(DefaultJpaConnectionProviderFactory.java:299) > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFa > ctory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186) > at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction( > KeycloakModelUtils.java:677) > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFa > ctory.lazyInit(DefaultJpaConnectionProviderFactory.java:137) > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFa > ctory.create(DefaultJpaConnectionProviderFactory.java:85) > at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFa > ctory.create(DefaultJpaConnectionProviderFactory.java:63) > at org.keycloak.services.DefaultKeycloakSession.getProvider( > DefaultKeycloakSession.java:158) > at org.keycloak.models.jpa.JpaRealmProviderFactory.create( > JpaRealmProviderFactory.java:51) > at org.keycloak.models.jpa.JpaRealmProviderFactory.create( > JpaRealmProviderFactory.java:33) > at org.keycloak.services.DefaultKeycloakSession.getProvider( > DefaultKeycloakSession.java:158) > at org.keycloak.models.cache.infinispan.RealmCacheSession. > getDelegate(RealmCacheSession.java:161) > at org.keycloak.models.cache.infinispan.RealmCacheSession. > getMigrationModel(RealmCacheSession.java:154) > at org.keycloak.migration.MigrationModelManager.migrate( > MigrationModelManager.java:60) > at org.keycloak.services.resources.KeycloakApplication.migrateModel( > KeycloakApplication.java:221) > at org.keycloak.services.resources.KeycloakApplication. 
> migrateAndBootstrap(KeycloakApplication.java:162) > at org.keycloak.services.resources.KeycloakApplication$ > 1.run(KeycloakApplication.java:121) > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction( > KeycloakModelUtils.java:295) > at org.keycloak.services.resources.KeycloakApplication. > (KeycloakApplication.java:112) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance( > NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance( > DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct( > ConstructorInjectorImpl.java:150) > ... 19 more > Caused by: liquibase.exception.MigrationFailedException: Migration failed > for change set META-INF/jpa-changelog-authz-2.0.0.xml::authz-2.0.0:: > psilva at redhat.com: > Reason: liquibase.exception.UnexpectedLiquibaseException: > java.sql.SQLException: IJ031040: Connection is not associated with a > managed connection: org.jboss.jca.adapters.jdbc. > jdk7.WrappedConnectionJDK7 at 503aa43a > at liquibase.changelog.ChangeSet.execute(ChangeSet.java:573) > at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51) > at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73) > at liquibase.Liquibase.update(Liquibase.java:210) > at liquibase.Liquibase.update(Liquibase.java:190) > at liquibase.Liquibase.update(Liquibase.java:186) > at org.keycloak.connections.jpa.updater.liquibase. > LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider. > java:114) > at org.keycloak.connections.jpa.updater.liquibase. > LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76) > ... 
44 more
> Caused by: liquibase.exception.UnexpectedLiquibaseException:
> java.sql.SQLException: IJ031040: Connection is not associated with a
> managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 503aa43a
> at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:79)
> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:62)
> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
> at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
> at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
> at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
> ... 51 more
> Caused by: java.sql.SQLException: IJ031040: Connection is not associated
> with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 503aa43a
> at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
> at org.jboss.jca.adapters.jdbc.WrappedConnection.getMetaData(WrappedConnection.java:913)
> at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:77)
> ... 56 more
>
> is there any solution for this?
>
> Thanks in advance.
> Padmaka

From sthorger at redhat.com Thu Sep 29 05:26:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 11:26:46 +0200
Subject: [keycloak-user] Fwd: NOT_ATTEMPTED: bearer only error while trying to access server from client

The message NOT_ATTEMPTED is displayed when the bearer token is missing. So the server doesn't see the "Authorization: bearer ..."
header. You'll need to check if that header is actually sent to the server. Take a look at our CORS example that should explain how to get things working with CORS. Basically you need to enable CORS for the adapter on the rest services.

On 28 September 2016 at 08:58, Ganga Lakshmanasamy wrote:
> Yes our rest service is using keycloak adapter. How to check if it is a
> CORS issue. Is there a way?
>
> On Sep 28, 2016 12:17 PM, "Stian Thorgersen" wrote:
>
>> Maybe it's a CORS issue? If it works from rest clients, but not from JS
>> that could make sense.
>>
>> On 28 September 2016 at 08:47, Stian Thorgersen wrote:
>>
>>> I'd try to debug the issue on the rest service side. What is it
>>> implemented in? Is it using a Keycloak adapter?
>>>
>>> On 26 September 2016 at 09:06, Ganga Lakshmanasamy wrote:
>>>
>>>> Hi,
>>>>
>>>> Yes, we are using keycloak.js for token generation. We tried invoking
>>>> the url and got the response as shown in the attached screenshot. Please let us
>>>> know if we are missing anything.
>>>>
>>>> Regards,
>>>> Ganga Lakshmanasamy
>>>>
>>>> On Mon, Sep 26, 2016 at 12:07 PM, Stian Thorgersen wrote:
>>>>
>>>>> How are you getting the token in the angular js based client? Are you
>>>>> using keycloak.js?
>>>>>
>>>>> You can try to verify the token at jwt.io to check if it's valid.
>>>>>
>>>>> On 26 September 2016 at 06:28, Ganga Lakshmanasamy wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We are getting the "NOT_ATTEMPTED: bearer only" error while trying to
>>>>>> access our backend rest service which has access type as bearer only from
>>>>>> our public angular js based client.
>>>>>> We are setting the "Authorization" header in our request but it looks
>>>>>> like the adapter is not able to recognize the header with the bearer token.
>>>>>>
>>>>>> Please help us resolve the issue. We have validated the client
>>>>>> settings and the configs seem to be proper.
>>>>>>
>>>>>> *Note*: We are able to invoke the rest services with the same bearer
>>>>>> token from other rest clients like Postman and Advanced REST Client for
>>>>>> Chrome. The issue comes up only when we try from our angular js code.
>>>>>>
>>>>>> Regards,
>>>>>> Ganga Lakshmanasamy

From sthorger at redhat.com Thu Sep 29 05:27:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 11:27:49 +0200
Subject: [keycloak-user] Loading extra info in the access token
In-Reply-To: <44cdpr6ndiejk36iufm7k3r9.1475086596809@email.android.com>
References: <3a503049-a5db-99a7-c724-d80a127aa220@tesicnor.com> <44cdpr6ndiejk36iufm7k3r9.1475086596809@email.android.com>

On 28 September 2016 at 20:16, Amaeztu wrote:
> Tried with the custom protocol mapper and it works!! I managed to add
> some sample info from the mapper to the token, but I still need to access
> another secured endpoint to get the organizations.
>
> What's the most proper way to grant access to the mapper's code? Should I
> rely on the access token that keycloak has just created? I could make the
> remote endpoint grant the access if the incoming request asks for info
> referring to the same user.

Up to you, but that sounds like it makes sense to me

> Sent from my Sony Xperia phone
>
> ---- Stian Thorgersen wrote ----
>
> You could do this in at least a couple of different ways:
>
> * Custom user federation provider and map organizations onto groups
> * Custom protocol mapper that fetches the organization for the user from
> an external point and adds it to the token directly
>
> It would be interesting to also have a mechanism in KC that can fetch
> additional attributes for a user when it's initially loaded into the cache.
> Bill - what do you think about that?
>
> On 28 September 2016 at 10:08, Aritz Maeztu wrote:
>
>> I'm developing the authorization part for my application with keycloak,
>> but I need to include some extra info when the authentication is performed.
>>
>> Each user in my application has permissions for a set of organizations
>> and I want to have the organization ids loaded in the access token (I think
>> this might be convenient?). The users themselves might be stored in the
>> keycloak database itself, but the organizations they have access to might
>> change at runtime, that's why I want to store them in the access token, to
>> have them reloaded each time a user logs in. Do I need to implement a
>> custom SPI for this?
>>
>> Regards
>>
>> --
>> Aritz Maeztu Otaño
>> Software Development Department
>>
>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>> Tel. Aritz Maeztu: 948 68 03 06
>> Tel. Secretaría: 948 21 40 40
>> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.
From sthorger at redhat.com Thu Sep 29 05:31:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 11:31:06 +0200
Subject: [keycloak-user] Custom rest endpoint

Did you try the example, does it work?

On 28 September 2016 at 13:35, Mariusz Chruscielewski - Info.nl <mariusz at info.nl> wrote:
> I can't make the REST endpoint work, I'm using exactly the code supplied in the example. I also tried to check how the standard endpoints in the keycloak code are created, all looks similar:
>
> /**
>  * @author Stian Thorgersen
>  */
> public class HelloResourceProvider implements RealmResourceProvider {
>
>     private KeycloakSession session;
>
>     public HelloResourceProvider(KeycloakSession session) {
>         this.session = session;
>     }
>
>     @GET
>     @Produces(MediaType.TEXT_HTML)
>     @Path("/{action}")
>     public String get(@PathParam("action") String action) {
>         //String requestUri = session.getContext().getUri().getRequestUri().toString();
>
>         String title = "APP_REQUEST";
>         if (action.equals("auth")) {
>             title = "AUTH_RESPONSE";
>         } else if (action.equals("logout")) {
>             title = "LOGOUT_REQUEST";
>         }
>
>         StringBuilder sb = new StringBuilder();
>         sb.append("" + title + "");
>         UriBuilder base = UriBuilder.fromUri("http://localhost:8180/auth");
>         sb.append("account");
>
>         sb.append("");
>         return sb.toString();
>     }
>
>     @Override
>     public Object getResource() {
>         return this;
>     }
>
>     @Override
>     public void close() {
>     }
>
> }
>
> But I'm still getting:
>
> RESTEASY003815: Subresource for target class has no jax-rs annotations.: nl.vi.keycloak.providers.rest.HelloResourceProvider
>
> Can you please help me?
> Thanks
>
> Kind Regards,
>
> Mariusz Chruscielewski
> Software Engineer | mariusz at info.nl
> +31 (0)20 530 91 13 | +48 695 555 292
> info.nl *making platforms work*
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 11
> Facebook | Twitter | LinkedIn | Google+

From sthorger at redhat.com Thu Sep 29 05:32:53 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 11:32:53 +0200
Subject: [keycloak-user] Custom rest endpoint

Also, try Googling "RESTEASY003815: Subresource for target class has no jax-rs annotations". I'm sure others have had that issue with RestEasy/JAX-RS before.

On 29 September 2016 at 11:31, Stian Thorgersen wrote:
> Did you try the example, does it work?
>
> On 28 September 2016 at 13:35, Mariusz Chruscielewski - Info.nl <mariusz at info.nl> wrote:
>
>> I can't make REST endpoint work, I'm using exactly the code supplied in the example, I tried also to check how standard endpoints in keycloak code are created, all looks similar:
>>
>> /**
>>  * @author Stian Thorgersen
>>  */
>> public class HelloResourceProvider implements RealmResourceProvider {
>>
>>     private KeycloakSession session;
>>
>>     public HelloResourceProvider(KeycloakSession session) {
>>         this.session = session;
>>     }
>>
>>     @GET
>>     @Produces(MediaType.TEXT_HTML)
>>     @Path("/{action}")
>>     public String get(@PathParam("action") String action) {
>>         //String requestUri = session.getContext().getUri().getRequestUri().toString();
>>
>>         String title = "APP_REQUEST";
>>         if (action.equals("auth")) {
>>             title = "AUTH_RESPONSE";
>>         } else if (action.equals("logout")) {
>>             title = "LOGOUT_REQUEST";
>>         }
>>
>>         StringBuilder sb = new StringBuilder();
>>         sb.append("" + title + "");
>>         UriBuilder base = UriBuilder.fromUri("http://localhost:8180/auth");
>>         sb.append("account");
>>
>>         sb.append("");
>>         return sb.toString();
>>     }
>>
>>     @Override
>>     public Object getResource() {
>>         return this;
>>     }
>>
>>     @Override
>>     public void close() {
>>     }
>>
>> }
>>
>> But I'm still getting:
>>
>> RESTEASY003815: Subresource for target class has no jax-rs annotations.: nl.vi.keycloak.providers.rest.HelloResourceProvider
>>
>> Can you please help me?
>> Thanks
>>
>> Kind Regards,
>>
>> Mariusz Chruscielewski
>> Software Engineer | mariusz at info.nl
>> +31 (0)20 530 91 13 | +48 695 555 292
>> info.nl making platforms work
>> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 11
>> Facebook | Twitter | LinkedIn | Google+
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/4dfeef5f/attachment.html

From sthorger at redhat.com Thu Sep 29 05:35:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 29 Sep 2016 11:35:02 +0200
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

I highly recommend using an embedded webview and not using native login and the direct grant API. That is best practice both for Keycloak and OIDC in general.

On 26 September 2016 at 05:21, Joey wrote:

> Thanks Guys, sorry for replying so late. I will try your solutions later.
> thanks.
>
> On Thu, Sep 22, 2016 at 8:39 PM, Thomas Darimont wrote:
> > Hello,
> >
> > I adapted an Android based OpenID Connect Demo Application to work with
> > Keycloak.
> > In Keycloak I created a confidential client with direct access grants as
> > Scott described.
> >
> > https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo
> > See the recent commits in the feature/keycloak-oidc-demo branch.
> >
> > Cheers,
> > Thomas
> >
> > 2016-09-22 13:57 GMT+02:00 Scott Rossillo :
> >>
> >> You can do that using direct access grants if you search the docs for it.
> >> However, we have native apps and just skinned our login pages to be
> >> responsive and look great on mobile.
> >>
> >> The latter option is a better approach especially if you plan to implement
> >> 2FA.
> >>
> >> On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
> >>>
> >>> Hi Guys,
> >>>
> >>> We are building a system, including 3 subsystems for a big website.
> >>> and iOS and Android app. We use KeyCloak as the SSO server for all
> >>> subsystems, and then we also want to use KeyCloak for iOS and Android
> >>> as the login server. But for iOS, Android we want to use native login
> >>> page not the html page provided by KeyCloak adapter. but I read all
> >>> documents and discussions, I didn't find a way how to implement it.
> >>> Anybody can help me? thanks.
> >>>
> >>>
> >>> Joey
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/1e1c152b/attachment.html

From mariusz at info.nl Thu Sep 29 05:41:11 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Thu, 29 Sep 2016 09:41:11 +0000
Subject: [keycloak-user] Custom rest endpoint
In-Reply-To:
References:
Message-ID:

Google didn't help.
There were 2 things. First of all, I should return a Response object (not String):

    @Path("/{action}")
    @GET
    public Response get(@PathParam("action") String action) {
        String json = "{\"test\" : \"" + action + "\"}";
        return Response.ok(json, MediaType.APPLICATION_JSON_TYPE).build();
    }

Second thing is that you need to add dependencies to the module (during install), because otherwise you will get ClassNotFoundException:

    --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-services,javax.servlet.api,org.jboss.resteasy.resteasy-jaxrs,javax.ws.rs.api

I hope this will help other people.

Mariusz Chruścielewski

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday 29 September 2016 11:33
To: Stian Thorgersen
Cc: Mariusz Chruscielewski - Info.nl; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom rest endpoint

Also, try Googling "RESTEASY003815: Subresource for target class has no jax-rs annotations". I'm sure others have had that issue with RestEasy/JAX-RS before.

On 29 September 2016 at 11:31, Stian Thorgersen wrote:

Did you try the example? Does it work?
On 28 September 2016 at 13:35, Mariusz Chruscielewski - Info.nl wrote:

I can't make REST endpoint work, I'm using exactly the code supplied in the example, I tried also to check how standard endpoints in keycloak code are created, all looks similar:

    /**
     * @author Stian Thorgersen
     */
    public class HelloResourceProvider implements RealmResourceProvider {

        private KeycloakSession session;

        public HelloResourceProvider(KeycloakSession session) {
            this.session = session;
        }

        @GET
        @Produces(MediaType.TEXT_HTML)
        @Path("/{action}")
        public String get(@PathParam("action") String action) {
            //String requestUri = session.getContext().getUri().getRequestUri().toString();

            String title = "APP_REQUEST";
            if (action.equals("auth")) {
                title = "AUTH_RESPONSE";
            } else if (action.equals("logout")) {
                title = "LOGOUT_REQUEST";
            }

            StringBuilder sb = new StringBuilder();
            sb.append("" + title + "");
            UriBuilder base = UriBuilder.fromUri("http://localhost:8180/auth");
            sb.append("account");

            sb.append("");
            return sb.toString();
        }

        @Override
        public Object getResource() {
            return this;
        }

        @Override
        public void close() {
        }

    }

But I'm still getting:

RESTEASY003815: Subresource for target class has no jax-rs annotations.: nl.vi.keycloak.providers.rest.HelloResourceProvider

Can you please help me?
Thanks

Kind Regards,

Mariusz Chruscielewski
Software Engineer | mariusz at info.nl
+31 (0)20 530 91 13 | +48 695 555 292
info.nl making platforms work
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 11
Facebook | Twitter | LinkedIn | Google+

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
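An added example for the thread above (editorial, not code from the thread, from the Keycloak examples, or from the Keycloak project): a complete realm resource provider in the shape of the HelloResourceProvider discussed, carrying the two fixes Mariusz arrived at (return a JAX-RS Response rather than a String, and install the module with the javax.ws.rs.api dependency so the annotations resolve), plus two things an endpoint published under /auth/realms/{realm}/... should have before it goes live: a bearer-token check, and a response entity built from a Map so the JSON provider escapes values instead of string concatenation. The Factory class, the provider id hello-json, the package name, and the AppAuthManager.authenticateBearerToken(session, realm) call are assumptions about the Keycloak 2.x SPI, not details taken from the page.

```java
package example.keycloak.rest; // hypothetical package, not from the thread

import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

/**
 * Realm-scoped REST endpoint: GET /auth/realms/{realm}/hello-json/{action}
 * Answers with a JSON object instead of a String, as worked out in the thread.
 */
public class HelloJsonResourceProvider implements RealmResourceProvider {

    // Allow-list of accepted path values; anything else is a 400, so no
    // caller-supplied text is echoed back unvalidated.
    private static final Set<String> ACTIONS =
            new HashSet<>(Arrays.asList("app", "auth", "logout"));

    private final KeycloakSession session;

    public HelloJsonResourceProvider(KeycloakSession session) {
        this.session = session;
    }

    @GET
    @Path("/{action}")
    @Produces(MediaType.APPLICATION_JSON)
    public Response get(@PathParam("action") String action) {
        // Custom realm resources are reachable without a token by default;
        // require a valid bearer token for this realm before doing anything.
        // (assumed 2.x signature of AppAuthManager.authenticateBearerToken)
        RealmModel realm = session.getContext().getRealm();
        AuthResult auth = new AppAuthManager().authenticateBearerToken(session, realm);
        if (auth == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        if (!ACTIONS.contains(action)) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }

        // Hand a Map to RESTEasy's JSON provider: quotes and control characters
        // in values are escaped for us, which string concatenation does not do.
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("title", titleFor(action));
        body.put("user", auth.getUser().getUsername());
        return Response.ok(body, MediaType.APPLICATION_JSON_TYPE).build();
    }

    static String titleFor(String action) {
        switch (action) {
            case "auth":   return "AUTH_RESPONSE";
            case "logout": return "LOGOUT_REQUEST";
            default:       return "APP_REQUEST";
        }
    }

    @Override
    public Object getResource() {
        return this; // this class carries the JAX-RS annotations
    }

    @Override
    public void close() {
    }

    /**
     * Factory the SPI loads. Its fully qualified name goes into
     * META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory
     * inside the module jar.
     */
    public static class Factory implements RealmResourceProviderFactory {
        @Override public RealmResourceProvider create(KeycloakSession session) {
            return new HelloJsonResourceProvider(session);
        }
        @Override public String getId() { return "hello-json"; } // path segment under the realm
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Install the jar as a module with the --dependencies list Mariusz posted (org.keycloak.keycloak-core, org.keycloak.keycloak-server-spi, org.keycloak.keycloak-services, javax.servlet.api, org.jboss.resteasy.resteasy-jaxrs, javax.ws.rs.api) and add the module to the providers list in keycloak-server.json. A request to /auth/realms/<realm>/hello-json/auth with a valid Authorization: Bearer token for that realm gets {"title":"AUTH_RESPONSE","user":"<username>"}; without one it gets 401, and with an unknown action it gets 400.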
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/b4292032/attachment-0001.html

From sblanc at redhat.com Thu Sep 29 06:14:08 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 29 Sep 2016 12:14:08 +0200
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

Let's be careful with using Webviews. For instance, Google will soon block any OAuth interactions that use webviews (https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html); instead they recommend using the mobile browser. For Cordova apps, keycloak.js already works with inappbrowser, which opens an "external" browser, isolated from the app.

On Thu, Sep 29, 2016 at 11:35 AM, Stian Thorgersen wrote:

> I highly recommend using an embedded webview and not using native login and
> the direct grant API. That is best practice both for Keycloak and OIDC in
> general.
>
> On 26 September 2016 at 05:21, Joey wrote:
>
>> Thanks Guys, sorry for replying so late. I will try your solutions later.
>> thanks.
>>
>> On Thu, Sep 22, 2016 at 8:39 PM, Thomas Darimont wrote:
>> > Hello,
>> >
>> > I adapted an Android based OpenID Connect Demo Application to work with
>> > Keycloak.
>> > In Keycloak I created a confidential client with direct access grants as
>> > Scott described.
>> >
>> > https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo
>> > See the recent commits in the feature/keycloak-oidc-demo branch.
>> >
>> > Cheers,
>> > Thomas
>> >
>> > 2016-09-22 13:57 GMT+02:00 Scott Rossillo :
>> >>
>> >> You can do that using direct access grants if you search the docs for it.
>> >> However, we have native apps and just skinned our login pages to be
>> >> responsive and look great on mobile.
>> >>
>> >> The latter option is a better approach especially if you plan to implement
>> >> 2FA.
>> >>
>> >> On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
>> >>>
>> >>> Hi Guys,
>> >>>
>> >>> We are building a system, including 3 subsystems for a big website.
>> >>> and iOS and Android app. We use KeyCloak as the SSO server for all
>> >>> subsystems, and then we also want to use KeyCloak for iOS and Android
>> >>> as the login server. But for iOS, Android we want to use native login
>> >>> page not the html page provided by KeyCloak adapter. but I read all
>> >>> documents and discussions, I didn't find a way how to implement it.
>> >>> Anybody can help me? thanks.
>> >>>
>> >>>
>> >>> Joey
>> >>> _______________________________________________
>> >>> keycloak-user mailing list
>> >>> keycloak-user at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/996dc7da/attachment.html

From thomas.darimont at googlemail.com Thu Sep 29 08:21:59 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 29 Sep 2016 14:21:59 +0200
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

That's very interesting, thanks for sharing. Has someone already used the AppAuth apps they mentioned in the Google developers article with Keycloak?
e.g.: https://github.com/openid/AppAuth-Android

Cheers,
Thomas

2016-09-29 12:14 GMT+02:00 Sebastien Blanc :

> Let's be careful with using Webviews. For instance, Google will soon block
> any OAuth interactions that use webviews
> (https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html);
> instead they recommend using the mobile browser. For Cordova apps,
> keycloak.js already works with inappbrowser, which opens an "external"
> browser, isolated from the app.
>
> On Thu, Sep 29, 2016 at 11:35 AM, Stian Thorgersen wrote:
>
>> I highly recommend using an embedded webview and not using native login and
>> the direct grant API. That is best practice both for Keycloak and OIDC in
>> general.
>>
>> On 26 September 2016 at 05:21, Joey wrote:
>>
>>> Thanks Guys, sorry for replying so late. I will try your solutions later.
>>> thanks.
>>>
>>> On Thu, Sep 22, 2016 at 8:39 PM, Thomas Darimont wrote:
>>> > Hello,
>>> >
>>> > I adapted an Android based OpenID Connect Demo Application to work with
>>> > Keycloak.
>>> > In Keycloak I created a confidential client with direct access grants as
>>> > Scott described.
>>> >
>>> > https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo
>>> > See the recent commits in the feature/keycloak-oidc-demo branch.
>>> >
>>> > Cheers,
>>> > Thomas
>>> >
>>> > 2016-09-22 13:57 GMT+02:00 Scott Rossillo :
>>> >>
>>> >> You can do that using direct access grants if you search the docs for it.
>>> >> However, we have native apps and just skinned our login pages to be
>>> >> responsive and look great on mobile.
>>> >>
>>> >> The latter option is a better approach especially if you plan to implement
>>> >> 2FA.
>>> >>
>>> >> On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
>>> >>>
>>> >>> Hi Guys,
>>> >>>
>>> >>> We are building a system, including 3 subsystems for a big website.
>>> >>> and iOS and Android app.
>>> >>> We use KeyCloak as the SSO server for all
>>> >>> subsystems, and then we also want to use KeyCloak for iOS and Android
>>> >>> as the login server. But for iOS, Android we want to use native login
>>> >>> page not the html page provided by KeyCloak adapter. but I read all
>>> >>> documents and discussions, I didn't find a way how to implement it.
>>> >>> Anybody can help me? thanks.
>>> >>>
>>> >>>
>>> >>> Joey
>>> >>> _______________________________________________
>>> >>> keycloak-user mailing list
>>> >>> keycloak-user at lists.jboss.org
>>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/07354c54/attachment.html

From bburke at redhat.com Thu Sep 29 08:34:50 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 29 Sep 2016 08:34:50 -0400
Subject: [keycloak-user] With Keycloak 2.2.1 the DB migration fails
In-Reply-To:
References:
Message-ID:

Keycloak interaction now uses JTA.
Make sure you have the following in standalone.xml or keycloak-server.json.

keycloak-server.json:

    "jta-lookup": {
        "provider": "${keycloak.jta.lookup.provider:jboss}",
        "jboss": {
            "enabled": true
        }
    }

standalone.xml:

    <spi name="jta-lookup">
        <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
        <provider name="jboss" enabled="true"/>
    </spi>

On 9/29/16 5:23 AM, Stian Thorgersen wrote:
> Looks more like a database connection issue than a migration issue.
> Did you try Googling for "IJ031040: Connection is not associated with
> a managed connection"?
>
> On 29 September 2016 at 07:17, Padmaka Wijaygoonawardena wrote:
>
> Hi,
> With Keycloak 2.2.1 release the DB migration from a fresh DB fails;
> this also occurred in 2.1.0 as well. I use a MySQL DB as the
> database. Attached herewith is the stack trace.
>
> [2016-09-28 10:35:18.0609], WARN , org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool ServerService Thread Pool -- 62 - IJ000615: Destroying active connection in pool: mysql_keycloak (org.jboss.jca.adapters.jdbc.local.LocalManagedConnection at 2899b74f)
> [2016-09-28 10:35:18.0618], WARN , org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection ServerService Thread Pool -- 62 - IJ030022: Lock owned during cleanup: ServerService Thread Pool -- 56: java.lang.Throwable: Lock owned during cleanup: ServerService Thread Pool -- 56
> at java.net.SocketInputStream.socketRead0(Native Method)
> at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
> at java.net.SocketInputStream.read(SocketInputStream.java:170)
> at java.net.SocketInputStream.read(SocketInputStream.java:141)
> at com.mysql.jdbc.util.ReadAheadInputStream.fill(ReadAheadInputStream.java:100)
> at com.mysql.jdbc.util.ReadAheadInputStream.readFromUnderlyingStreamIfNecessary(ReadAheadInputStream.java:143)
> at com.mysql.jdbc.util.ReadAheadInputStream.read(ReadAheadInputStream.java:173)
> at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2911)
> at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3337)
> at 
com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3327) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3814) > at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435) > at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582) > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526) > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484) > at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848) > at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742) > at > org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198) > at > liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122) > at > liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247) > at > liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230) > at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548) > at > liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51) > at > liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73) > at liquibase.Liquibase.update(Liquibase.java:210) > at liquibase.Liquibase.update(Liquibase.java:190) > at liquibase.Liquibase.update(Liquibase.java:186) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:114) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.update(DefaultJpaConnectionProviderFactory.java:329) > at > 
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.migration(DefaultJpaConnectionProviderFactory.java:299) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory$$Lambda$105/1378148237.run(Unknown > Source) > at > org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:677) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:137) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:85) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:63) > at > org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158) > at > org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:51) > at > org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:33) > at > org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158) > at > org.keycloak.models.cache.infinispan.RealmCacheSession.getDelegate(RealmCacheSession.java:161) > at > org.keycloak.models.cache.infinispan.RealmCacheSession.getMigrationModel(RealmCacheSession.java:154) > at > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:60) > at > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:221) > at > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:162) > at > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:121) > at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295) > at > 
org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:112) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at 
java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > [2016-09-28 10:35:18.0634], INFO , > org.jboss.as.connector.services.driver.DriverService MSC service > thread 1-6 - WFLYJCA0019: Stopped Driver service with driver-name > = mysql-connector-java-5.1.33-bin.jar_com.mysql.jdbc.Driver_5_1 > [2016-09-28 10:35:19.0107], INFO , > org.hibernate.validator.internal.util.Version MSC service thread > 1-5 - HV000001: Hibernate Validator 5.2.3.Final > [2016-09-28 10:35:19.0592], DEBUG, > org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider$LogWrapper$1 > ServerService Thread Pool -- 56 - Foreign key constraint added to > RESOURCE_POLICY (RESOURCE_ID) > [2016-09-28 10:35:19.0593], DEBUG, > org.keycloak.transaction.JtaTransactionWrapper ServerService > Thread Pool -- 56 - JtaTransactionWrapper rollback > [2016-09-28 10:35:19.0593], DEBUG, > org.keycloak.transaction.JtaTransactionWrapper ServerService > Thread Pool -- 56 - JtaTransactionWrapper end > [2016-09-28 10:35:19.0594], DEBUG, > org.keycloak.transaction.JtaTransactionWrapper ServerService > Thread Pool -- 56 - JtaTransactionWrapper resuming suspended > [2016-09-28 10:35:19.0595], DEBUG, > org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService > ServerService Thread Pool -- 56 - Going to release database lock > [2016-09-28 10:35:19.0595], ERROR, > org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService > ServerService Thread Pool -- 56 - Database error during release > lock: liquibase.exception.DatabaseException: > liquibase.exception.DatabaseException: java.sql.SQLException: > IJ031040: Connection is not associated with a managed connection: > 
org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5 > at > liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcDatabase.java:1130) > at > org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService.releaseLock(CustomLockService.java:184) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$releaseLock$1(LiquibaseDBLockProvider.java:126) > at > org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:677) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.releaseLock(LiquibaseDBLockProvider.java:123) > at > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:123) > at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:112) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > 
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: liquibase.exception.DatabaseException: > java.sql.SQLException: IJ031040: Connection is not associated with > a managed connection: > org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5 > at > liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:126) > at > liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcDatabase.java:1128) > ... 
31 more > Caused by: java.sql.SQLException: IJ031040: Connection is not > associated with a managed connection: > org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5 > at > org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164) > at > org.jboss.jca.adapters.jdbc.WrappedConnection.getAutoCommit(WrappedConnection.java:802) > at > liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:122) > ... 32 more > [2016-09-28 10:35:19.0596], DEBUG, > org.keycloak.transaction.JtaTransactionWrapper ServerService > Thread Pool -- 56 - JtaTransactionWrapper rollback > [2016-09-28 10:35:19.0596], DEBUG, > org.keycloak.transaction.JtaTransactionWrapper ServerService > Thread Pool -- 56 - JtaTransactionWrapper end > [2016-09-28 10:35:19.0598], INFO , > org.jboss.as.server.BootstrapImpl$ShutdownHook Thread-2 - > WFLYSRV0220: Server shutdown has been requested. > [2016-09-28 10:35:19.0601], DEBUG, > org.jboss.as.security.service.SecurityDomainService MSC service > thread 1-8 - Stopping security domain service jboss-ejb-policy > [2016-09-28 10:35:19.0601], DEBUG, > org.jboss.as.mail.extension.MailSessionAdd$1 MSC service thread > 1-2 - WFLYMAIL0003: Removed mail session [java:jboss/mail/Default] > [2016-09-28 10:35:19.0602], DEBUG, > org.infinispan.manager.DefaultCacheManager MSC service thread 1-7 > - Stopping cache manager server on padmaka > [2016-09-28 10:35:19.0602], DEBUG, > org.wildfly.extension.undertow.ConsoleRedirectService MSC service > thread 1-2 - Stopping console redirect for default-host > [2016-09-28 10:35:19.0606], DEBUG, > org.jboss.as.connector.subsystems.datasources.CommonDeploymentService > MSC service thread 1-3 - Stopped CommonDeployment %s > [2016-09-28 10:35:19.0606], INFO , > org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$2 > MSC service thread 1-6 - WFLYJCA0010: Unbound data source > [java:jboss/datasources/KeycloakDS] > [2016-09-28 10:35:19.0607], DEBUG, > 
org.jboss.as.connector.subsystems.datasources.CommonDeploymentService > MSC service thread 1-6 - Stopped CommonDeployment %s > [2016-09-28 10:35:19.0612], DEBUG, > org.jboss.as.security.service.SecurityDomainService MSC service > thread 1-3 - Stopping security domain service jboss-web-policy > [2016-09-28 10:35:19.0624], DEBUG, > org.jboss.as.security.service.SecurityDomainService MSC service > thread 1-4 - Stopping security domain service jaspitest > [2016-09-28 10:35:19.0628], DEBUG, > org.jboss.as.connector.services.resourceadapters.deployment.registry.ResourceAdapterDeploymentRegistryService > MSC service thread 1-1 - Stopping service service jboss.raregistry > [2016-09-28 10:35:19.0628], DEBUG, > org.infinispan.manager.DefaultCacheManager MSC service thread 1-8 > - Stopping cache manager web on padmaka > [2016-09-28 10:35:19.0630], DEBUG, > org.infinispan.manager.DefaultCacheManager MSC service thread 1-6 > - Stopping cache manager ejb on padmaka > [2016-09-28 10:35:19.0630], INFO , > org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC > service thread 1-7 - ISPN000080: Disconnecting JGroups channel server > [2016-09-28 10:35:19.0631], DEBUG, > org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$1 > ServerService Thread Pool -- 62 - Un-registered > org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$1 at 5bc6f06a > from the transaction recovery manager > [2016-09-28 10:35:19.0632], INFO , > org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC > service thread 1-7 - ISPN000082: Stopping the RpcDispatcher for > channel server > [2016-09-28 10:35:19.0638], INFO , > org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC > service thread 1-8 - ISPN000080: Disconnecting JGroups channel web > [2016-09-28 10:35:19.0638], INFO , > org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC > service thread 1-8 - ISPN000082: Stopping the RpcDispatcher for > channel web > [2016-09-28 10:35:19.0636], INFO , > 
org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC > service thread 1-6 - ISPN000080: Disconnecting JGroups channel ejb > [2016-09-28 10:35:19.0640], INFO , > org.infinispan.remoting.transport.jgroups.JGroupsTransport MSC > service thread 1-6 - ISPN000082: Stopping the RpcDispatcher for > channel ejb > [2016-09-28 10:35:19.0637], DEBUG, > org.infinispan.manager.DefaultCacheManager MSC service thread 1-1 > - Stopping cache manager hibernate on padmaka > [2016-09-28 10:35:19.0642], DEBUG, > org.jboss.tm.usertx.UserTransactionRegistry MSC service thread 1-2 > - org.jboss.tm.usertx.UserTransactionRegistry at daa6d39 > removeListener > org.jboss.as.jpa.container.JPAUserTransactionListener at 47424e73 > [2016-09-28 10:35:19.0642], DEBUG, > org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$2 > MSC service thread 1-3 - Removed JDBC Data-source > [java:jboss/datasources/KeycloakDS] > [2016-09-28 10:35:19.0641], DEBUG, > org.jboss.as.clustering.infinispan.subsystem.CacheContainerBuilder > MSC service thread 1-7 - server cache container stopped > [2016-09-28 10:35:19.0641], DEBUG, > org.jboss.as.clustering.infinispan.subsystem.CacheContainerBuilder > MSC service thread 1-6 - ejb cache container stopped > [2016-09-28 10:35:19.0640], INFO , > org.wildfly.extension.undertow.HttpsListenerService MSC service > thread 1-4 - WFLYUT0008: Undertow HTTPS listener https suspending > [2016-09-28 10:35:19.0639], DEBUG, > org.jboss.as.clustering.infinispan.subsystem.CacheContainerBuilder > MSC service thread 1-8 - web cache container stopped > [2016-09-28 10:35:19.0654], INFO , > org.wildfly.extension.undertow.HttpsListenerService MSC service > thread 1-4 - WFLYUT0007: Undertow HTTPS listener https stopped, > was bound to 10.1.11.48:8101 > [2016-09-28 10:35:19.0651], ERROR, > org.jboss.msc.service.ServiceControllerImpl$StartContextImpl > ServerService Thread Pool -- 56 - MSC000001: Failed to start > service > 
jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: RESTEASY003325: Failed to construct > public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to > construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > 
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: java.lang.RuntimeException: Failed to update database > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:90) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.update(DefaultJpaConnectionProviderFactory.java:329) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.migration(DefaultJpaConnectionProviderFactory.java:299) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186) > at > org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:677) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:137) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:85) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:63) > at > org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158) > at > 
org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:51) > at > org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:33) > at > org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:158) > at > org.keycloak.models.cache.infinispan.RealmCacheSession.getDelegate(RealmCacheSession.java:161) > at > org.keycloak.models.cache.infinispan.RealmCacheSession.getMigrationModel(RealmCacheSession.java:154) > at > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:60) > at > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:221) > at > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:162) > at > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:121) > at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:112) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > ... 
19 more > Caused by: liquibase.exception.MigrationFailedException: Migration > failed for change set > META-INF/jpa-changelog-authz-2.0.0.xml::authz-2.0.0::psilva at redhat.com > : > Reason: liquibase.exception.UnexpectedLiquibaseException: > java.sql.SQLException: IJ031040: Connection is not associated with > a managed connection: > org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 503aa43a > at liquibase.changelog.ChangeSet.execute(ChangeSet.java:573) > at > liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51) > at > liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73) > at liquibase.Liquibase.update(Liquibase.java:210) > at liquibase.Liquibase.update(Liquibase.java:190) > at liquibase.Liquibase.update(Liquibase.java:186) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:114) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76) > ... 44 more > Caused by: liquibase.exception.UnexpectedLiquibaseException: > java.sql.SQLException: IJ031040: Connection is not associated with > a managed connection: > org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 503aa43a > at > liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:79) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:62) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122) > at > liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247) > at > liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230) > at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548) > ... 
51 more
> Caused by: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 503aa43a
>     at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
>     at org.jboss.jca.adapters.jdbc.WrappedConnection.getMetaData(WrappedConnection.java:913)
>     at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:77)
>     ... 56 more
>
> is there any solution for this?
>
> Thanks in advance.
> Padmaka
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/40d7fe83/attachment-0001.html

From gregor at jarisch.net Thu Sep 29 10:01:56 2016
From: gregor at jarisch.net (Gregor Jarisch)
Date: Thu, 29 Sep 2016 16:01:56 +0200
Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in
Message-ID: <1983280914-42105@kerio1.zmi.at>

Hi there,

we have a single page application using the JS adapter. Once the user is logged in and a page redirect occurs, the SPA loads, but immediately reloads once again when the keycloak adapter authenticates. Since the user was logged in before already, we would have assumed that no further page refresh has to be made.

Interestingly, when we manually pass on all the token values in the init method (for testing purposes), the page doesn't refresh a second time and the user is authenticated, as we would have expected it to be.

This might be just a misunderstanding of how this adapter is supposed to work, but from our understanding the purpose of the iframe and the set cookie is to make sure the user stays authenticated. Thus, shouldn't the keycloak adapter "store" the tokens and use them on a page refresh if they are valid, in order to authenticate without the need for an additional page refresh?

It would be nice if somebody could explain this mechanism a bit further and maybe even give a hint on what we are doing wrong here. We are puzzled at the moment.

Thanks

Gregor

From sblanc at redhat.com Thu Sep 29 10:16:36 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 29 Sep 2016 16:16:36 +0200
Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in
In-Reply-To: <1983280914-42105@kerio1.zmi.at>
References: <1983280914-42105@kerio1.zmi.at>
Message-ID:

Hi,

Are you using keycloak.init({ onLoad: 'check-sso' }) ?

Sebi

On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch wrote:
> Hi there,
>
> we have a single page application using the JS adapter. Once the user is logged in and a page redirect occurs, the SPA loads, but immediately reloads once again when the keycloak adapter authenticates. Since the user was logged in before already, we would have assumed that no further page refresh has to be made.
>
> Interestingly, when we manually pass on all the token values in the init method (for testing purposes), the page doesn't refresh a second time and the user is authenticated, as we would have expected it to be.
>
> This might be just a misunderstanding of how this adapter is supposed to work, but from our understanding the purpose of the iframe and the set cookie is to make sure the user stays authenticated. Thus, shouldn't the keycloak adapter "store" the tokens and use them on a page refresh if they are valid, in order to authenticate without the need for an additional page refresh?
>
> It would be nice if somebody could explain this mechanism a bit further and maybe even give a hint on what we are doing wrong here. We are puzzled at the moment.
>
> Thanks
>
> Gregor

From jsightle at redhat.com Thu Sep 29 11:27:17 2016
From: jsightle at redhat.com (Jess Sightler)
Date: Thu, 29 Sep 2016 11:27:17 -0400
Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in
In-Reply-To:
References: <1983280914-42105@kerio1.zmi.at>
Message-ID: <0cf4f3e6-b597-7544-9a31-1a86235ba4a5@redhat.com>

I am, and I believe that I have noticed this behavior as well. I get redirected back to the app with "?prompt=none" appended to the URL.

On 09/29/2016 10:16 AM, Sebastien Blanc wrote:
> Hi,
>
> Are you using keycloak.init({ onLoad: 'check-sso' }) ?
>
> Sebi
>
> On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch wrote:
> > Hi there,
> >
> > we have a single page application using the JS adapter. Once the user is logged in and a page redirect occurs, the SPA loads, but immediately reloads once again when the keycloak adapter authenticates. Since the user was logged in before already, we would have assumed that no further page refresh has to be made.
> >
> > Interestingly, when we manually pass on all the token values in the init method (for testing purposes), the page doesn't refresh a second time and the user is authenticated, as we would have expected it to be.
> >
> > This might be just a misunderstanding of how this adapter is supposed to work, but from our understanding the purpose of the iframe and the set cookie is to make sure the user stays authenticated. Thus, shouldn't the keycloak adapter "store" the tokens and use them on a page refresh if they are valid, in order to authenticate without the need for an additional page refresh?
> >
> > It would be nice if somebody could explain this mechanism a bit further and maybe even give a hint on what we are doing wrong here. We are puzzled at the moment.
> >
> > Thanks
> >
> > Gregor

From jblashka at redhat.com Thu Sep 29 12:43:02 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Thu, 29 Sep 2016 12:43:02 -0400
Subject: [keycloak-user] Have adapter expose RelayState?
Message-ID:

Is the RelayState parameter exposed to the client application in any way after a login request? I couldn't find anything in the documentation or the code mentioning it. I ended up having to write a valve for my application that captured the RelayState parameter and stored it in the session for use. I think it would make sense if the adapters automatically did something similar.

Jared Blashka

From joe at joethielen.com Thu Sep 29 16:08:15 2016
From: joe at joethielen.com (Joe Thielen)
Date: Thu, 29 Sep 2016 16:08:15 -0400
Subject: [keycloak-user] Keycloak 2.2.1.Final HTTPS new XML setup versus old JSON
In-Reply-To:
References:
Message-ID:

This fixed it! Thanks Stian!

On Wed, Sep 28, 2016 at 5:43 AM, Stian Thorgersen wrote:
> Typo! Your provider tag for default httpClient is self-closing,
>
> should be:
>
> On 23 September 2016 at 21:11, Joe Thielen wrote:
>> No, this is a new setup. But I will try that to figure out the differences, thank you.
>>
>> On Sep 23, 2016 2:59 PM, "Thomas Darimont" wrote:
>>> Hello Joe,
>>>
>>> did you use the migration tool mentioned in the docs? "Migrate and convert keycloak-server.json"
>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/MigrationFromOlderVersions.html
>>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/config-subsystem/start-cli.html
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-09-23 20:19 GMT+02:00 Joe Thielen:
>>>> I'm trying to figure out how to configure HTTPS on 2.2.1.Final. I've done it on 2.1.0.Final and had it functioning. I used to put the following into standalone/configuration/keycloak-server.json
>>>>
>>>>     "connectionsHttpClient": {
>>>>         "default": {},
>>>>         "client-keystore": "${jboss.home.dir}/standalone/configuration/keycloak.jks",
>>>>         "client-keystore-password": "TPF-KCVM-KCKEYSTOREPASS",
>>>>         "client-key-password": "TPF-KCVM-KCKEYSTOREPASS"
>>>>     },
>>>>
>>>> Now I understand there is no more JSON file. I'm having issues getting the XML version running in standalone/configuration/standalone.xml.
>>>> >>>> I looked at https://keycloak.gitbooks.io/s >>>> erver-installation-and-configuration/content/v/2.2/topics/ne >>>> twork/outgoing.html and now I've got this: >>>> >>>> >>>> >>>> >>>> >>> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/> >>>> >>> value="Test1234"/> >>>> >>> value="Test1234"/> >>>> >>>> >>>> >>>> And also: >>>> >>>> >>>> >>>> >>>> >>> value="${jboss.home.dir}/standalone/configuration/keycloak.jks"/> >>>> >>> value="Test1234"/> >>>> >>> name="hostname-verification-policy" value="WILDCARD"/> >>>> >>> value="false"/> >>>> >>>> >>>> >>>> >>>> However, when I start Keycloak I get this error: >>>> >>>> 18:07:46,305 ERROR [org.jboss.as.server] (Controller Boot Thread) >>>> WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persis >>>> tence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse >>>> configuration >>>> at org.jboss.as.controller.persistence.XmlConfigurationPersiste >>>> r.load(XmlConfigurationPersister.java:131) >>>> at org.jboss.as.server.ServerService.boot(ServerService.java:356) >>>> at org.jboss.as.controller.AbstractControllerService$1.run(Abst >>>> ractControllerService.java:299) >>>> at java.lang.Thread.run(Thread.java:745) >>>> Caused by: javax.xml.stream.XMLStreamException: Unknown >>>> keycloak-server subsystem tag: property >>>> at org.keycloak.subsystem.server.extension.KeycloakSubsystemPar >>>> ser.readElement(KeycloakSubsystemParser.java:82) >>>> at org.keycloak.subsystem.server.extension.KeycloakSubsystemPar >>>> ser.readElement(KeycloakSubsystemParser.java:56) >>>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperIm >>>> pl.java:110) >>>> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(X >>>> MLExtendedStreamReaderImpl.java:69) >>>> at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfi >>>> le(StandaloneXml_4.java:546) >>>> at org.jboss.as.server.parsing.StandaloneXml_4.readServerElemen >>>> t(StandaloneXml_4.java:242) >>>> at 
org.jboss.as.server.parsing.StandaloneXml_4.readElement(Stan >>>> daloneXml_4.java:141) >>>> at org.jboss.as.server.parsing.StandaloneXml.readElement(Standa >>>> loneXml.java:103) >>>> at org.jboss.as.server.parsing.StandaloneXml.readElement(Standa >>>> loneXml.java:49) >>>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperIm >>>> pl.java:110) >>>> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperIm >>>> pl.java:69) >>>> at org.jboss.as.controller.persistence.XmlConfigurationPersiste >>>> r.load(XmlConfigurationPersister.java:123) >>>> ... 3 more >>>> >>>> 18:07:46,306 FATAL [org.jboss.as.server] (Controller Boot Thread) >>>> WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. >>>> See previous messages for details. >>>> >>>> Did I do it wrong? >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160929/6a12a33c/attachment-0001.html From adam.keily at adelaide.edu.au Fri Sep 30 01:53:44 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Fri, 30 Sep 2016 05:53:44 +0000 Subject: [keycloak-user] Realm Config Recommendations In-Reply-To: References: Message-ID: Hi Stian, Just revisting this. Can you elaborate on ?you could use the admin endpoints to link the KC user to an LDAP user when the student is created in LDAP? How do you see this working? 
Adam From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, 7 September 2016 10:15 PM To: Adam Keily Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Realm Config Recommendations If you don't mind having prospective students in LDAP as well you can have them created in LDAP when they register in Keycloak. This applies to users registering with social IdPs as well. Might even help your onboarding of students as you'd already have some details filled in. Otherwise you could use the admin endpoints to link the KC user to an LDAP user when the student is created in LDAP. On 30 August 2016 at 06:17, Adam Keily > wrote: Hi, I?m new to keycloak and we?re investigating using it within our University. In the first instance it would be used as a registration point for external users e.g. prospective students etc. They will either register via the form or using social IdP?s in order to access various apps for these types of users. We want to remain open to using Keycloak for our internal (AD / LDAP) users to authenticate to these same apps as well as corporate applications. The tricky part comes where a prospective student (external identity) enrols and becomes a regular student (LDAP user). We would like them to continue to be recognised as a single identity and have their registered identities merged / linked with their new internal id. Hoping someone might be able to provide some guidance on the best way to go. There are a few ideas I?ve been testing. One is to have a single keycloak realm for user registration and configure LDAP as a user federation source. However this would seem to rule out linking the accounts? Another idea was to configure two realms (internal and external) and have the internal realm act as an IdP for the external realm. Another option is to create three realms, internal, external and combined. 
The combined realm is used for SSO for all apps and the internal and external realms are configured to be IdP?s for the combined realm. I can?t help but feel this is starting to get more complicated than is necessary. Any guidance or thoughts would be much appreciated. Regards Adam -- Adam Keily Risk & Security Services The University of Adelaide _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160930/fb228e15/attachment.html From sthorger at redhat.com Fri Sep 30 02:36:22 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 30 Sep 2016 08:36:22 +0200 Subject: [keycloak-user] Realm Config Recommendations In-Reply-To: References: Message-ID: We're currently re-working user federation SPI, but the new SPI should be ready in 2.3. Once it is I think you should be able to do what you want. Bill - can you take a peak at the original use-case and comment if it's achievable? It's an interesting use-case. On 30 September 2016 at 07:53, Adam Keily wrote: > Hi Stian, > > > > Just revisting this. Can you elaborate on ?*you could use the admin > endpoints to link the KC user to an LDAP user when the student is created > in LDAP*? > > > > How do you see this working? > > > > Adam > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, 7 September 2016 10:15 PM > *To:* Adam Keily > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Realm Config Recommendations > > > > If you don't mind having prospective students in LDAP as well you can have > them created in LDAP when they register in Keycloak. This applies to users > registering with social IdPs as well. Might even help your onboarding of > students as you'd already have some details filled in. 
> > > > Otherwise you could use the admin endpoints to link the KC user to an LDAP > user when the student is created in LDAP. > > > > On 30 August 2016 at 06:17, Adam Keily wrote: > > Hi, > > > > I?m new to keycloak and we?re investigating using it within our > University. In the first instance it would be used as a registration point > for external users e.g. prospective students etc. They will either register > via the form or using social IdP?s in order to access various apps for > these types of users. > > > > We want to remain open to using Keycloak for our internal (AD / LDAP) > users to authenticate to these same apps as well as corporate applications. > > > > The tricky part comes where a prospective student (external identity) > enrols and becomes a regular student (LDAP user). We would like them to > continue to be recognised as a single identity and have their registered > identities merged / linked with their new internal id. > > > > Hoping someone might be able to provide some guidance on the best way to > go. There are a few ideas I?ve been testing. > > > > One is to have a single keycloak realm for user registration and configure > LDAP as a user federation source. However this would seem to rule out > linking the accounts? > > > > Another idea was to configure two realms (internal and external) and have > the internal realm act as an IdP for the external realm. > > > > Another option is to create three realms, internal, external and combined. > The combined realm is used for SSO for all apps and the internal and > external realms are configured to be IdP?s for the combined realm. I can?t > help but feel this is starting to get more complicated than is necessary. > > > > Any guidance or thoughts would be much appreciated. 
> > > > Regards > > Adam > > > > > > -- > > Adam Keily > > Risk & Security Services > > The University of Adelaide > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From amaeztu at tesicnor.com Fri Sep 30 02:38:55 2016 From: amaeztu at tesicnor.com (Aritz Maeztu) Date: Fri, 30 Sep 2016 08:38:55 +0200 Subject: [keycloak-user] Retrieving the access token itself from org.keycloak.representations.AccessToken Message-ID: <46db0a39-549d-0cfa-6acd-80f6e1f96bed@tesicnor.com> I have implemented my own mapper to add extra info in the transformAccessToken method. However, to fill the extra fields I would like to use the access token itself to access a remote security endpoint which is secured. However, I don't see any way to retrieve the base64 encoded token from the org.keycloak.representations.AccessToken.java object. Currently my workaround is to access the remote endpoint using a service account, but I would like to take advantage of the token I already have. Is it possible? -- Aritz Maeztu Ota?o Departamento Desarrollo de Software Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretar?a: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. From sthorger at redhat.com Fri Sep 30 02:42:10 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 30 Sep 2016 08:42:10 +0200 Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in In-Reply-To: <0cf4f3e6-b597-7544-9a31-1a86235ba4a5@redhat.com> References: <1983280914-42105@kerio1.zmi.at> <0cf4f3e6-b597-7544-9a31-1a86235ba4a5@redhat.com> Message-ID: With check-sso what should happen is: * keycloak.js checks session cookie. 
If no cookie it does nothing * If session cookie exists redirect to login page with prompt=none * If session is valid Keycloak redirects back to app with code and keycloak.js swaps the code * If session wasn't valid Keycloak redirects back to app With a logged-in user the app page should be loaded twice. Once when first visited then a second time after the prompt=none redirect. Are you seeing the page being loaded twice or three times? On 29 September 2016 at 17:27, Jess Sightler wrote: > I am, and I believe that I have noticed this behavior as well. I get > redirected back to the app with "?prompt=none" appended to the URL. > > On 09/29/2016 10:16 AM, Sebastien Blanc wrote: > > Hi, > > Are you using > > keycloak.init({ onLoad: 'check-sso' }) ? > > > Sebi > > > > On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch > wrote: > >> Hi there, >> >> we have a single page application using the JS adapter. Once the user is >> logged in and a page redirect occurs, the SPA loads, but immediately >> reloads once again when keycloak adapter authenticates. >> Since the user was logged in before already, we would have assumed that >> no further page refresh has to be made. >> >> Interestingly, when we manually pass on all the token values in the init >> method (for testing purposes), the page doesn't refresh a second time and >> the user is authenticated. As we would have expected it to be. >> >> This might be just a misunderstanding of how this adapter is supposed to >> work, but from our understanding the purpose of the iframe and the set >> cookie is to make sure the user stays authenticated. >> Thus, shouldn't the keycloak adapter "store" the tokens and use them on a >> page refresh if they are valid in order to authenticate without the need >> for an additional page refresh? >> >> Would be nice if somebody can explain this mechanism a bit further and >> maybe even give a hint on what we are doing wrong here.. We are puzzled at >> the moment. 
>> >> Thanks >> >> Gregor >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From adam.keily at adelaide.edu.au Fri Sep 30 02:59:55 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Fri, 30 Sep 2016 06:59:55 +0000 Subject: [keycloak-user] Realm Config Recommendations In-Reply-To: References: Message-ID: Great. We?re getting closer to a solution using two realms. Esentially, 1. we have a ?registered users? realm. Where the prospective students get created. 2. We have an ?internal? realm where our LDAP users are. The registered realm is an IdP for the internal realm. That way our SP?s only need to talk to one realm. 3. If a user registers in the reg realm it creates an id in the internal realm. 4. If / when that user gets an LDAP id created, we get the user to sign in to the internal realm using their existing ID. 5. They unlink their existing id from their reg realm user. 6. They then sign in using their LDAP ID and link their reg realm ID (we then delete the original linked id from the internal realm as it is really only a shell / placeholder. All the attributes the SP sees are coming from the reg realm). Having the two realms allows: - The ability to get the user to sign in as two ID?s at the same time for the purposes of linking / unlinking. - Persisitance of the original registered id and it?s attributes. This is useful to manage the user ceasing their role as a student and returning to only use their registered ID (alumni). 
Ideally, we wouldn't create an id for the registered user in the internal realm at all. It would be great to be able to just pass their data through from the reg realm and then when they get an LDAP ID, we can create the link. I believe keeping an IdP authenticated session in memory only is on the roadmap.

We're struggling a little bit with what uniqueID to pass through to the SPs to maintain the single Id / profile in the SP.

I think this scenario is fairly specific to University environments and probably isn't seen much in the corporate world. E.g. not many users need to transition from customer to employee and back again.

Any help or advice much appreciated.

Adam

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, 30 September 2016 4:06 PM
To: Adam Keily ; Bill Burke
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Realm Config Recommendations

We're currently re-working user federation SPI, but the new SPI should be ready in 2.3. Once it is I think you should be able to do what you want.

Bill - can you take a peek at the original use-case and comment if it's achievable? It's an interesting use-case.

On 30 September 2016 at 07:53, Adam Keily wrote:

Hi Stian,

Just revisiting this. Can you elaborate on "you could use the admin endpoints to link the KC user to an LDAP user when the student is created in LDAP"? How do you see this working?

Adam

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, 7 September 2016 10:15 PM
To: Adam Keily
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Realm Config Recommendations

If you don't mind having prospective students in LDAP as well you can have them created in LDAP when they register in Keycloak. This applies to users registering with social IdPs as well. Might even help your onboarding of students as you'd already have some details filled in.
Otherwise you could use the admin endpoints to link the KC user to an LDAP user when the student is created in LDAP.

On 30 August 2016 at 06:17, Adam Keily wrote:

Hi,

I'm new to keycloak and we're investigating using it within our University. In the first instance it would be used as a registration point for external users e.g. prospective students etc. They will either register via the form or using social IdPs in order to access various apps for these types of users.

We want to remain open to using Keycloak for our internal (AD / LDAP) users to authenticate to these same apps as well as corporate applications.

The tricky part comes where a prospective student (external identity) enrols and becomes a regular student (LDAP user). We would like them to continue to be recognised as a single identity and have their registered identities merged / linked with their new internal id.

Hoping someone might be able to provide some guidance on the best way to go. There are a few ideas I've been testing.

One is to have a single keycloak realm for user registration and configure LDAP as a user federation source. However this would seem to rule out linking the accounts?

Another idea was to configure two realms (internal and external) and have the internal realm act as an IdP for the external realm.

Another option is to create three realms, internal, external and combined. The combined realm is used for SSO for all apps and the internal and external realms are configured to be IdPs for the combined realm.

I can't help but feel this is starting to get more complicated than is necessary. Any guidance or thoughts would be much appreciated.
Regards
Adam

--
Adam Keily
Risk & Security Services
The University of Adelaide

From sthorger at redhat.com Fri Sep 30 03:01:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:01:25 +0200
Subject: [keycloak-user] Retrieving the access token itself from org.keycloak.representations.AccessToken
In-Reply-To: <46db0a39-549d-0cfa-6acd-80f6e1f96bed@tesicnor.com>
References: <46db0a39-549d-0cfa-6acd-80f6e1f96bed@tesicnor.com>
Message-ID:

The access token is not created yet at that point. You can't sign something that's not completed ;)

A service account is the way to go, as you don't actually have a token yet, you're in the progress of creating one.

On 30 September 2016 at 08:38, Aritz Maeztu wrote:

> I have implemented my own mapper to add extra info in the transformAccessToken method. However, to fill the extra fields I would like to use the access token itself to access a remote security endpoint which is secured. However, I don't see any way to retrieve the base64 encoded token from the org.keycloak.representations.AccessToken.java object.
>
> Currently my workaround is to access the remote endpoint using a service account, but I would like to take advantage of the token I already have.
>
> Is it possible?
>
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel. Aritz Maeztu: 948 68 03 06
> Tel. Secretariat: 948 21 40 40
>
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.
>

From sthorger at redhat.com Fri Sep 30 03:03:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:03:06 +0200
Subject: [keycloak-user] iOS App login with Keycloak
In-Reply-To:
References:
Message-ID:

+1 Using the system browser is the proper way. SSO and everything ;) Not sure keycloak.js does it properly though as it doesn't have support for SSO AFAIK?

On 29 September 2016 at 12:14, Sebastien Blanc wrote:

> Let's be careful with using Webviews, for instance, Google will soon block any OAuth interactions that use the webviews (https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html), instead they recommend using the mobile browser. For Cordova apps, keycloak.js already works with inappbrowser that opens an "external" browser, isolated from the app.
>
> On Thu, Sep 29, 2016 at 11:35 AM, Stian Thorgersen wrote:
>
>> I highly recommend using an embedded webview and not use native login and direct grant api. That is best practice both for Keycloak and OIDC in general.
>>
>> On 26 September 2016 at 05:21, Joey wrote:
>>
>>> Thanks Guys, sorry for reply so late. I will try your solutions later. thanks.
>>>
>>> On Thu, Sep 22, 2016 at 8:39 PM, Thomas Darimont wrote:
>>> > Hello,
>>> >
>>> > I adapted an Android based OpenID Connect Demo Application to work with Keycloak.
>>> > In Keycloak I created a confidential client with direct access grants as Scott described.
>>> >
>>> > https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo
>>> > See the recent commits in the feature/keycloak-oidc-demo branch.
>>> >
>>> > Cheers,
>>> > Thomas
>>> >
>>> > 2016-09-22 13:57 GMT+02:00 Scott Rossillo :
>>> >>
>>> >> You can do that using direct access grants if you search the docs for it.
>>> >> However, we have native apps and just skinned our login pages to be responsive and look great on mobile.
>>> >>
>>> >> The latter option is a better approach especially if you plan to implement 2FA.
>>> >>
>>> >> On Thu, Sep 22, 2016 at 6:27 AM Joey wrote:
>>> >>>
>>> >>> Hi Guys,
>>> >>>
>>> >>> We are building a system, including 3 subsystems for a big website, and iOS and Android app. We use KeyCloak as the SSO server for all subsystems, and then we also want to use KeyCloak for iOS and Android as the login server. But for iOS, Android we want to use native login page not the html page provided by KeyCloak adapter. But I read all documents and discussions, I didn't find a way how to implement it. Anybody can help me? thanks.
>>> >>>
>>> >>> Joey
>>
>

From sthorger at redhat.com Fri Sep 30 03:04:33 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:04:33 +0200
Subject: [keycloak-user] Updating lastLogon in LDAP/AD from Keycloak when user is authenticated
In-Reply-To:
References:
Message-ID:

Marek - this isn't supported at the moment right?

On 19 September 2016 at 15:25, Edgar Vonk - Info.nl wrote:

> Hi,
>
> We would like to have Keycloak update the lastLogon user attribute in our Active Directory server whenever a user logs in to our customer portal.
>
> Is it possible to do this from Keycloak?
>
> The portal is secured using Keycloak so behind the scenes the Keycloak bind user is the one that authenticates the user in AD.
>
> The only thing we have now is the user session information in Keycloak but that is not of much value to us because:
> - in our situation AD is leading for all user data
> - whenever we redeploy Keycloak (quite often) we empty out the Keycloak database and start new by synching users from AD
> - if I am not mistaken currently user session data is not stored in the Keycloak database anyway?
>
> cheers
>
> Edgar

From amaeztu at tesicnor.com Fri Sep 30 03:04:18 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Fri, 30 Sep 2016 09:04:18 +0200
Subject: [keycloak-user] Retrieving the access token itself from org.keycloak.representations.AccessToken
In-Reply-To:
References: <46db0a39-549d-0cfa-6acd-80f6e1f96bed@tesicnor.com>
Message-ID: <66ca0db7-b135-35ca-78f4-762c279a2380@tesicnor.com>

Ok, I was guessing that. I suppose I need to retrieve another token from the /auth/realms/{{realm}}/protocol/openid-connect/token endpoint, the way I was doing. Thanks!

On 30/09/2016 9:01, Stian Thorgersen wrote:
> The access token is not created yet at that point. You can't sign something that's not completed ;)
>
> A service account is the way to go, as you don't actually have a token yet, you're in the progress of creating one.
>
> On 30 September 2016 at 08:38, Aritz Maeztu wrote:
>
> I have implemented my own mapper to add extra info in the transformAccessToken method. However, to fill the extra fields I would like to use the access token itself to access a remote security endpoint which is secured. However, I don't see any way to retrieve the base64 encoded token from the org.keycloak.representations.AccessToken.java object.
>
> Currently my workaround is to access the remote endpoint using a service account, but I would like to take advantage of the token I already have.
>
> Is it possible?
>
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel. Aritz Maeztu: 948 68 03 06
> Tel. Secretariat: 948 21 40 40
>
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.

--
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretariat: 948 21 40 40

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.

From sthorger at redhat.com Fri Sep 30 03:10:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:10:01 +0200
Subject: [keycloak-user] Map group attributes to users
In-Reply-To:
References:
Message-ID:

That's already the case. Users inherit all attributes from the group. You need to add a protocol mapper to pull new attributes into the token though. Open your client in the admin console:

* Click on mappers
* Create
* Mapper type: user attribute
* Fill in name and token claim name with whatever you want. Select a suitable json type. Click on Add to access token and/or Add to ID token
* User Attribute: name of the attribute in the group
* Save

Now relogin to your app and the token should have the new claim in it.

On 19 September 2016 at 15:43, Uli SE wrote:

> Hi
>
> Is it possible to map group attributes to users of the group to see them in the users tokens?
>
> Thanks,
>
> Uli

From sthorger at redhat.com Fri Sep 30 03:10:40 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:10:40 +0200
Subject: [keycloak-user] API to map from Provider User ID to Keycloak User ID?
In-Reply-To:
References:
Message-ID:

Nope, you can create a JIRA for it though

On 19 September 2016 at 19:32, Chris Hairfield wrote:

> Is there an efficient API for obtaining the Keycloak User given an identity provider ID? For instance, Keycloak user ABC has linked to their Facebook account with provider id 123. Can we efficiently get from 123 to ABC?

From sthorger at redhat.com Fri Sep 30 03:11:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:11:34 +0200
Subject: [keycloak-user] SessionNotOnOrAfter Saml Attribute Support?
In-Reply-To:
References:
Message-ID:

Your PR makes the testsuite fail. There's also no new tests for the addition.

On 20 September 2016 at 22:25, Jared Blashka wrote:

> I ended up submitting https://github.com/keycloak/keycloak/pull/3250. Please take a look!
>
> Jared
>
> On Tue, Sep 20, 2016 at 2:36 PM, Jared Blashka wrote:
>
>> Saml spec allows for a SessionNotOnOrAfter attribute inside the AuthnStatement and I see some getters/setters for that attribute in AuthnStatementType.java, but it doesn't look like it gets invoked anywhere, so we can't actually use it.
>>
>> Were there any plans to give us a way to specify a value for this attribute, or just set it to the length of sso session max? I had some clients asking about it.
>>
>> Jared

From sthorger at redhat.com Fri Sep 30 03:15:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:15:20 +0200
Subject: [keycloak-user] Unable to configure client certificate
In-Reply-To: <3b2acbe8-caca-4ff6-ada4-450e0be15f2f@gmail.com>
References: <3b2acbe8-caca-4ff6-ada4-450e0be15f2f@gmail.com>
Message-ID:

Can you show the full code you use?

On 21 September 2016 at 14:57, abhishek raghav wrote:

> Hi Team,
>
> I am facing an issue while I am trying to set Client Authenticator as 'Signed JWT'. I am using Keycloak-admin.jar to do it.
>
> Here I am trying to automate the complete client creation work through a java program.
>
> ClientAttributeCertificateResource cacr = clientResource.getCertficateResource("jwt.credentials");
> byte[] mycert = cacr.generateAndGetKeystore(keyStoreConfig);
>
> Here keyStoreConfig is the config object which contains all the metadata required to generate the certificate e.g keystore password, format, alias name etc.
>
> I could successfully get the certificate generated and got it as a byte array and in the backend it is not configuring for the client.
>
> I am still seeing this:
>
> Even though value for Client Authenticator is set as Signed Jwt and same is getting updated in keycloak.json (under installation) as well.
>
> Code to set the authenticator is :
>
> client.setClientAuthenticatorType("client-jwt");
>
> Please
>
> *- Best Regards*
> Abhishek Raghav

From sthorger at redhat.com Fri Sep 30 03:18:42 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:18:42 +0200
Subject: [keycloak-user] Users experience multiple emails sent from Keycloak
In-Reply-To: <3DF645F2-D220-4FE2-8C52-AE611BCCFCD2@luminis.eu>
References: <3DF645F2-D220-4FE2-8C52-AE611BCCFCD2@luminis.eu>
Message-ID:

Can you identify what your annoyed users are actually doing? That would help in identifying a solution. If they are refreshing the page, would they not expect the mail to be re-sent? If they are going back/forth in the flow, why are they doing that? If it's something else I'd say it has a higher priority to be fixed.

You can feel free to create a JIRA enhancement request for this, but the more information you can give us about user behavior the better.

On 22 September 2016 at 19:28, Dick Eimers wrote:

> Hi,
>
> This issue seems to annoy quite a few of our users. It is hard to believe that we are the only ones. I'm looking for some fellow sufferers and hopefully share some ideas/workarounds..
>
> > On 20 Sep 2016, at 22:00, Dick Eimers wrote:
> >
> > Hi,
> >
> > We've got reports about users who received activation/login-action emails (sent by Keycloak) multiple times.
> > After doing a bit of investigation we found out that emails are sent as a side-effect of pages obtained using a GET request, which could be the cause of sending multiple emails.
> >
> > For example, after registration we hit a page at location:
> > /auth/realms//login-actions/required-action?code=
> > which also sends an email with the activation-link. Reloading this page results in the email being sent again (with a fresh code, invalidating the old one).
> >
> > So maybe users are refreshing the page unintentionally, or their (mobile) browser is. Or they could be using the back-button and again hit this page, which sends the request once again also resulting in a new mail.
> >
> > Is anyone else running into this? Should we create a new JIRA issue to fix/improve this?

From sthorger at redhat.com Fri Sep 30 03:25:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:25:35 +0200
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To:
References:
Message-ID:

"XML External Entity switches are not supported. You may get XML injection vulnerabilities." is just a warning and shouldn't have anything to do with the issue.

Try enabling trace logging for org.keycloak and see if you get any more details.

On 23 September 2016 at 14:52, Bill Kuntz wrote:

> Thanks.
>
> When we attempt to authenticate using keycloak 2.2.0_final, we get the following log entries on the Keycloak server:
>
> 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
> 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>         at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>         at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>         at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>         at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>         at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>         at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
>
> 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
>
> I have verified that the keys on the client match the server. Does the XML External Entities have something to do with this?
>
> Any help is appreciated.
>
> Thanks,
> Bill
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Thursday, September 08, 2016 2:31 AM
> *To:* Bill Kuntz
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>
> Not sure what they mean about "authentication sequence identical to a standard Shibboleth Identity Provider", but Keycloak is pretty configurable so it should be possible to adapt the SAML configuration for the client to make it work with EZProxy.
>
> On 1 September 2016 at 17:47, Bill Kuntz wrote:
>
> Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy.
>
> OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."
>
> Thanks,
> Bill

From sthorger at redhat.com Fri Sep 30 03:27:09 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:27:09 +0200
Subject: [keycloak-user] Token settings understanding
In-Reply-To: <998A0590001F9F439258F79A83C00FC506DDBDD9@srv1.geh.local>
References: <998A0590001F9F439258F79A83C00FC506DDBDD9@srv1.geh.local>
Message-ID:

Try hovering over the ? marks next to each of the settings in the admin console. If you still have questions, please ask a more specific question.

On 23 September 2016 at 14:53, Milosavljević, Nemanja <n.milosavljevic at qualitype.de> wrote:

> Hi,
>
> I've searched far and wide and I'm still not clear on the proper token settings setup and other use cases in which different setup could bring.
>
> Could someone please give me an example of what should be the keycloak/my-application behavior with the default setup?
>
> Thanks, Nemanja
> _____________________________________________________________
>
> *Nemanja Milosavljevic* | Front-end developer
>
> Phone + 49 351 8838 2809
> Email n.milosavljevic at qualitype.de
>
> Qualitype GmbH | Moritzburger Weg 67 | 01109 Dresden | Germany
> Fax +49 351 8838 2809 | Web www.qualitype.de
>
> Registered office: Dresden | Dresden District Court HRB 31753
> Managing Directors: Dr. Wilhelm Zürgiebel | Dr. Frank Götz
>
> The information in this email and any attachments is confidential and is intended for the addressee only. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return email.

From sthorger at redhat.com Fri Sep 30 03:30:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:30:47 +0200
Subject: [keycloak-user] Communication between Keycloak and Spring Security Adapter
In-Reply-To:
References:
Message-ID:

I'm not clued up on the Spring adapter, but in general the way it works is:

* Adapter redirects to KC
* User logs in KC
* KC redirects back with code
* Adapter exchanges code for token
* Once token expires, adapter sends refresh token request to KC

Any verification of the token is done by checking the signature (it's a JWS, not a JWT). Same goes if you use the token to invoke a service, the service can verify the token without invoking KC.

On 26 September 2016 at 21:42, Matt H wrote:

> Hi,
>
> I'm trying to get a better understanding of the communication between Keycloak and spring security client applications. If I'm understanding the authentication/authorization flow, it would be something like:
>
> 1. User (or client application) login to application
> 2. Spring security redirects to Keycloak
> 3. Keycloak verifies user and creates a JWT
> 4. Redirects user with JWT back to application
> 5. Verifies JWT
> 6. Sends response to client
>
> For step #5, verification: Does spring security verify the JWT locally, or is the token sent back to Keycloak for verification? I'm wondering how much "chatter" there is between Spring security and Keycloak for every request.
>
> If a user already has a non-expired JWT, does it just do steps 5-6 until it expires? Once it expires, it requests a new JWT from Keycloak?
>
> Thanks,
> Matt

From sthorger at redhat.com Fri Sep 30 03:57:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 09:57:54 +0200
Subject: [keycloak-user] Unable to get list of client level roles - available roles
In-Reply-To:
References:
Message-ID:

Default roles returns the roles of the client that are added to new users by default, not the available client roles. To see roles do:

getRealm().clients().get(clientRepresentation.getId()).roles().list()

On 27 September 2016 at 10:56, Jitendra Chouhan wrote:

> Hi,
>
> I am not able to get client level available roles in keycloak using keycloak-admin-client.jar. Please find sample code i am using to get client and then thought of getting available roles under a client.
>
> ClientsResource clientsResource = getRealm().clients();
> List<ClientRepresentation> clientsRepresentation = clientsResource.findByClientId(appName);
> clientRepresentation = clientsRepresentation.get(0);
> clientRepresentation.getDefaultRoles();
>
> With above code i am only getting default roles under a client but not all available roles as there is no method available in ClientResource class.
>
> Thanks,
> Jitendra Chouhan

From sthorger at redhat.com Fri Sep 30 04:00:16 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 30 Sep 2016 10:00:16 +0200
Subject: [keycloak-user] Keycloak Filters and Roles
In-Reply-To:
References:
Message-ID:

Is the "admin" role a realm role or client role? If it's a client role you need to set use-resource-role-mappings to true in keycloak.json. Also, does your user have the role and does the client have a scope on the role (or full scope enabled)?

On 27 September 2016 at 15:43, Rui Neves wrote:

> Hello,
>
> I am using a java servlet with keycloak filters, so no security constraints can be applied. I would like to know how can I block some HttpMethods for users of a certain role. I created roles in keycloak, I tried to define the auth-constraints within the security-constraints but it always returns error 403 Unauthorized.
>
> If I remove the auth constraint and security roles I am able to access the method. It seems that it is not recognizing keycloak roles or not mapping them between the servlet and keycloak.
> > I am blocking the method as shown below in the class: > > > @GET @Path("/get") @RolesAllowed("admin") @Produces(MediaType.TEXT_PLAIN) public String delU(@HeaderParam("user_id")) { > ...} > > > And I have the filters like the link below in the web.xml: > > https://keycloak.gitbooks.io/securing-client-applications- > guide/content/v/2.2/topics/oidc/java/servlet-filter-adapter.html > > > Best Regards > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Sep 30 04:06:10 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 30 Sep 2016 10:06:10 +0200 Subject: [keycloak-user] SAML attribute importer with multiple values In-Reply-To: References: Message-ID: Looks like a limitation of the user attribute importer: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/saml/mappers/UserAttributeMapper.java#L130 It simply picks the first value and uses that. You can create a JIRA feature request to have support for importing multi valued attributes. A PR for this would be great if you're up for it. If you need a solution quick you can create your own custom mapper. On 28 September 2016 at 11:04, Manuel Palacio wrote: > Hello, > > I am trying to process a SAML attribute with multiple values. > > To that end I have created a client mapper of type User Attribute with > "Multivalued" on. > > I also have an "attribute importer" mapper in the SAML v2.0 identity > provider. It points to user attribute name defined in the client mapper > mentioned above. > > Unfortunately, it is only mapping the first value into the access token. > > The attribute in the SAML response looks like this > > > value1 value2 < > AttributeValue>value3 > > In the access token only the first value appears as part of "otherClaims" > map.
> > What do I need to do in order to get all the values in the access token? > > Thanks > > /Manuel > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From gregor at jarisch.net Fri Sep 30 05:12:25 2016 From: gregor at jarisch.net (Gregor Jarisch) Date: Fri, 30 Sep 2016 11:12:25 +0200 Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in In-Reply-To: Message-ID: <2052473101-26976@kerio1.zmi.at> We tried login-required as well as check-sso. In case of a user logged in, it doesn't seem to do anything different. Stian, in fact, it seems to be as you described it. A logged on user loads the page and it gets redirected to keycloak and back again, then loads the website a second time. So twice. But why is this necessary? This is a bad UX experience and a performance loss as well. If the user is logged in, it should not redirect anywhere. Couldn't the js adapter simply make an XHR request to the keycloak server - as other js requests would do it - and only redirect in case the user isn't logged in? I believe that way would be much more user friendly (visually appealing in particular) and faster as well, because you don't have twice the loading time of your page. Am I missing something here or could this be improved that way? Gregor From: Stian Thorgersen To: Jess Sightler Cc: keycloak-user Sent: 30.09.2016 8:42 Subject: Re: [keycloak-user] Prevent JS Adapter from redirecting if already logged in With check-sso what should happen is: * keycloak.js checks session cookie. If no cookie it does nothing * If session cookie exists redirect to login page with prompt=none * If session is valid Keycloak redirects back to app with code and keycloak.js swaps the code * If session wasn't valid Keycloak redirects back to app With a logged-in user the app page should be loaded twice.
Once when first visited then a second time after the prompt=none redirect. Are you seeing the page being loaded twice or three times? On 29 September 2016 at 17:27, Jess Sightler wrote: > I am, and I believe that I have noticed this behavior as well. I get > redirected back to the app with "?prompt=none" appended to the URL. > > On 09/29/2016 10:16 AM, Sebastien Blanc wrote: > > Hi, > > Are you using > > keycloak.init({ onLoad: 'check-sso' }) ? > > > Sebi > > > > On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch > wrote: > >> Hi there, >> >> we have a single page application using the JS adapter. Once the user is >> logged in and a page redirect occurs, the SPA loads, but immediately >> reloads once again when keycloak adapter authenticates. >> Since the user was logged in before already, we would have assumed that >> no further page refresh has to be made. >> >> Interestingly, when we manually pass on all the token values in the init >> method (for testing purposes), the page doesn't refresh a second time and >> the user is authenticated. As we would have expected it to be. >> >> This might be just a misunderstanding of how this adapter is supposed to >> work, but from our understanding the purpose of the iframe and the set >> cookie is to make sure the user stays authenticated. >> Thus, shouldn't the keycloak adapter "store" the tokens and use them on a >> page refresh if they are valid in order to authenticate without the need >> for an additional page refresh? >> >> Would be nice if somebody can explain this mechanism a bit further and >> maybe even give a hint on what we are doing wrong here.. We are puzzled at >> the moment. 
>> >> Thanks >> >> Gregor >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Fri Sep 30 05:20:23 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 30 Sep 2016 11:20:23 +0200 Subject: [keycloak-user] Updating lastLogon in LDAP/AD from Keycloak when user is authenticated In-Reply-To: References: Message-ID: <50527406-fe23-bc37-4320-1c6904085af8@redhat.com> No, it's not supported OOTB. Also lastLogon is the Active Directory system attribute, so it can't be changed programmatically from Java (for example by adding custom attribute mapper). However what can work for you is maybe one of those possibilities: 1) Track lastLogon time in some other attribute either in Keycloak DB or in MSAD. You can create an EventListener, which will listen for LOGIN events and then update the attribute on user based on that. If you want to map that attribute to LDAP, you will also need LDAP UserAttributeMapper to map the attribute from keycloak user model into particular LDAP attribute. But maybe this means that you will also need to add custom LDAP attribute to your LDAP schema... Also note that always updating user attribute has performance implications (user is always removed from cache etc).
2) I've just played a bit and found that lastLogon attribute is automatically updated by MSAD, but just in case that there was unsuccessful login attempt of the particular user. This looks strange, but seems to work this way. At least in MSAD 2012 :-) So what you can do is an Authenticator implementation, which will first call LDAP authentication with some bad credentials before trying to login user with "real" credentials from login form. Bad thing is that "badPwdCount" MSAD attribute will contain more false login attempts than it really was, which may have consequences if you rely on MSAD password policies... 3) Check MSAD system logs, which seem to provide more proper tracking of last login than lastLogon attribute; according to http://stackoverflow.com/questions/18598287/updating-lastlogontimestamp-using-java-code there is a way to do it. None of the possibilities is probably ideal, but hope at least one of them can be useful for you. Marek On 30/09/16 09:04, Stian Thorgersen wrote: > Marek - this isn't supported at the moment right? > > On 19 September 2016 at 15:25, Edgar Vonk - Info.nl > wrote: > > Hi, > > We would like to have Keycloak update the lastLogon user attribute > in our Active Directory server whenever a user logs in to our > customer portal. > > Is it possible to do this from Keycloak? > > The portal is secured using Keycloak so behind the scenes the > Keycloak bind user is the one that authenticates the user in AD. > > The only thing we have now is the user session information in > Keycloak but that is not of much value to us because: > - in our situation AD is leading for all user data > - whenever we redeploy Keycloak (quite often) we empty out the > Keycloak database and start new by synching users from AD > - if I am not mistaken currently user session data is not stored > in the Keycloak database anyway?
> > cheers > > Edgar > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From sthorger at redhat.com Fri Sep 30 07:07:15 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 30 Sep 2016 13:07:15 +0200 Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in In-Reply-To: <2052473101-26976@kerio1.zmi.at> References: <2052473101-26976@kerio1.zmi.at> Message-ID: keycloak.js was primarily written aiming at a single-page app. For security reasons it doesn't store any security context information outside the window memory (single tab). So when you open a new tab or refresh the page you are not actually authenticated with the application, only with the Keycloak SSO server. Hence the need to do a redirect. That's how OAuth2 and OpenID Connect flows work and there's no support to retrieve tokens using XHR requests as that would make it rather insecure. You can however share the security context between tabs and page refreshes if you want. That's then a trade-off you make on usability vs security. We chose security by default in this case. To do that all you need to do is store the tokens in HTML5 storage and initialize keycloak.js with the tokens. If you do this I would be careful about what permissions the tokens have in case they are indeed leaked (don't give super privileges to this app for instance). On 30 September 2016 at 11:12, Gregor Jarisch wrote: > We tried login-required as well as check-sso. In case of a user logged in, > it doesn't seem to do anything different. > > Stian, in fact, it seems to be as you described it. A logged on user loads > the page and it gets redirected to keycloak and back again, then loads the > website a second time. So twice. > But why is this necessary? This is a bad UX experience and a performance > loss as well. If the user is logged in, it should not redirect anywhere.
> > Couldn't the js adapter simple make an XHR request to the keycloak server > - as other js requests would do it - and only redirect in case the user > isn't logged in? > I believe that way would be much more user friendly (visually appealing in > particular) and faster as well, because you don't have twice the loading > time of your page. > > Am I missing something here or could this be improved that way? > > Gregor > > > > From: Stian Thorgersen > To: Jess Sightler > Cc: keycloak-user > Sent: 30.09.2016 8:42 > Subject: Re: [keycloak-user] Prevent JS Adapter from redirecting if > already logged in > > With check-sso what should happen is: > > * keycloak.js checks session cookie. If no cookie it does nothing > * If session cookie exists redirect to login page with prompt=none > * If session is valid Keycloak redirects back to app with code and > keycloak.js swaps the code > * If session wasn't valid Keycloak redirects back to app > > With a logged-in user the app page should be loaded twice. Once when first > visited then a second time after the prompt=none redirect. Are you seeing > the page being loaded twice or three times? > > On 29 September 2016 at 17:27, Jess Sightler wrote: > > > I am, and I believe that I have noticed this behavior as well. I get > > redirected back to the app with "?prompt=none" appended to the URL. > > > > On 09/29/2016 10:16 AM, Sebastien Blanc wrote: > > > > Hi, > > > > Are you using > > > > keycloak.init({ onLoad: 'check-sso' }) ? > > > > > > Sebi > > > > > > > > On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch > > wrote: > > > >> Hi there, > >> > >> we have a single page application using the JS adapter. Once the user is > >> logged in and a page redirect occurs, the SPA loads, but immediately > >> reloads once again when keycloak adapter authenticates. > >> Since the user was logged in before already, we would have assumed that > >> no further page refresh has to be made. 
> >> > >> Interestingly, when we manually pass on all the token values in the init > >> method (for testing purposes), the page doesn't refresh a second time > and > >> the user is authenticated. As we would have expected it to be. > >> > >> This might be just a misunderstanding of how this adapter is supposed to > >> work, but from our understanding the purpose of the iframe and the set > >> cookie is to make sure the user stays authenticated. > >> Thus, shouldn't the keycloak adapter "store" the tokens and use them on > a > >> page refresh if they are valid in order to authenticate without the need > >> for an additional page refresh? > >> > >> Would be nice if somebody can explain this mechanism a bit further and > >> maybe even give a hint on what we are doing wrong here.. We are puzzled > at > >> the moment. > >> > >> Thanks > >> > >> Gregor > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > > > _______________________________________________ > > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps:// > lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From gregor at jarisch.net Fri Sep 30 07:26:04 2016 From: gregor at jarisch.net (Gregor Jarisch) Date: Fri, 30 Sep 2016 13:26:04 +0200 Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in 
In-Reply-To: Message-ID: <2060626445-34129@kerio1.zmi.at> I totally understand the security first approach and fully agree with having it as default behavior. Nonetheless, it would be nice if the adapter supported storing the security context with an optional parameter, if one needs it this way and understands the trade-off. In the end, having a clean solution implemented that works is definitely better than hacking this by oneself and maybe thus opening up a serious security vulnerability. Would that be an option for you guys, allowing this behavior with an optional configuration of the adapter? From: Stian Thorgersen To: Gregor Jarisch Cc: keycloak-user Sent: 30.09.2016 13:07 Subject: Re: [keycloak-user] Prevent JS Adapter from redirecting if already logged in keycloak.js was primarily written aiming at a single-page app. For security reasons it doesn't store any security context information outside the window memory (single tab). So when you open a new tab or refresh the page you are not actually authenticated with the application, only with the Keycloak SSO server. Hence the need to do a redirect. That's how OAuth2 and OpenID Connect flows work and there's no support to retrieve tokens using XHR requests as that would make it rather insecure. You can however share the security context between tabs and page refreshes if you want. That's then a trade-off you make on usability vs security. We chose security by default in this case. To do that all you need to do is store the tokens in HTML5 storage and initialize keycloak.js with the tokens. If you do this I would be careful about what permissions the tokens have in case they are indeed leaked (don't give super privileges to this app for instance). On 30 September 2016 at 11:12, Gregor Jarisch wrote: We tried login-required as well as check-sso. In case of a user logged in, it doesn't seem to do anything different. Stian, in fact, it seems to be as you described it.
A logged on user loads the page and it gets redirected to keycloak and back again, then loads the website a second time. So twice. But why is this necessary? This is a bad UX experience and a performance loss as well. If the user is logged in, it should not redirect anywhere. Couldn't the js adapter simply make an XHR request to the keycloak server - as other js requests would do it - and only redirect in case the user isn't logged in? I believe that way would be much more user friendly (visually appealing in particular) and faster as well, because you don't have twice the loading time of your page. Am I missing something here or could this be improved that way? Gregor From: Stian Thorgersen To: Jess Sightler Cc: keycloak-user Sent: 30.09.2016 8:42 Subject: Re: [keycloak-user] Prevent JS Adapter from redirecting if already logged in With check-sso what should happen is: * keycloak.js checks session cookie. If no cookie it does nothing * If session cookie exists redirect to login page with prompt=none * If session is valid Keycloak redirects back to app with code and keycloak.js swaps the code * If session wasn't valid Keycloak redirects back to app With a logged-in user the app page should be loaded twice. Once when first visited then a second time after the prompt=none redirect. Are you seeing the page being loaded twice or three times? On 29 September 2016 at 17:27, Jess Sightler wrote: > I am, and I believe that I have noticed this behavior as well. I get > redirected back to the app with "?prompt=none" appended to the URL. > > On 09/29/2016 10:16 AM, Sebastien Blanc wrote: > > Hi, > > Are you using > > keycloak.init({ onLoad: 'check-sso' }) ? > > > Sebi > > > > On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch > wrote: > >> Hi there, >> >> we have a single page application using the JS adapter. Once the user is >> logged in and a page redirect occurs, the SPA loads, but immediately >> reloads once again when keycloak adapter authenticates.
>> Since the user was logged in before already, we would have assumed that >> no further page refresh has to be made. >> >> Interestingly, when we manually pass on all the token values in the init >> method (for testing purposes), the page doesn't refresh a second time and >> the user is authenticated. As we would have expected it to be. >> >> This might be just a misunderstanding of how this adapter is supposed to >> work, but from our understanding the purpose of the iframe and the set >> cookie is to make sure the user stays authenticated. >> Thus, shouldn't the keycloak adapter "store" the tokens and use them on a >> page refresh if they are valid in order to authenticate without the need >> for an additional page refresh? >> >> Would be nice if somebody can explain this mechanism a bit further and >> maybe even give a hint on what we are doing wrong here.. We are puzzled at >> the moment. >> >> Thanks >> >> Gregor >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From jan at odise.de Fri Sep 30 09:26:10 2016 From: jan at odise.de (Jan Nabbefeld) Date: Fri, 30 Sep 2016 15:26:10 +0200 Subject: [keycloak-user] IP access control for /auth/admin/master/console/ Message-ID: 
Hi, I'm currently struggling while setting up an IP based access control filter to protect the path /auth/admin/master/console/. My Kc cluster runs in AWS with EC2 instances managed in an autoscaling group (subnet 172.31.0.0/16). The relevant part of the standalone-ha.xml looks like that: --> ip-access-control(default-allow=false, acl={'127.0.0.1 allow', '172.31.0.0/16 allow', '62.96.159.233 allow'})"/> With this configuration I can access the admin console only if I connect to the instance itself bypassing the load-balancer. Requests hitting the endpoint via the load-balancer have all X-Forwarded-* headers set. Here is an example for GET /auth/admin which responds 302 to /auth/admin/master/console/. Finally this results in a 403 (the request isn't logged by the RequestDumpingHandler): ----------------------------REQUEST--------------------------- URI=/auth/admin characterEncoding=null contentLength=-1 contentType=null header=Accept=*/* header=Connection=keep-alive header=X-Forwarded-Proto=http header=X-Forwarded-Port=80 header=X-Forwarded-For=62.96.159.233 header=User-Agent=curl/7.43.0 header=host=login.dev.scoober.com locale=[] method=GET protocol=HTTP/1.1 queryString= remoteAddr=62.96.159.233:0 remoteHost=62.96.159.233 scheme=http host=login.dev.scoober.com serverPort=8080 --------------------------RESPONSE-------------------------- contentLength=0 contentType=null header=Connection=keep-alive header=Location=http://login.dev.scoober.com/auth/admin/master/console/ header=Content-Length=0 header=Date=Fri, 30 Sep 2016 13:07:16 GMT status=302 I assume that undertow is somehow blocking the X-Forwarded-* requests and doesn't accept the remoteAddr as part of the ip-access-control ACL (as this works with direct requests). $ curl -LIv localhost:8080/auth/admin/master/console/ * Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0) > HEAD /auth/admin/master/console/ HTTP/1.1 > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Cache-Control: no-cache Cache-Control: no-cache < X-Frame-Options: SAMEORIGIN X-Frame-Options: SAMEORIGIN < Content-Security-Policy: frame-src 'self' Content-Security-Policy: frame-src 'self' < Date: Fri, 30 Sep 2016 13:19:15 GMT Date: Fri, 30 Sep 2016 13:19:15 GMT < Connection: keep-alive Connection: keep-alive < X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff < Content-Type: text/html;charset=utf-8 Content-Type: text/html;charset=utf-8 < Content-Length: 0 Content-Length: 0 < Content-Language: en Content-Language: en < * Connection #0 to host localhost left intact Setting the header: $ curl -LIv -H "X-Forwarded-For: 172.31.19.199" localhost:8080/auth/admin/master/console/ * Trying 127.0.0.1... * Connected to localhost (127.0.0.1) port 8080 (#0) > HEAD /auth/admin/master/console/ HTTP/1.1 > User-Agent: curl/7.40.0 > Host: localhost:8080 > Accept: */* > X-Forwarded-For: 172.31.19.199 > < HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden < Connection: keep-alive Connection: keep-alive < Content-Length: 74 Content-Length: 74 < Content-Type: text/html Content-Type: text/html < Date: Fri, 30 Sep 2016 13:19:10 GMT Date: Fri, 30 Sep 2016 13:19:10 GMT < * Connection #0 to host localhost left intact Any idea to solve this? Is there any other/better way to prevent the master realm console being publicly available? Thanks in advance, Jan From josh.cain at redhat.com Fri Sep 30 11:29:20 2016 From: josh.cain at redhat.com (Josh Cain) Date: Fri, 30 Sep 2016 10:29:20 -0500 Subject: [keycloak-user] Custom Adapter Logout logic In-Reply-To: References: Message-ID: What would you recommend for this on the IDP side? I know we can hook into events, but doing operations with the response in an EventListenerProvider just feels wrong.
What's more, on the IDP side I wouldn't want to touch the Keycloak deployment descriptors. Josh Cain | Software Applications Engineer *Identity and Access Management* *Red Hat* +1 256-452-0150 On Tue, Sep 20, 2016 at 3:00 AM, Stian Thorgersen wrote: > Could you use a HttpSessionListener? > > On 15 September 2016 at 23:16, Jared Blashka wrote: > >> Is it currently possible to hook into the adapter's logout logic to >> trigger some custom behavior without interrupting the logout flow? >> >> For example, if I want to audit logout activity on a particular SP or >> delete some cookies (if it was a front-channel logout request) without >> stopping the normal federated logout process. >> >> Jared >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Patrick.Boe at smartstream-stp.com Fri Sep 30 14:55:43 2016 From: Patrick.Boe at smartstream-stp.com (Patrick Boe) Date: Fri, 30 Sep 2016 18:55:43 +0000 Subject: [keycloak-user] migrate-json operation produces WFLYCTL0212: Duplicate resource Message-ID: <1475261743121.14584@smartstream-stp.com> Hello, I'm not sure if I'm invoking this incorrectly, but I could use some help diagnosing an error I get when attempting to upgrade my Keycloak installation from 2.0.0 to 2.2.1. 
When, from the root of my new keycloak installation, I do: > .\bin\jboss-cli.bat [disconnected /] embed-server --server-config=standalone.xml [standalone at embedded /] /subsystem=keycloak-server:migrate-json I get the following error: { "outcome" => "failed", "failure-description" => "WFLYCTL0212: Duplicate resource [ (\"subsystem\" => \"keycloak-server\"), (\"theme\" => \"defaults\") ]", "rolled-back" => true } Does anyone have some advice on how to resolve this, or suggestions as to what I may have misconfigured? Best, Patrick Boe ________________________________ The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. From Patrick.Boe at smartstream-stp.com Fri Sep 30 15:39:53 2016 From: Patrick.Boe at smartstream-stp.com (Patrick Boe) Date: Fri, 30 Sep 2016 19:39:53 +0000 Subject: [keycloak-user] migrate-json operation produces WFLYCTL0212: Duplicate resource In-Reply-To: <1475261743121.14584@smartstream-stp.com> References: <1475261743121.14584@smartstream-stp.com> Message-ID: <1475264393988.59394@smartstream-stp.com> I resolved this by first copying standalone.xml from the previous (2.0.0) installation into the new installation, then running the migrate-json task. I also had to copy the .db files from the standalone/data directory of the old to the new. These are both steps not listed in https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/MigrationFromOlderVersions.html. Should I file a bug about this? Did I actually do the right thing? 
Patrick Boe ________________________________ From: Patrick Boe Sent: Friday, September 30, 2016 2:55 PM To: keycloak-user at lists.jboss.org Subject: migrate-json operation produces WFLYCTL0212: Duplicate resource Hello, I'm not sure if I'm invoking this incorrectly, but I could use some help diagnosing an error I get when attempting to upgrade my Keycloak installation from 2.0.0 to 2.2.1. When, from the root of my new keycloak installation, I do: > .\bin\jboss-cli.bat [disconnected /] embed-server --server-config=standalone.xml [standalone at embedded /] /subsystem=keycloak-server:migrate-json I get the following error: { "outcome" => "failed", "failure-description" => "WFLYCTL0212: Duplicate resource [ (\"subsystem\" => \"keycloak-server\"), (\"theme\" => \"defaults\") ]", "rolled-back" => true } Does anyone have some advice on how to resolve this, or suggestions as to what I may have misconfigured? Best, Patrick Boe ________________________________ The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. From srossillo at smartling.com Fri Sep 30 16:50:01 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Fri, 30 Sep 2016 16:50:01 -0400 Subject: [keycloak-user] iOS App login with Keycloak In-Reply-To: References: Message-ID: Yes this is easily done on both platforms using custom URLs to handle the successful login response and then do code to token in the application. + 1 for using the browser Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Sep 30, 2016, at 3:03 AM, Stian Thorgersen wrote: > > +1 Using the system browser is the proper way. 
SSO and everything ;) > > Not sure keycloak.js does it properly though as it doesn't have support for SSO AFAIK? > > On 29 September 2016 at 12:14, Sebastien Blanc > wrote: > Let's be careful with using Webviews, for instance, Google will soon block any OAuth interactions that use the webviews ( https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html ) , instead they recommend using the mobile browser. For Cordova apps, keycloak.js already works with inappbrowser that opens an "external" browser, isolated from the app. > > On Thu, Sep 29, 2016 at 11:35 AM, Stian Thorgersen > wrote: > I highly recommend using an embedded webview and not using native login and direct grant api. That is best practice both for Keycloak and OIDC in general. > > On 26 September 2016 at 05:21, Joey > wrote: > Thanks Guys, sorry for replying so late. I will try your solutions later. thanks. > > On Thu, Sep 22, 2016 at 8:39 PM, Thomas Darimont > > wrote: > > Hello, > > > > I adapted an Android based OpenID Connect Demo Application to work with > > Keycloak. > > In Keycloak I created a confidential client with direct access grants as > > Scott described. > > > > https://github.com/thomasdarimont/android-openid-connect/tree/feature/keycloak-oidc-demo > > See the recent commits in the feature/keycloak-oidc-demo branch. > > > > Cheers, > > Thomas > > > > 2016-09-22 13:57 GMT+02:00 Scott Rossillo >: > >> > >> You can do that using direct access grants if you search the docs for it. > >> However, we have native apps and just skinned our login pages to be > >> responsive and look great on mobile. > >> > >> The latter option is a better approach especially if you plan to implement > >> 2FA. > >> > >> On Thu, Sep 22, 2016 at 6:27 AM Joey > wrote: > >>> > >>> Hi Guys, > >>> > >>> We are building a system, including 3 subsystems for a big website. > >>> and iOS and Android app.
We use KeyCloak as the SSO server for all > >>> subsystems, and then we also want to use KeyCloak for iOS and Android > >>> as the login server. But for iOS, Android we want to use native login > >>> page not the html page provided by KeyCloak adapter. But I read all > >>> documents and discussions, and I didn't find a way to implement it. > >>> Can anybody help me? Thanks. > >>> > >>> > >>> Joey > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > >