[keycloak-user] Setting up a Keycloak Domain Cluster
Stian Thorgersen
sthorger at redhat.com
Mon Sep 26 09:06:12 EDT 2016
I think that's pretty self explanatory. Token is issued by
'http://slaveKCInstance.ourcompanyname.com:8230', while the adapter is
expecting 'http://masterKCInstance.ourcompanyname.com:8230'. You need a
load balancer in front of your nodes so the applications talk to
"https://kc.ourcompany.com".
On 22 September 2016 at 23:04, i.pop at centurylink.net <i.pop at centurylink.net> wrote:
> Additional info to make my case clearer. This is what I get from my
> targeted microservice process log:
> org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices, but URL from configuration is http://masterKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices
>     at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49)
>     at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
>     at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>     at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65)
>     at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:137)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
>
> Do I need to change the configuration of my SecurityConfig class (which
> has the current implementation: public class SecurityConfig extends
> KeycloakWebSecurityConfigurerAdapter)?
> Thanks,
> ioan
>
> ------------------------------
> From: "i pop" <i.pop at centurylink.net>
> To: stian at redhat.com
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, September 22, 2016 1:45:55 PM
> Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster
>
> Thank you Stian for your message. I have gotten the cluster working in
> the domain mode (just two nodes: master & slave):
> MASTER NODE LOG:
> [Server:server-one] 12:33:37,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,master:server-one) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
> [Server:server-one] 12:33:38,411 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t6) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[master:server-one: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one: 30, slave1:server-two: 30]}, unionCH=null, actualMembers=[master:server-one, slave1:server-two]}
> [Server:server-one] 12:33:38,419 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
> SLAVE NODE LOG:
> [Server:server-two] 12:33:38,179 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
> THE ISSUE IS NOW how to test this working cluster. It looks like the
> content of the Keycloak string pattern generated by the master's Keycloak
> instance (and added to each microservice's keycloak.json file) HAS NOT
> CHANGED: I still get the same "auth-server-url" info as before, when I
> did not have a working cluster; no reference to the other node members of
> the working cluster:
> {
>   "realm": "SearchMicroservices",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh",
>   "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
>   "ssl-required": "external",
>   "resource": "LDAPSearch-Microservice",
>   "credentials": {
>     "secret": "235b2960-1b6f-48bd-a5c4-069b5fc5cc16"
>   },
>   "use-resource-role-mappings": true
> }
>
> If I stop the Keycloak instance running on the master node (from the
> WildFly management interface) and I send a client search request message
> to one of my running applications registered in the realm as clients, I was
> expecting the request to be redirected by the load-balancer to the
> running slave Keycloak instance (node: "http://slaveKCInstance.ourcompanyname.com:8230/auth"),
> get a valid access_token from it, then my client request message (along
> with the generated bearer token) sent to my targeted resource should get a
> response message. It does not happen like this. What I get is this:
> {"path":"\/v1\/ldap\/DBResource\/resourceName","error":"Unauthorized","message":"Unable to authenticate bearer token","timestamp":1474566606034,"status":401}
> The same outcome as described in my initial message sent to you. Can you
> please tell me what is wrong in my testing procedure?
> Thanks,
> Ioan
>
> ------------------------------
> From: "Stian Thorgersen" <sthorger at redhat.com>
> To: "i pop" <i.pop at centurylink.net>
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Tuesday, September 20, 2016 3:03:09 AM
> Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster
>
> Doesn't sound like you have a working clustering setup. Please take a look
> at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html.
>
> On 18 September 2016 at 04:15, i.pop at centurylink.net <i.pop at centurylink.net> wrote:
>
>> Hi,
>> I work on a POC to use Keycloak to secure a set of microservices (Java
>> Spring Boot & Gradle projects).
>> I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master
>> running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have
>> installed a shared (MySql) db to replace the embedded H2 db.
>> I have configured a Keycloak Domain Mode cluster using the Keycloak
>> documentation "Server Installation and Configuration Guide".
>> 1. I have logged on to the master keycloak server and configured my new
>> Realm that has my microservice processes as clients. I have added
>> roles, users, groups, etc. The realm configuration of the master keycloak
>> instance got replicated on the slave instances (I can see the cluster
>> running when logging on to the WildFly Management Interface).
>> 2. I have added to all microservice java projects the keycloak securing
>> code:
>> 2.1 Created a keycloak.json file whose content was generated by the
>> MASTER keycloak server (Client's "Installation" utility)
>> 2.2 Added to the project's Application class a system property, to
>> target the keycloak.json file generated by the MASTER keycloak
>> instance: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
>> 2.3 Created a new config package class: public class
>> SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
>> 2.4 Added to the build.gradle file the keycloak spring security adapter
>> compilation:
>> compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
>> Note. I have compared the content of the json format code generated by
>> the Client "Installation" utility of the slave instances against the master
>> instance and, THE ONLY DIFFERENCE is the "auth-server-url" line
>> (having the specific node URL address)
>> 3. Now, I want to do the test of accessing particular resources of my
>> microservice applications (additional info: I did not implement any
>> load-balancer in front of the keycloak cluster):
>> I have created a simple java program that uses a Basic Authorization
>> procedure to get an access token, and then uses this token to send request
>> messages to my microservice application and get the expected response
>> messages.
>> - When I use the MASTER instance's authorization endpoint to get an
>> access token, I get the expected response message (because, I presume, my
>> microservice application's attached keycloak.json file has HARDCODED content
>> generated by the MASTER instance & containing the MASTER's authorization
>> endpoint).
>> - When I use either SLAVE keycloak instance's authorization & token
>> generation endpoint to generate an access token, my request fails with a
>> 401 error: "Unable to authenticate bearer token"
>> I believe or feel I use a wrong approach to solve my problem. My
>> microservice applications (at this time) DO NOT KNOW anything about whether I
>> use a domain mode cluster or a simple standalone keycloak
>> instance (the attached keycloak.json file has ONLY one keycloak instance's
>> (MASTER's) "auth-server-url" info).
>> Here, I need your help to enlighten me. Is there another approach to
>> handle my problem? There should be, otherwise why write about Domain Mode in
>> the Keycloak Release documentation. Unfortunately, I have not found (yet)
>> detailed info on how to configure a Keycloak Domain Cluster and how to do
>> test simulations with it. I would appreciate any help on this issue.
>> Thanks,
>> Ioan
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
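As an added example (not from this thread and not Keycloak's own adapter code), a small Python check that reproduces the issuer comparison behind the VerificationException quoted above: the adapter derives the issuer it will accept from keycloak.json's "auth-server-url" and "realm", so a token issued through any other hostname is rejected, and only when every node is reached through one shared front-end URL (the load balancer Stian recommends) do both nodes' tokens pass. The config and tokens here are constructed sample data, and the JWT signature is not verified.

```python
import base64
import json

# Constructed sample adapter config, shaped like the keycloak.json quoted in the
# thread (key and secret omitted; only the fields used by the issuer check).
ADAPTER_CONFIG = {
    "realm": "SearchMicroservices",
    "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
    "resource": "LDAPSearch-Microservice",
}


def expected_issuer(config):
    """Issuer the adapter accepts: <auth-server-url>/realms/<realm>."""
    return config["auth-server-url"].rstrip("/") + "/realms/" + config["realm"]


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(token):
    """Read the 'iss' claim from a JWT payload (signature NOT checked; demo only)."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return payload.get("iss")


def check_issuer(token, config):
    """Mimic the adapter's check: (matches, issuer_in_token, issuer_expected)."""
    iss, exp = token_issuer(token), expected_issuer(config)
    return iss == exp, iss, exp


def make_unsigned_token(issuer):
    """Build a constructed JWT carrying the given issuer, with an empty signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc({"iss": issuer, "sub": "demo-user"}) + "."


if __name__ == "__main__":
    slave_iss = "http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices"
    print(check_issuer(make_unsigned_token(slave_iss), ADAPTER_CONFIG))       # rejected
    print(check_issuer(make_unsigned_token(expected_issuer(ADAPTER_CONFIG)), ADAPTER_CONFIG))
    # With a single front-end URL, adapter config and both nodes agree on the issuer.
    front = dict(ADAPTER_CONFIG, **{"auth-server-url": "https://kc.ourcompany.com/auth"})
    print(check_issuer(make_unsigned_token(expected_issuer(front)), front))    # accepted
```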