[keycloak-user] Setting up a Keycloak Domain Cluster

Stian Thorgersen sthorger at redhat.com
Mon Sep 26 09:06:12 EDT 2016


I think that's pretty self-explanatory. The token is issued by
'http://slaveKCInstance.ourcompanyname.com:8230', while the adapter is
expecting 'http://masterKCInstance.ourcompanyname.com:8230'. You need a
load balancer in front of your nodes so the applications talk to
"https://kc.ourcompany.com".

On 22 September 2016 at 23:04, i.pop at centurylink.net <i.pop at centurylink.net>
wrote:

> Additional info to make my case clearer. This is what I get from my
> targeted microservice process log:
> org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices, but URL from configuration is http://masterKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices
> at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49)
> at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65)
> at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:137)
> at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
>
> Do I need to change the configuration of my SecurityConfig class (whose
> current implementation is public class SecurityConfig extends
> KeycloakWebSecurityConfigurerAdapter)?
> Thanks,
> ioan
>
> ------------------------------
> From: "i pop" <i.pop at centurylink.net>
> To: stian at redhat.com
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, September 22, 2016 1:45:55 PM
>
> Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster
>
>
> Thank you Stian for your message. I have gotten the cluster working in
> domain mode (just two nodes: master & slave):
> MASTER NODE LOG:
> [Server:server-one] 12:33:37,761 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,master:server-one) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
> [Server:server-one] 12:33:38,411 INFO  [org.infinispan.CLUSTER] (remote-thread--p8-t6) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[master:server-one: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one: 30, slave1:server-two: 30]}, unionCH=null, actualMembers=[master:server-one, slave1:server-two]}
> [Server:server-one] 12:33:38,419 INFO  [org.infinispan.CLUSTER] (remote-thread--p8-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
> SLAVE NODE LOG:
> [Server:server-two] 12:33:38,179 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
> THE ISSUE IS NOW how to test this working cluster. It looks like the
> content of the Keycloak string pattern generated by the master's Keycloak
> instance (and added to each microservice's keycloak.json file) HAS NOT
> CHANGED: I still get the same "auth-server-url" info as before, when I
> did not have a working cluster; no reference to the other node members of
> the working cluster:
> {
>   "realm": "SearchMicroservices",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh",
>   "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
>   "ssl-required": "external",
>   "resource": "LDAPSearch-Microservice",
>   "credentials": {
>     "secret": "235b2960-1b6f-48bd-a5c4-069b5fc5cc16"
>   },
>   "use-resource-role-mappings": true
> }
>
> If I stop the Keycloak instance running on the master node (from the
> WildFly management interface) and send a client search request message
> to one of my running applications registered in the realm as clients, I was
> expecting the request to be redirected by the load-balancer to the
> running slave Keycloak instance (node: "http://slaveKCInstance.ourcompanyname.com:8230/auth"),
> get a valid access_token from it, and then my client request message
> (along with the generated bearer token) sent to my targeted resource should
> get a response message. It does not happen like this. What I get is this:
> {"path":"\/v1\/ldap\/DBResource\/resourceName","error":"Unauthorized","message":"Unable to authenticate bearer token","timestamp":1474566606034,"status":401}
> The same outcome as described in my initial message sent to you. Can you
> please tell me what is wrong in my testing procedure?
> Thanks,
> Ioan
>
> ------------------------------
> From: "Stian Thorgersen" <sthorger at redhat.com>
> To: "i pop" <i.pop at centurylink.net>
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Tuesday, September 20, 2016 3:03:09 AM
> Subject: Re: [keycloak-user] Setting up a Keycloak Domain Cluster
>
> Doesn't sound like you have a working clustering setup. Please take a look
> at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html.
>
> On 18 September 2016 at 04:15, i.pop at centurylink.net <
> i.pop at centurylink.net> wrote:
>
>> Hi,
>> I work on a POC to use Keycloak to secure a set of microservices (Java
>> Spring Boot & Gradle projects).
>> I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master
>> running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have
>> installed a shared (MySql) db to replace the embedded H2 db.
>> I have configured a Keycloak Domain Mode cluster using the Keycloak
>> documentation "Server Installation and Configuration Guide".
>> 1. I have logged on to the master Keycloak server and configured my new
>> Realm that has my microservice processes as clients. I have added
>> roles, users, groups, etc. The realm configuration of the master Keycloak
>> instance got replicated on the slave instances (I can see the cluster
>> running when logging on to the WildFly Management Interface).
>> 2. I have added the Keycloak securing code to all microservice Java
>> projects:
>>     2.1 Created a keycloak.json file whose content was generated by the
>> MASTER Keycloak server (Client's "Installation" utility)
>>     2.2 Added to the project's Application class a system property to
>> target the keycloak.json file generated by the MASTER Keycloak
>> instance: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
>>     2.3 Created a new class in the config package: public class
>> SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
>>     2.4 Added the Keycloak Spring Security adapter dependency to the
>> build.gradle file:
>>            compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
>>   Note. I have compared the content of the JSON generated by
>> the Client "Installation" utility of the slave instances against the master
>> instance and THE ONLY DIFFERENCE is the "auth-server-url" line
>> (having the specific node URL address).
>> 3. Now, I want to test accessing particular resources of my
>> microservice applications (additional info: I did not implement any
>> load-balancer in front of the Keycloak cluster):
>>      I have created a simple Java program that uses a Basic Authorization
>> procedure to get an access token, and then uses this token to send request
>> messages to my microservice application and get the expected response
>> messages.
>>    - When I use the MASTER instance's authorization endpoint to get an
>> access token, I get the expected response message (because, I presume, the
>> keycloak.json file attached to my microservice application has HARDCODED
>> content generated by the MASTER instance & containing the MASTER's
>> authorization endpoint).
>>     - When I use either SLAVE Keycloak instance's authorization & token
>> generation endpoint to generate an access token, my request fails with a
>> 401 error: "Unable to authenticate bearer token"
>> I believe or feel I use a wrong approach to solve my problem. My
>> microservice applications (at this time) DO NOT KNOW anything about whether I
>> use a domain mode cluster or a simple standalone Keycloak instance (the
>> attached keycloak.json file has ONLY one Keycloak instance's (the
>> MASTER's) "auth-server-url" info).
>> Here, I need your help to enlighten me. Is there another approach to
>> handle my problem? There should be, otherwise why write about Domain Mode in
>> the Keycloak release documentation. Unfortunately, I have not found (yet)
>> detailed info on how to configure a Keycloak Domain Cluster and how to do
>> test simulations with it. I would appreciate any help on this issue.
>> Thanks,
>> Ioan
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
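The issuer check behind the VerificationException quoted in this thread, reconstructed as an added Python example (not Keycloak's or the adapter's code): it derives the issuer the adapter expects from keycloak.json's "auth-server-url" and "realm", compares it with the token's iss claim, and shows why a token minted by slaveKCInstance is rejected by a config pointing at masterKCInstance while one shared load-balancer URL on both sides makes the check agree. The tokens are constructed and unsigned, so this demonstrates only the issuer comparison; a real adapter also verifies the signature and expiry.

```python
import base64
import json

# Constructed adapter config, modelled on the keycloak.json quoted in the thread
# (public key, secret and other keys omitted; only issuer-relevant fields kept).
ADAPTER_CONFIG = {
    "realm": "SearchMicroservices",
    "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
}

def expected_issuer(config):
    """Issuer the adapter expects: <auth-server-url>/realms/<realm>, tolerating a trailing slash."""
    base = config["auth-server-url"].rstrip("/")
    return f"{base}/realms/{config['realm']}"

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_issuer(jwt):
    """Read the iss claim of a compact JWT. The signature is NOT verified here: diagnosis only."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))["iss"]

def check_issuer(jwt, config):
    """Return (ok, message); the message mirrors the adapter's mismatch error wording."""
    got, want = token_issuer(jwt), expected_issuer(config)
    if got == want:
        return True, "token issuer matches adapter configuration"
    return False, (f"Token audience doesn't match domain. Token issuer is {got}, "
                   f"but URL from configuration is {want}")

def make_unsigned_token(issuer):
    """Build a constructed JWT for demonstration; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": "LDAPSearch-Microservice", "typ": "Bearer"}
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"

if __name__ == "__main__":
    # A token minted by each node names that node's own URL as issuer, so only the master's passes.
    for node in ("masterKCInstance", "slaveKCInstance"):
        tok = make_unsigned_token(f"http://{node}.ourcompanyname.com:8230/auth/realms/SearchMicroservices")
        print(node, check_issuer(tok, ADAPTER_CONFIG))
    # Behind a load balancer, nodes and adapter share one public URL and the check agrees.
    lb_config = {"realm": "SearchMicroservices", "auth-server-url": "https://kc.ourcompany.com/auth"}
    print("lb", check_issuer(make_unsigned_token(expected_issuer(lb_config)), lb_config))
```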