From: Anton.Arntz at planonsoftware.com (Anton Arntz)
Date: Tue, 1 Aug 2017 09:47:49 +0000
Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive

We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random.
Tried to look into memory, CPU load and disk usage of the specific OpenShift gear and gone through all of the logs, but nothing out of the ordinary could be found.
Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to log in anymore.
Has anyone experienced the same with this KeyCloak version?

Kind regards,
Anton Arntz

From: horizn at wp.pl (K K)
Date: Tue, 01 Aug 2017 16:27:57 +0200
Subject: [keycloak-user] DB from MongoDB to PostgreSQL migration, how?
Message-ID: <59808fed1bc021.19994583@wp.pl>

Hi,
I am struggling with Keycloak migration from version 1.9.8 to the latest one. Currently I am at 2.4.0 and still MongoDB. Is there any built-in tool to migrate MongoDB db to PostgreSQL?

I have tried import and then export, but it doesn't work or I made a mistake somewhere.
From: bburke at redhat.com (Bill Burke)
Date: Tue, 1 Aug 2017 10:30:48 -0400
Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
Message-ID: <8e6fa6aa-b8a7-609f-e472-46513ef969ec@redhat.com>

You'll need to narrow down the problem more, i.e. what does "can't login anymore" mean? Do customers still see login pages? Can Keycloak still receive and process HTTP requests? Or is the connection denied? Is Keycloak clustered, or is it one instance? How many open database connections does the DB have?

On 8/1/17 5:47 AM, Anton Arntz wrote:
> We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random.
> Tried to look into memory, CPU load and disk usage of the specific OpenShift gear and gone through all of the logs, but nothing out of the ordinary could be found.
> Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to log in anymore.
> Has anyone experienced the same with this KeyCloak version?
>
> Kind regards,
> Anton Arntz
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From: nhoult51 at gmail.com (Nathan Hoult)
Date: Tue, 01 Aug 2017 16:06:40 +0000
Subject: [keycloak-user] kc_idp_hint working as expected in 3.2.0?

According to the documentation here: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/params_forwarding.html
with an identity provider named 'google' I should be able to call:

/auth/realms//protocol/openid-connect/auth?client_id=&state=&redirect_uri=&scope=openid&response_type=code&kc_idp_hint=google

and I shouldn't see the KC login page. After ~2 days of testing it seems kc_idp_hint works the first time as long as no cookies are set, but once I visit the KC login page the kc_idp_hint no longer works.

NOTE: setting a default Identity Provider Redirector works just fine, it seems.

Steps to reproduce:
1) go to /auth/realms//account
2) clear KC server cookies
3) append to the /auth URL: &kc_idp_hint=
4) logs you in, or at least you see the IdP login page
5) log out of KC
6) without clearing cookies, try step #3
7) see KC login page <- bug?

My research (KC 3.2.0 git): the Identity Provider Redirector checks for the kc_idp_hint at org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator:44 and is run from org.keycloak.authentication.DefaultAuthenticationFlow:200, but once KC has set a cookie it exits out of the DefaultAuthenticationFlow at line 156 because line 110 has the IdentityProviderAuthenticator set as AuthenticationSessionModel.ExecutionStatus.ATTEMPTED. It never ends up running IdentityProviderAuthenticator:44 and instead goes into the login flow, which returns HTML.

My workaround: I added JavaScript to the login theme that looks for the param "kc_idp_hint"; if it exists, hide the whole page, then onload() look for element id="zocial-". If the element is found: click(), else: reveal the page. I don't like this because 1) you can't hide the IdP, 2) it takes a little longer, 3) you can't override the default IdP with blank, 4) it just seems like the wrong place to do it.
So, is this a bug or am I misunderstanding kc_idp_hint? If it is a bug, I find the code a little confusing, though it is starting to make more sense, but maybe someone more familiar with it could fix it much faster than me?

Thank you!

From: bburke at redhat.com (Bill Burke)
Date: Tue, 1 Aug 2017 12:17:17 -0400
Subject: [keycloak-user] DB from MongoDB to PostgreSQL migration, how?
In-Reply-To: <59808fed1bc021.19994583@wp.pl>
References: <59808fed1bc021.19994583@wp.pl>
Message-ID: <268780f8-0973-c694-666a-4a9520b15b47@redhat.com>

Export/import is the only way. Migrating from 1.9.8 to 2.5.5, then doing the export might be the trick. At least from a product perspective we'll need to support migration from 1.9.8->2.5.5->3.x, so please post your export/import errors.

On 8/1/17 10:27 AM, K K wrote:
> Hi,
> I am struggling with Keycloak migration from version 1.9.8 to the latest one. Currently I am at 2.4.0 and still MongoDB. Is there any built-in tool to migrate MongoDB db to PostgreSQL?
>
> I have tried import and then export, but it doesn't work or I made a mistake somewhere.
From: horizn at wp.pl (K K)
Date: Tue, 01 Aug 2017 23:39:04 +0200
Subject: [keycloak-user] Re: DB from MongoDB to PostgreSQL migration, how?
Message-ID: <5980f4f858b4a4.58902822@wp.pl>

OK, the MongoDB version is 3.2.16, also tried with 3.6.4. This is my keycloak-server.json config: https://pastebin.com/vx8ip8Z1

It is working fine with 1.9.8; I am able to export both to a single JSON file as well as to a directory. The exported file/folder contains all realms and user accounts.

Now, when I am trying to run 2.0.0 against the same config, it gives me the following error during the startup: https://pastebin.com/BNjXQ5ac
A similar error appears with 2.1.0: https://pastebin.com/TJUE83Fa

And then it is working again with 2.4.0 (still against the same config file), but the export DB grows from 3.7MB to 76MB. The events collection is the biggest one - 65MB.

And then both 2.5.0 and 2.5.5 won't see realms, no matter which version of the Mongo Java driver is used, bundled 3.2.0 or 3.2.1: https://pastebin.com/LqFHYcJu
However, I can see user accounts and realms in the .bson file.

Any idea?

brgds,

On Tuesday, 1 August 2017 18:17 Bill Burke wrote:
> Export/import is the only way. Migrating from 1.9.8 to 2.5.5, then doing the export might be the trick. At least from a product perspective we'll need to support migration from 1.9.8->2.5.5->3.x, so please post your export/import errors.
>
> On 8/1/17 10:27 AM, K K wrote:
> > Hi,
> > I am struggling with Keycloak migration from version 1.9.8 to the latest one. Currently I am at 2.4.0 and still MongoDB. Is there any built-in tool to migrate MongoDB db to PostgreSQL?
> >
> > I have tried import and then export, but it doesn't work or I made a mistake somewhere.
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 1 Aug 2017 19:00:14 -0300
Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT)
In-Reply-To: <220032d0170a40aa890d4d39af67b6a7@FE-MBX1028.de.bosch.com>
References: <220032d0170a40aa890d4d39af67b6a7@FE-MBX1028.de.bosch.com>

Hi Brahim,

Are you still considering Keycloak and our Authorization Services in your architecture?

Regards.
Pedro Igor

On Thu, Jul 13, 2017 at 4:41 AM, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com> wrote:
> Hi Pedro,
>
> Since I saw you referring to "https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-08.html#seek-authorization": I think this is not the latest version of UMA2. They changed the naming of the spec parts and IMHO https://docs.kantarainitiative.org/uma/ed/oauth-uma-grant-2.0-04.html and https://docs.kantarainitiative.org/uma/ed/oauth-uma-federated-authz-2.0-04.html form the current spec. Just in case you did not notice the change of names...
>
> Best regards,
> Sebastian
>
> Kind regards / Best regards
>
> Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Management: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Pedro Igor Silva
> Sent: Wednesday, 12 July 2017 19:19
> To: Brahim Ait elhaj
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT)
>
> On Wed, Jul 12, 2017 at 1:23 PM, Brahim Ait elhaj wrote:
>
> >> If a device is actually a user, who are your clients? The same devices?
> >>
> >
> > My client is the MQTT Server in this use case (as the *photoz-restful-api* in the *photoz* example).
> > I want to protect access to MQTT topics (paths/resources) of this MQTT server.
> >
> > I was initially asking myself whether devices should be "users" or "clients", but we could end up with a lot of clients in the latter scenario ... also after playing with KC and reading through the mailing list questions/answers, I think that it's a better approach to have devices be users and not clients.
> >
> > However, did you have something in mind when asking this question?
> >
> I was wondering if the users you mentioned were actually service accounts associated with clients representing your devices. But yeah, the decision on whether devices should be users or not I think depends on the capabilities you want to support on them.
>
> >>> For several reasons/constraints that I won't explain here, I can't have my devices connect first to Keycloak to obtain a token (using their X.509 certificates as KC supports it) and then connect to the MQTT Broker passing this token. They connect directly to the MQTT Broker, each device presenting its X.509 certificate to the Broker. After connection, the Broker doesn't know the client private key.
> >>
> >> Now I'm curious :)
> >>
> >
> > Ok, the main reason is that the one thing that can be guaranteed about devices is that they have a certificate to authenticate themselves.
> > They're not necessarily HTTP or even MQTT capable. They may be able to communicate only via a low power wide area network (LoRa / Sigfox ... i.e. not connected to the internet directly).
> >
> > So we know how to deal with a user (be it a human or a device) that can authenticate and get an access token.
> > My concern here is how to deal with a user (device) that can not.
> >
> Ok, so that changes things a bit ...
>
> >> However, I think we could support your use case with the UMA 2.0 changes we are planning. In the new version of the specs, the client doesn't actually need an access token in order to obtain RPTs from the AS. There is a specific OAuth2 Grant Type, which you can use just like any other grant type. The tricky part here is that instead of using an OAuth2 Access Token to gain access to our APIs, you basically authenticate the client using whatever client authentication method we support. For instance, id/secret, jwt or even using a bearer token (as it stands today). In addition to that, you are allowed to send tokens with claims associated with a requesting party (e.g.: your devices). That would allow you to send your devices' certificates.
> >>
> >> In a nutshell, in a single request to the server you would provide your client credentials + device certificate. And we would need to support extracting requesting party information (the user) from certificates.
> >>
> >
> > Yes, it seems really interesting and corresponding to what I'd like to achieve. Since you talk about UMA, I understand this is the "Authorization API" that is involved here.
> >
> That is one of the changes introduced by UMA 2.0. The Authorization API was replaced by a UMA Grant Type [1]. We are going to deprecate the Authorization API and leave it there for a while. But remove it in future releases.
> My statement above also applies to our Entitlement API, which we also want to support scenarios where the identity is not really represented by an ID or access token.
>
> [1] https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-08.html#seek-authorization
>
> > Also, you said "*In the new version of the specs, the client doesn't actually need an access token in order to obtain RPTs from the AS*", can you please point me to the specs that talk about this specific part (if possible)? I quickly went through the v2.0 without being able to clearly identify this specific part ...
> >
> See link above.
>
> > Do you have something (beta ...) that I can start playing with? Is it already in the roadmap (maybe you have a specific ticket number in mind)?
> >
> Nothing yet ... But this is my next task in Keycloak. At the moment I'm stuck with tasks in other projects that I need to get done. But the JIRA is https://issues.jboss.org/browse/KEYCLOAK-3169.
>
> > Depending on the estimated "landing" date, I can contribute in many ways. So, what's the next step :-)
> >
> Sure thing. Maybe you can start providing some more background on what you need in that JIRA. Although the title is related to UMA 2.0 it will also involve changes to the Entitlement API.
>
> The initial plan did not include what we are discussing here. But I think we can consider your requirements during development once we agree on what we really need to do.
>
> Maybe another approach to your problem is to make your MQTT Broker both a PDP and PEP. I mean, you would use some REST API in Keycloak to evaluate policies based on a set of one or more resources/topics + enforce access based on the permissions returned by the server.
> We do have an endpoint that you can use to evaluate policies (see https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java#L70). But it is basically accessing the API used by our Policy Evaluation Tool in the admin console. Ideally, you should use the Entitlement API, Authorization API/UMA Grant Type.
>
> >>> Best regards,
> >>> Brahim
From: gene at kultpower.de (Sebastian Eichholz)
Date: Wed, 2 Aug 2017 00:05:13 +0200
Subject: [keycloak-user] Using Keycloak within docker compose and spring boot application

I am trying to use Keycloak with my spring boot application. It's working nicely and now I want to use docker-compose to bundle keycloak-mysql with mysql and my spring boot app.

My docker-compose.yml file:

{{{
mysql:
  image: "mysql:5.7"
  container_name: "mysql-for-keycloak"
  environment:
    - MYSQL_DATABASE=keycloak
    - MYSQL_USER=keycloak
    - MYSQL_PASSWORD=keycloak
    - MYSQL_ROOT_PASSWORD=test
  volumes:
    - /Users/sebastian/git/oregami_docker_compose/mysql_data:/var/lib/mysql
keycloak:
  image: "jboss/keycloak-mysql:3.2.0.Final"
  container_name: "keycloak-with-mysql"
  ports:
    - "8087:8080"
  links:
    - "mysql:mysql"
  environment:
    - PROXY_ADDRESS_FORWARDING=true
    - MYSQL_DATABASE=keycloak
    - MYSQL_USERNAME=keycloak
    - MYSQL_PASSWORD=keycloak
    - KEYCLOAK_LOGLEVEL=DEBUG
oregami:
  build: "./oregami-game-database-cqrs"
  ports:
    - "8080:8080"
  container_name: "oregami-docker"
  links:
    - "keycloak:keycloak"
}}}

The Dockerfile for my spring boot application:

{{{
# Base Alpine Linux based image with OpenJDK JRE only
FROM openjdk:8-jre-alpine
# copy application WAR (with libraries inside)
COPY target/oregami-0.0.2-SNAPSHOT.jar /app.jar
EXPOSE 8080
# specify default command
CMD ["/usr/bin/java", "-jar", "-Dkeycloak.auth-server-url=http://keycloak:8087/auth", "/app.jar"]
}}}

Now when I navigate to a page of my app which needs authentication I am forwarded to http://keycloak/... (I edited my /etc/hosts file for this to work).

But when I submit my user and password from the login form, I get this error:

{{{
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_131]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_131]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_131]
    at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_131]
    at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:120) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) ~[httpclient-4.5.2.jar!/:4.5.2]
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) ~[keycloak-adapter-core-3.2.0.Final.jar!/:3.2.0.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:330) ~[keycloak-adapter-core-3.2.0.Final.jar!/:3.2.0.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:275) ~[keycloak-adapter-core-3.2.0.Final.jar!/:3.2.0.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139) ~[keycloak-adapter-core-3.2.0.Final.jar!/:3.2.0.Final]
}}}

Can anybody help?

Thanks!
Sebastian

From: thomas at recloux.fr (Thomas Recloux)
Date: Wed, 02 Aug 2017 07:18:49 +0200
Subject: [keycloak-user] Using Keycloak within docker compose and spring boot application
Message-ID: <1501651129.3698122.1060365488.780C0B81@webmail.messagingengine.com>

On Wed, Aug 2, 2017, at 00:05, Sebastian Eichholz wrote:

Hi Sebastian,

> keycloak:
>   image: "jboss/keycloak-mysql:3.2.0.Final"
>   container_name: "keycloak-with-mysql"
>   ports:
>     - "8087:8080"

This means that keycloak is listening on port 8080 within the container but exposed on port 8080 of the host.

> oregami:
>   build: "./oregami-game-database-cqrs"
>   ports:
>     - "8080:8080"
>   container_name: "oregami-docker"
>   links:
>     - "keycloak:keycloak"

> CMD ["/usr/bin/java", "-jar", "-Dkeycloak.auth-server-url=http://keycloak:8087/auth", "/app.jar"]

With the container link, your spring boot app can access the container directly, so the port should be 8080, not 8087.

I suggest using public names and a reverse proxy like Traefik (https://traefik.io/).

Thomas
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 2 Aug 2017 09:07:04 +0200
Subject: [keycloak-user] Keycloak 3.2.1.Final released
In-Reply-To: <1948212717.2702778.1501457108852@mail.yahoo.com>
References: <1948212717.2702778.1501457108852.ref@mail.yahoo.com> <1948212717.2702778.1501457108852@mail.yahoo.com>

Hi!
Looks like 3.2.1 finally made it to central.

Sebi

On Mon, Jul 31, 2017 at 1:25 AM, Thomas Connolly wrote:
> Hi
>
> Keycloak 3.2.1 appliance missing in the JBoss (and maven2) repo.
>
> https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server-dist/
>
> Raising as our build pulls this down then uses the CLI to overlay customisations.
>
> Regards Tom Connolly.
>
> Message: 3
> Date: Mon, 24 Jul 2017 16:21:47 +0200
> From: Marek Posolda
> Subject: Re: [keycloak-user] Keycloak 3.2.1.Final released
> To: "Federico Navarro Polo - Info.nl", "keycloak-user at lists.jboss.org"
> Message-ID: <187ebc41-ec5a-bdd2-6d8d-c83a852e2935 at redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Thanks for the info! I missed one step during the release process though :)
>
> It is available now in the JBoss repository https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-core/ . AFAIK in the public maven repository on repo1.maven.org it will be in the next 1-2 days.
>
> Sorry for the trouble,
> Marek
>
> On 24.7.2017 at 13:46 Federico Navarro Polo - Info.nl wrote:
> > Hello Marek,
> >
> > Seems like dependencies for 3.2.1.Final are not in maven, the latest available dependencies are 3.2.0.Final
> >
> > https://repo.maven.apache.org/maven2/org/keycloak/keycloak-core/
> >
> > Regards,
> > Federico
> >
> > On 21/07/17 16:36, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Posolda" mposolda at redhat.com> wrote:
> >
> > Keycloak 3.2.1.Final has just been released.
> >
> > This release doesn't contain any new features. However there are a few fixed bugs related to authorization services and new permissions for the admin REST API.
> >
> > To download the release go to the Keycloak homepage
> > .
> >
> > The full list of resolved issues is available in JIRA
> > 20keycloak%20and%20fixVersion%20%3D%203.2.1.Final>
> > .
> >
> > Upgrading
> >
> > Before you upgrade remember to backup your database and check the migration guide
> > MigrationFromOlderVersions.html>
> > .
From: horizn at wp.pl (Kamil Kapturkiewicz)
Date: Wed, 2 Aug 2017 15:31:11 +0100
Subject: [keycloak-user] DB from MongoDB to PostgreSQL migration, how?
In-Reply-To: <268780f8-0973-c694-666a-4a9520b15b47@redhat.com>
References: <59808fed1bc021.19994583@wp.pl> <268780f8-0973-c694-666a-4a9520b15b47@redhat.com>
Message-ID: <995c9a6b-1d39-5efd-3ccc-6572ba9ef059@wp.pl>

I have exported the Keycloak Mongo db from 1.9.8 and successfully imported it into an H2 db in the same 1.9.8 Keycloak version. Then I have tried to export it back again and import it with PostgreSQL, but it failed at:

13:44:33,341 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 47) SQL Error: 0, SQLState: 42703
13:44:33,342 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 47) ERROR: column realmentit0_.certificate does not exist
  Position: 563

Also I have copied the H2 db files (keycloak.h2.db, keycloak.trace.db, keycloak.trace.db.old) to 2.0.0, but unfortunately it won't start:

14:19:17,717 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 46) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
14:19:17,732 WARN  [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 46) HHH000431: Unable to determine H2 database version, certain features may not work
14:19:17,799 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 46) Envers integration enabled? : true
14:19:18,900 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 46) HV000001: Hibernate Validator 5.2.3.Final
14:19:20,370 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 46) HHH000397: Using ASTQueryTranslatorFactory
14:19:24,582 ERROR [org.keycloak.services] (ServerService Thread Pool -- 46) KC-SERVICES0002: Failed to migrate datamodel: java.lang.NullPointerException

On 01/08/17 17:17, Bill Burke wrote:
> Export/import is the only way.
> Migrating from 1.9.8 to 2.5.5, then doing the export might be the trick. At least from a product perspective we'll need to support migration from 1.9.8->2.5.5->3.x, so please post your export/import errors.
>
> On 8/1/17 10:27 AM, K K wrote:
>> Hi,
>> I am struggling with Keycloak migration from version 1.9.8 to the latest one. Currently I am at 2.4.0 and still MongoDB. Is there any built-in tool to migrate MongoDB db to PostgreSQL?
>>
>> I have tried import and then export, but it doesn't work or I made a mistake somewhere.

-- 
skype. kamil.kapturkiewicz
tel/signal. +44 758 306 8467
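Following the export/import exchange above (Bill's 1.9.8 -> 2.5.5 -> 3.x path and Kamil's re-exports), here is an added example, not code from the thread or from Keycloak, that summarises a Keycloak export in either layout and compares two summaries, so a realm or its users vanishing between versions is caught before the import is trusted. It assumes (my reading of the export format, not confirmed by the thread) that the singleFile layout is one JSON array of realm representations embedding their users and the dir layout is <realm>-realm.json plus <realm>-users-<n>.json chunks; the sample export it writes is constructed inline.

```python
"""Summarise and compare Keycloak exports before trusting an import.

Added example (not from the thread or Keycloak). Assumed layouts: the
singleFile export is a JSON array of realm representations with embedded
"users"; the dir export is <realm>-realm.json plus <realm>-users-<n>.json
chunks. The sample export written by build_sample() is constructed.
"""
import json
import os
import re
import tempfile
from collections import defaultdict

REALM_FILE = re.compile(r"^(?P<realm>.+)-realm\.json$")
USERS_FILE = re.compile(r"^(?P<realm>.+)-users-(?P<n>\d+)\.json$")

def _load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def summarize_single_file(path):
    """{realm name: {"id": ..., "users": count}} for a singleFile export."""
    realms = _load(path)
    if not isinstance(realms, list):
        raise ValueError("singleFile export must be a JSON array of realms")
    summary = {}
    for rep in realms:
        name = rep.get("realm")
        if not name:
            raise ValueError("realm representation without a 'realm' name")
        summary[name] = {"id": rep.get("id"), "users": len(rep.get("users") or [])}
    return summary

def summarize_dir(path):
    """Same structure for a dir export, adding up the users-<n> chunks."""
    realm_ids, user_counts = {}, defaultdict(int)
    for fname in sorted(os.listdir(path)):
        m = REALM_FILE.match(fname)
        if m:
            realm_ids[m.group("realm")] = _load(os.path.join(path, fname)).get("id")
            continue
        m = USERS_FILE.match(fname)
        if m:
            chunk = _load(os.path.join(path, fname))
            if chunk.get("realm") != m.group("realm"):  # chunk must belong to the named realm
                raise ValueError(f"{fname}: realm field does not match file name")
            user_counts[m.group("realm")] += len(chunk.get("users") or [])
    orphans = sorted(set(user_counts) - set(realm_ids))
    if orphans:  # users without a realm file would be silently dropped on import
        raise ValueError(f"user chunks without a realm file: {orphans}")
    return {n: {"id": rid, "users": user_counts[n]} for n, rid in realm_ids.items()}

def compare(before, after):
    """Human-readable list of realms that vanished or changed between two exports."""
    problems = []
    for name, info in before.items():
        other = after.get(name)
        if other is None:
            problems.append(f"realm '{name}' missing after migration")
        elif other != info:
            problems.append(f"realm '{name}' changed: {info} -> {other}")
    return problems

def build_sample(root):
    """Write a constructed two-realm export in both layouts; return their paths."""
    realms = [
        {"id": "r-master", "realm": "master", "users": [{"username": "admin"}]},
        {"id": "r-demo", "realm": "demo",
         "users": [{"username": f"user{i}"} for i in range(5)]},
    ]
    single = os.path.join(root, "keycloak-export.json")
    with open(single, "w", encoding="utf-8") as fh:
        json.dump(realms, fh)
    dir_path = os.path.join(root, "export-dir")
    os.makedirs(dir_path, exist_ok=True)
    for rep in realms:
        realm_only = {k: v for k, v in rep.items() if k != "users"}
        with open(os.path.join(dir_path, f"{rep['realm']}-realm.json"), "w", encoding="utf-8") as fh:
            json.dump(realm_only, fh)
        users = rep["users"]
        for n, start in enumerate(range(0, len(users), 2)):  # mimic usersPerFile=2
            with open(os.path.join(dir_path, f"{rep['realm']}-users-{n}.json"), "w", encoding="utf-8") as fh:
                json.dump({"realm": rep["realm"], "users": users[start:start + 2]}, fh)
    return single, dir_path

def run_demo():
    """Summarise the constructed sample in both layouts and return both summaries."""
    root = tempfile.mkdtemp(prefix="kc-export-")
    single, dir_path = build_sample(root)
    return summarize_single_file(single), summarize_dir(dir_path)

if __name__ == "__main__":
    before, after = run_demo()
    print(before)
    print("differences:", compare(before, after) or "none")
```

In practice, run the summary on the export taken from the old version and again on the re-export from the new version, and refuse to proceed when compare() reports anything.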
From: Jesus.Bernal at checkit.net (Jesus Bernal)
Date: Wed, 2 Aug 2017 16:33:12 +0000
Subject: [keycloak-user] Getting offline token alongside refresh token
Message-ID: <7941F227-ACEB-426C-99F8-AC5BDEE3345D@checkit.net>

Hi,

I am using the Authorisation Code Flow in my web application. I would like to get a refresh token for the web app itself but also an offline token that I will save in the database so I can use it later on for an offline task. However I am struggling with that.

I cannot use grant-type password because I don't want to ask the user again to enter his credentials, and also the authorisation code is only one-time use so I cannot integrate it with the current flow.

Is there any other way to generate an offline token from a different token? I have tried using grant type refresh-token with scope offline access but that didn't work.

Thanks in advance.

Best Regards,
Jesus Bernal
Senior Software Engineer
jesus.bernal at checkit.net
Elektron Technology
Broers Building, JJ Thomson Avenue, Cambridge, CB3 0FA, UK
www.elektron-technology.com
From: thomas.hilaire at free.fr (thomas.hilaire at free.fr)
Date: Wed, 2 Aug 2017 21:39:18 +0200 (CEST)
Subject: [keycloak-user] Does NodeJS adapter support basic auth?
In-Reply-To: <1316520845.73418247.1501702429964.JavaMail.root@spooler6-g27.priv.proxad.net>
Message-ID: <1710768797.73429586.1501702758802.JavaMail.root@spooler6-g27.priv.proxad.net>

Hello,

I have used Keycloak for months now and it works like a charm, thanks for that!

I did all the requirements I found to add BASIC authentication to my project with keycloak-nodejs-connect, but I can't get it working. By looking at the library code, I don't see anything about this authentication method.

Is basic auth supported with this adapter? Is there any issue on your JIRA for this topic?

Thanks to all contributors for Keycloak!

From: mevans at aconex.com (Matt Evans)
Date: Thu, 3 Aug 2017 02:13:01 +0000
Subject: [keycloak-user] When should auth_time claim be updated?
References: <9d25ac7a-1fa5-48d5-f6b3-e3e8f2d5027c@redhat.com> <70d87168-c45a-9c65-8a7e-41e6c4392e50@redhat.com>

The issue with creating new jboss dev accounts has been fixed and I've raised https://issues.jboss.org/browse/KEYCLOAK-5248 for this issue.

Thanks

Matt

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Matt Evans
Sent: Friday, 28 July 2017 10:32 PM
To: Thomas Darimont
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When should auth_time claim be updated?

Hi Thomas, how do I do that? I pressed sign up in the top right corner and filled all that in... Then I did 'log in' but it never seemed to show I had logged in.

Matt

Matt Evans
Aconex

________________________________
From: Thomas Darimont
Sent: Friday, July 28, 2017 9:35:31 PM
To: Matt Evans
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When should auth_time claim be updated?

Hello Matt,

you need to create a JBoss jira account.

Cheers,
Thomas

2017-07-28 8:32 GMT+02:00 Matt Evans:

I've been trying to raise a jira ticket. I've gone to https://issues.jboss.org/browse/KEYCLOAK , signed up, and logged in but I can't create issues. The Create button isn't visible. Do I need to do something else?

Thanks

Matt

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, 27 July 2017 8:48 PM
To: Matt Evans; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When should auth_time claim be updated?

Looks like a bug. Could you please create a JIRA for this?

Thanks,
Marek

On 26/07/17 01:19, Matt Evans wrote:
> After looking at the code it seems that this is controlled for each authentication attempt with the SSO_AUTH note; the CookieAuthenticator sets it as a client note if cookie authentication succeeds, and the AuthenticationManager checks it and, if it's not true, updates the auth_time. I can't see anywhere that clears it. I'm not sure how long client notes live, but I assume longer than the current authentication attempt, because once it's set, I can see that it stays true for all my "prompt=login" authentication attempts after that.
>
> I changed the CookieAuthenticator to clear the flag first and this seems to fix the problem for me, however, I'm not sure if that's the best approach?
>
> Matt
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Saturday, 22 July 2017 12:45 AM
> To: Matt Evans >; keycloak-user
>
> Subject: Re: [keycloak-user] When should auth_time claim be updated?
>
> On 21/07/17 07:57, Matt Evans wrote:
>> Hi
>>
>> We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a re-authentication for sensitive actions, and we use the auth_time claim to determine if this should occur.
>>
>> Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the auth_time is updated to the time that the authentication occurred.
>>
>> However, if we then redirect to the auth endpoint and the cookie is valid and used, any subsequent time after this authentication that we use the auth endpoint with 'prompt=login' the auth_time claim is not updated.
>>
>> Is this intended behaviour?
> Yes. The claim "auth_time" points to the time of the active authentication. And the re-authentication with SSO cookie is not treated as "active" authentication, so this won't update auth_time. With "prompt=login" you need to actively authenticate, so that will update auth_time.
>
> Marek
>> Thanks
>>
>> Matt
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Kristiaan.Jansen at planonsoftware.com Thu Aug 3 03:56:29 2017
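The step-up pattern discussed in the auth_time thread above (redirect with prompt=login, then trust the auth_time claim), as an added example that is not from the thread or from Keycloak itself: the relying party records when it issued the prompt=login redirect and afterwards requires the returned token's auth_time to be both within max_age and not older than that redirect, which is exactly the condition that the stale auth_time reported in the thread would fail. The endpoint, client id, token payloads and timestamps are constructed placeholders; the token signature is assumed to have been verified already by the adapter.

```javascript
// Added example: relying-party side freshness check for prompt=login
// step-up re-authentication based on the OIDC auth_time claim.
// Not code from the mailing-list thread or from Keycloak.

const CLOCK_SKEW_SECONDS = 30; // tolerated drift between RP and IdP clocks

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the claims of a JWS compact token. Signature verification is assumed
// to have happened before this point; this function only parses the payload.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a JWS compact token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Build the authorization request that forces an active login.
// prompt=login asks the IdP to re-authenticate; max_age makes auth_time
// a required claim in the resulting ID token.
function buildStepUpRequest(authEndpoint, opts) {
  const url = new URL(authEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('client_id', opts.clientId);
  url.searchParams.set('redirect_uri', opts.redirectUri);
  url.searchParams.set('state', opts.state);
  url.searchParams.set('nonce', opts.nonce);
  url.searchParams.set('prompt', 'login');
  url.searchParams.set('max_age', String(opts.maxAgeSeconds));
  return url.toString();
}

// Decide whether the returned token proves a fresh active authentication.
// requestedAt: unix seconds at which the RP issued the prompt=login redirect
// (store it server-side next to `state`, never trust it from the client).
function evaluateStepUp(claims, opts) {
  const { requestedAt, maxAgeSeconds, nowSeconds } = opts;
  const authTime = claims.auth_time;
  if (typeof authTime !== 'number' || !Number.isFinite(authTime)) {
    return { ok: false, reason: 'auth_time claim missing' };
  }
  if (authTime > nowSeconds + CLOCK_SKEW_SECONDS) {
    return { ok: false, reason: 'auth_time is in the future' };
  }
  if (nowSeconds - authTime > maxAgeSeconds) {
    return { ok: false, reason: 'auth_time older than max_age' };
  }
  // This is the check that catches the behaviour reported in the thread:
  // the IdP answered a prompt=login request but kept an auth_time from an
  // earlier login, so the value predates the redirect we issued.
  if (authTime < requestedAt - CLOCK_SKEW_SECONDS) {
    return { ok: false, reason: 'auth_time predates the prompt=login request' };
  }
  return { ok: true, reason: 'fresh active authentication' };
}

// Constructed sample token (not a real Keycloak token): header and payload
// base64url-encoded with a placeholder signature, purely for the demo run.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.sig-placeholder`;
}

// Demo: one token with a genuinely fresh auth_time, one with an auth_time
// that is within max_age but predates the redirect (the stale case).
function runDemo() {
  const now = 1500000000;          // constructed "current time"
  const requestedAt = now - 20;    // redirect issued 20 s before the callback
  const policy = { requestedAt, maxAgeSeconds: 300, nowSeconds: now };
  const fresh = makeSampleToken({ sub: 'user-1', auth_time: now - 5 });
  const stale = makeSampleToken({ sub: 'user-1', auth_time: now - 120 });
  return {
    fresh: evaluateStepUp(decodeClaims(fresh), policy),
    stale: evaluateStepUp(decodeClaims(stale), policy),
  };
}

console.log(runDemo());
```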
From: Kristiaan.Jansen at planonsoftware.com (Kristiaan Jansen)
Date: Thu, 3 Aug 2017 07:56:29 +0000
Subject: [keycloak-user] openshift-keycloak-cartridge 3.2.1.Final and 3.2.0.Final Do not work
Message-ID: <6636BA08-5CE8-4FA0-99EE-0F34C8B5D894@planonsoftware.com>

Hi

We are trying to use the keycloak openshift cartridge for the latest version of openshift. We have been using older versions and they work fine for us.

Reproduce scenario:
Install the openshift cartridge for 3.2.0.Final on openshift online following this manual: https://github.com/keycloak/openshift-keycloak-cartridge/tree/base. The cartridge installs fine. But when we go to the administration console it shows an internal server error; in the server.log we see the stacktrace below.

Expectation: The cartridge should work.

Stacktrace

03:41:10,299 ERROR [freemarker.runtime] (default task-9) Error executing FreeMarker template: freemarker.core.InvalidReferenceException: The following has evaluated to null or missing:
==> consoleBaseUrl [in template "index.ftl" at line 20, column 33]
----
Tip: If the failing expression is known to be legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDefault, or use <#if myOptionalVar??>when-present<#else>when-missing. (These only cover the last step of the expression; to cover the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
---- ---- FTL stack trace ("~" means nesting-related): - Failed at: ${consoleBaseUrl} [in template "index.ftl" at line 20, column 31] ---- at freemarker.core.InvalidReferenceException.getInstance(InvalidReferenceException.java:131) at freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:355) at freemarker.core.Expression.evalAndCoerceToString(Expression.java:82) at freemarker.core.DollarVariable.accept(DollarVariable.java:41) at freemarker.core.Environment.visit(Environment.java:324) at freemarker.core.MixedContent.accept(MixedContent.java:54) at freemarker.core.Environment.visit(Environment.java:324) at freemarker.core.Environment.process(Environment.java:302) at freemarker.template.Template.process(Template.java:325) at org.keycloak.theme.FreeMarkerUtil.processTemplate(FreeMarkerUtil.java:61) at org.keycloak.services.resources.admin.AdminConsole.getMainPage(AdminConsole.java:305) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) ^[[0m^[[31m03:41:10,340 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /auth/admin/master/console/: org.jboss.resteasy.spi.UnhandledException: 
org.keycloak.theme.FreeMarkerException: Failed to process template index.ftl at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: org.keycloak.theme.FreeMarkerException: Failed to process template index.ftl at org.keycloak.theme.FreeMarkerUtil.processTemplate(FreeMarkerUtil.java:64) at org.keycloak.services.resources.admin.AdminConsole.getMainPage(AdminConsole.java:305) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more Caused by: freemarker.core.InvalidReferenceException: The following has evaluated to null or missing: ==> consoleBaseUrl [in template "index.ftl" at line 20, column 33] ---- Tip: If the failing expression is known to be legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDefault, or use <#if myOptionalVar??>when-present<#else>when-missing. 
(These only cover the last step of the expression; to cover the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
----
----
FTL stack trace ("~" means nesting-related):
- Failed at: ${consoleBaseUrl} [in template "index.ftl" at line 20, column 31]
----
at freemarker.core.InvalidReferenceException.getInstance(InvalidReferenceException.java:131)
at freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:355)
at freemarker.core.Expression.evalAndCoerceToString(Expression.java:82)
at freemarker.core.DollarVariable.accept(DollarVariable.java:41)
at freemarker.core.Environment.visit(Environment.java:324)
at freemarker.core.MixedContent.accept(MixedContent.java:54)
at freemarker.core.Environment.visit(Environment.java:324)
at freemarker.core.Environment.process(Environment.java:302)
at freemarker.template.Template.process(Template.java:325)
at org.keycloak.theme.FreeMarkerUtil.processTemplate(FreeMarkerUtil.java:61)
... 48 more

From llivezking at gmail.com Thu Aug 3 04:34:05 2017
From: llivezking at gmail.com (Ilya Korol)
Date: Thu, 3 Aug 2017 18:34:05 +1000
Subject: [keycloak-user] Possible bug in GroupModel implementations
Message-ID:

Hi. I'm working on some extensions for Keycloak for our team's purposes. Today I noticed that some instance of GroupModel (retrieved from Keycloak) returned null from the method getAttribute(String attrName). But the javadoc of GroupModel states that this method never returns null:

    /**
     * @param name
     * @return list of all attribute values or empty list if there are not any values. Never return null
     */
    List<String> getAttribute(String name);

I checked the implementations in keycloak-parent and found this in org.keycloak.models.cache.infinispan.GroupAdapter:

    @Override
    public List<String> getAttribute(String name) {
        List<String> values = cached.getAttributes().get(name);
        if (values == null) return null;   // <---- Attention
        return values;
    }

Is it a bug?

From james.mk.green at gmail.com Thu Aug 3 05:22:06 2017
From: james.mk.green at gmail.com (James Green)
Date: Thu, 3 Aug 2017 10:22:06 +0100
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
Message-ID:

Unsure what I'm doing wrong here. Circumstance: we've spotted KeyCloak, have reason to be interested, so are deploying an instance into our test environment which happens to be Docker Swarm.

Problem: The KeyCloak service is being restarted by Docker, presumably due to a crash. The logs indicate it gets so far within a liquibase script then fails.

Here's the docker-compose.yml file that we are using for deployment purposes:

https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07

Here's the log from MySQL:

https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce

Here's an initial log from KeyCloak:

https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef

Here's a further log from KeyCloak once Docker has decided it needed to be restarted:

https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42

As you can see, the MySQL server starts and is configured due to there being no data already present. All looks good. KeyCloak eventually gets connected to MySQL and begins using Liquibase to roll through transitions but crashes (how?) and thus the container overall crashes, forcing Docker to restart, which merely happens over and over.

FWIW I earlier created a StackOverflow post which has us at a _different_ liquibase change but also failing:

https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482

What I've posted in the Gists above occurred after I shut everything down and wiped the MySQL data directory of its contents in full.

An aside - we have multiple projects working within Swarm using stack deployments with externally managed networks (as recommended by Docker) and GlusterFS volumes without issue. In this particular case the only tangible difference is the use of the latest MySQL version which other projects may not be using. We also do not have experience of WildFly-based software.

Any ideas what I've done wrong?

Thanks,

James

From t.ruiten at rdmedia.com Thu Aug 3 05:34:37 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Thu, 3 Aug 2017 11:34:37 +0200
Subject: [keycloak-user] illegal character in path when testing email setup
In-Reply-To:
References:
Message-ID:

I pinned this down: it's only an issue when running Keycloak behind an nginx proxy. My current stripped down nginx config:

/etc/nginx/nginx.conf:

include /usr/share/nginx/modules/*.conf;
user nginx;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 30000;

events {
    worker_connections 4096;
    multi_accept on;
}

http {
    log_format main '$http_host $remote_addr [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log main;
    server_tokens off;
    include /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/keycloak.conf:

server {
    listen 443 ssl;
    server_name REDACTED;
    ssl_certificate /etc/pki/tls/certs/REDACTED.cer;
    ssl_certificate_key /etc/pki/tls/private/REDACTED.key;

    location / {
        proxy_http_version 1.1;
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
    }
}

Is there a recommended nginx configuration for Keycloak?

On 14 July 2017 at 11:59, Stian Thorgersen wrote:
> I've tried the same steps and we have tests that do the same steps. So
> there's something more to it. You can create a JIRA sure, but we need to be
> able to reproduce it.
>
> Ideal is that you can reproduce it with a fresh install of Keycloak
> directly on your box with a fresh DB as well.
>
> On 14 July 2017 at 10:42, Tiemen Ruiten wrote:
>
>> Stian, does this help? Should I file a bug report?
>>
>> If anyone could give me some pointers for a workaround, that would also
>> be much appreciated.
>> >> >> On 12 July 2017 at 13:09, Tiemen Ruiten wrote: >> >>> OK, so I rolled a new Keycloak instance and it gives me the exact same >>> error. Reproducing is trivial: >>> >>> - login >>> - click Realm Settings >>> - click Email tab >>> - Fill in Host and From fields >>> - Hit 'Test connection' >>> >>> I can share the Ansible playbook I used to setup the VM privately if >>> you'd like. >>> >>> On 12 July 2017 at 11:43, Tiemen Ruiten wrote: >>> >>>> Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0 >>>> to 3.2.0), in fact the only changes in standalone.xml are related to the >>>> keystore and database. I'll see if I can setup another instance and >>>> reproduce there. >>>> >>>> On 11 July 2017 at 07:35, Stian Thorgersen wrote: >>>> >>>>> Tried to reproduce this, but can't and it's working just fine here. Do >>>>> you have steps to reproduce? >>>>> >>>>> On 10 July 2017 at 16:04, Tiemen Ruiten wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> I get the following error when hitting the 'Test connection' button >>>>>> on the >>>>>> email tab in Realm settings: >>>>>> >>>>>> 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) >>>>>> WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* >>>>>> started in >>>>>> >>>>>> 21731ms - Started 449 of 824 services (561 services are lazy, passive >>>>>> or >>>>>> on-demand) >>>>>> 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_j >>>>>> axrs.i18n] >>>>>> (default task-11) RESTEASY002130: Failed to parse request.: >>>>>> javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to >>>>>> create URI: >>>>>> https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ >>>>>> "port":null,"host":"mail.rdmedia.com >>>>>> ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} >>>>>> at >>>>>> org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValu >>>>>> es(ResteasyUriBuilder.java:749) >>>>>> at >>>>>> 
org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(Resteas >>>>>> yUriBuilder.java:721) >>>>>> at >>>>>> org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUr >>>>>> iInfo.java:58) >>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.(ResteasyUriInf >>>>>> o.java:53) >>>>>> at >>>>>> org.jboss.resteasy.plugins.server.servlet.ServletUtil.extrac >>>>>> tUriInfo(ServletUtil.java:41) >>>>>> at >>>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>>>>> spatcher.service(ServletContainerDispatcher.java:200) >>>>>> at >>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>>>> her.service(HttpServletDispatcher.java:56) >>>>>> at >>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>>>> her.service(HttpServletDispatcher.java:51) >>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>>>> at >>>>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >>>>>> rvletHandler.java:85) >>>>>> at >>>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>>>>> oFilter(FilterHandler.java:129) >>>>>> at >>>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.d >>>>>> oFilter(KeycloakSessionServletFilter.java:90) >>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >>>>>> r.java:60) >>>>>> at >>>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>>>>> oFilter(FilterHandler.java:131) >>>>>> at >>>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >>>>>> terHandler.java:84) >>>>>> at >>>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHan >>>>>> dler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>>> at >>>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handl >>>>>> eRequest(ServletDispatchingHandler.java:36) >>>>>> at >>>>>> org.wildfly.extension.undertow.security.SecurityContextAssoc >>>>>> iationHandler.handleRequest(SecurityContextAssociationHandle >>>>>> r.java:78) >>>>>> at >>>>>> 
io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at >>>>>> io.undertow.servlet.handlers.security.SSLInformationAssociat >>>>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>>> at >>>>>> io.undertow.servlet.handlers.security.ServletAuthenticationC >>>>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>>> at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at >>>>>> io.undertow.security.handlers.AbstractConfidentialityHandler >>>>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>>>> at >>>>>> io.undertow.servlet.handlers.security.ServletConfidentiality >>>>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr >>>>>> aintHandler.java:64) >>>>>> at >>>>>> io.undertow.security.handlers.AuthenticationMechanismsHandle >>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>> at >>>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSes >>>>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>>> at >>>>>> io.undertow.security.handlers.NotificationReceiverHandler.ha >>>>>> ndleRequest(NotificationReceiverHandler.java:50) >>>>>> at >>>>>> io.undertow.security.handlers.AbstractSecurityContextAssocia >>>>>> tionHandler.handleRequest(AbstractSecurityContextAssociation >>>>>> Handler.java:43) >>>>>> at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at >>>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >>>>>> ndler.handleRequest(JACCContextIdHandler.java:61) >>>>>> at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>>>> redicateHandler.java:43) >>>>>> at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFir >>>>>> 
stRequest(ServletInitialHandler.java:284) >>>>>> at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >>>>>> equest(ServletInitialHandler.java:263) >>>>>> at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$00 >>>>>> 0(ServletInitialHandler.java:81) >>>>>> at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >>>>>> equest(ServletInitialHandler.java:174) >>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors. >>>>>> java:202) >>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >>>>>> ge.java:793) >>>>>> at >>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>>>> Executor.java:1142) >>>>>> at >>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>>>> lExecutor.java:617) >>>>>> at java.lang.Thread.run(Thread.java:748) >>>>>> Caused by: java.net.URISyntaxException: Illegal character in path at >>>>>> index >>>>>> 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConn >>>>>> ection/{ >>>>>> "port":null,"host":"mail.rdmedia.com >>>>>> ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} >>>>>> at java.net.URI$Parser.fail(URI.java:2848) >>>>>> at java.net.URI$Parser.checkChars(URI.java:3021) >>>>>> at java.net.URI$Parser.parseHierarchical(URI.java:3105) >>>>>> at java.net.URI$Parser.parse(URI.java:3053) >>>>>> at java.net.URI.(URI.java:588) >>>>>> at >>>>>> org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValu >>>>>> es(ResteasyUriBuilder.java:744) >>>>>> ... 40 more >>>>>> >>>>>> The 67th character is the slash after testSMTPConnection. Is this a >>>>>> bug >>>>>> and/or is there a workaround/fix? 
>>>>>> >>>>>> -- >>>>>> Tiemen Ruiten >>>>>> Systems Engineer >>>>>> R&D Media >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Tiemen Ruiten >>>> Systems Engineer >>>> R&D Media >>>> >>> >>> >>> >>> -- >>> Tiemen Ruiten >>> Systems Engineer >>> R&D Media >>> >> >> >> >> -- >> Tiemen Ruiten >> Systems Engineer >> R&D Media >> > > -- Tiemen Ruiten Systems Engineer R&D Media From mstrukel at redhat.com Thu Aug 3 05:36:03 2017 
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 3 Aug 2017 11:36:03 +0200
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
In-Reply-To:
References:
Message-ID:

There's your error in line 237 of the first log:

08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]

The question now is why that table exists already if you started with an empty database.

On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
> Unsure what I'm doing wrong here. Circumstance: we've spotted KeyCloak,
> have reason to be interested, so are deploying an instance into our test
> environment which happens to be Docker Swarm.
>
> Problem: The KeyCloak service is being restarted by Docker, presumably due
> to a crash. The logs indicate it gets so far within a liquibase script then
> fails.
> > Here's the docker-compose.yml file that we are using for deployment > purposes: > > https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07 > > Here's the log from MySQL: > > https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce > > Here's an initial log from KeyCloak: > > https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef > > Here's an further log from KeyCloak once Docker has decided it needed to be > restarted: > > https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42 > > As you can see, the MySQL server starts and is configured due to there > being no data already present. All looks good. KeyCloak eventually gets > connected to MySQL and begins using Liquibase to roll through transitions > but crashes (how?) and thus the container overall crashes forcing Docker to > restart, which merely happens over and over. > > FWIW I earlier created a StackOverflow post which has us at a _different_ > liquibase change but also failing: > > https://stackoverflow.com/questions/45466482/keycloak- > will-not-start-due-to-liquibase-changelog-error? > noredirect=1#comment77894983_45466482 > > What I've posted in the Gists above occurred after I shut everything down > and wiped the MySQL data directory of it's contents in full. > > An aside - we have multiple projects working within Swarm using stack > deployments with externally managed networks (as recommended by Docker) and > GlusterFS volumes without issue. In this particular case the only tangible > difference is the use of the latest MySQL version which other projects may > not be using. We also do not have experience of WildFly-based software. > > Any ideas what I've done wrong? > > Thanks, > > James > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From james.mk.green at gmail.com Thu Aug 3 05:41:18 2017 
From: james.mk.green at gmail.com (James Green)
Date: Thu, 3 Aug 2017 10:41:18 +0100
Subject: [keycloak-user] Fwd: Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment

Gah! Intended for the list not the individual.

---------- Forwarded message ----------
From: James Green
Date: 3 August 2017 at 10:40
Subject: Re: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
To: Marko Strukelj

I'm aware of the liquibase error, the bit I'm struggling with is how that can happen on an empty database.

I might try to launch the database separately - could be a race condition between initialising the two applications (clutching at straws).

On 3 August 2017 at 10:36, Marko Strukelj wrote:
> There's your error in line 237 of the first log:
> 08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]
>
> The question now is why that table exists already if you started with an empty database.
>
> On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
>
>> Unsure what I'm doing wrong here. Circumstance: we've spotted KeyCloak, have reason to be interested, so are deploying an instance into our test environment which happens to be Docker Swarm.
>>
>> Problem: The KeyCloak service is being restarted by Docker, presumably due to a crash. The logs indicate it gets so far within a liquibase script then fails.
>>
>> Here's the docker-compose.yml file that we are using for deployment purposes:
>>
>> https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07
>>
>> Here's the log from MySQL:
>>
>> https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce
>>
>> Here's an initial log from KeyCloak:
>>
>> https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef
>>
>> Here's a further log from KeyCloak once Docker has decided it needed to be restarted:
>>
>> https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42
>>
>> As you can see, the MySQL server starts and is configured due to there being no data already present. All looks good. KeyCloak eventually gets connected to MySQL and begins using Liquibase to roll through transitions but crashes (how?) and thus the container overall crashes forcing Docker to restart, which merely happens over and over.
>>
>> FWIW I earlier created a StackOverflow post which has us at a _different_ liquibase change but also failing:
>>
>> https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482
>>
>> What I've posted in the Gists above occurred after I shut everything down and wiped the MySQL data directory of its contents in full.
>>
>> An aside - we have multiple projects working within Swarm using stack deployments with externally managed networks (as recommended by Docker) and GlusterFS volumes without issue. In this particular case the only tangible difference is the use of the latest MySQL version which other projects may not be using. We also do not have experience of WildFly-based software.
>>
>> Any ideas what I've done wrong?
>>
>> Thanks,
>>
>> James
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From mstrukel at redhat.com Thu Aug 3 06:01:02 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 3 Aug 2017 12:01:02 +0200
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment

Hmm, grasping for straws I would try a previous version of Keycloak to rule out the possibility of a regression, then I would try with a different version of MySql, then I would try a locally running instance of Keycloak against containerised MySql ...

On Thu, Aug 3, 2017 at 11:36 AM, Marko Strukelj wrote:
> There's your error in line 237 of the first log:
> 08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]
>
> The question now is why that table exists already if you started with an empty database.
>
> On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
>
>> Unsure what I'm doing wrong here. Circumstance: we've spotted KeyCloak, have reason to be interested, so are deploying an instance into our test environment which happens to be Docker Swarm.
>>
>> Problem: The KeyCloak service is being restarted by Docker, presumably due to a crash. The logs indicate it gets so far within a liquibase script then fails.
>>
>> Here's the docker-compose.yml file that we are using for deployment purposes:
>>
>> https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07
>>
>> Here's the log from MySQL:
>>
>> https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce
>>
>> Here's an initial log from KeyCloak:
>>
>> https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef
>>
>> Here's a further log from KeyCloak once Docker has decided it needed to be restarted:
>>
>> https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42
>>
>> As you can see, the MySQL server starts and is configured due to there being no data already present. All looks good. KeyCloak eventually gets connected to MySQL and begins using Liquibase to roll through transitions but crashes (how?) and thus the container overall crashes forcing Docker to restart, which merely happens over and over.
>>
>> FWIW I earlier created a StackOverflow post which has us at a _different_ liquibase change but also failing:
>>
>> https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482
>>
>> What I've posted in the Gists above occurred after I shut everything down and wiped the MySQL data directory of its contents in full.
>>
>> An aside - we have multiple projects working within Swarm using stack deployments with externally managed networks (as recommended by Docker) and GlusterFS volumes without issue. In this particular case the only tangible difference is the use of the latest MySQL version which other projects may not be using. We also do not have experience of WildFly-based software.
>>
>> Any ideas what I've done wrong?
>>
>> Thanks,
>>
>> James
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From james.mk.green at gmail.com Thu Aug 3 07:01:46 2017
From: james.mk.green at gmail.com (James Green)
Date: Thu, 3 Aug 2017 12:01:46 +0100
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment

Looks like a timeout causes an initial crash then the liquibase crashes begin:

https://gist.github.com/jmkgreen/4a474f1b97d8cbea5bf77a6f475ec78c

Unsure what is actually happening that gets timed out though - there is mention of an http interface but is that a repercussion of something deeper?

Thanks,

James

On 3 August 2017 at 11:01, Marko Strukelj wrote:
> Hmm, grasping for straws I would try a previous version of Keycloak to rule out the possibility of a regression, then I would try with a different version of MySql, then I would try a locally running instance of Keycloak against containerised MySql ...
>
> On Thu, Aug 3, 2017 at 11:36 AM, Marko Strukelj wrote:
>
>> There's your error in line 237 of the first log:
>> 08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]
>>
>> The question now is why that table exists already if you started with an empty database.
>>
>> On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
>>
>>> Unsure what I'm doing wrong here.
>>> Circumstance: we've spotted KeyCloak, have reason to be interested, so are deploying an instance into our test environment which happens to be Docker Swarm.
>>>
>>> Problem: The KeyCloak service is being restarted by Docker, presumably due to a crash. The logs indicate it gets so far within a liquibase script then fails.
>>>
>>> Here's the docker-compose.yml file that we are using for deployment purposes:
>>>
>>> https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07
>>>
>>> Here's the log from MySQL:
>>>
>>> https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce
>>>
>>> Here's an initial log from KeyCloak:
>>>
>>> https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef
>>>
>>> Here's a further log from KeyCloak once Docker has decided it needed to be restarted:
>>>
>>> https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42
>>>
>>> As you can see, the MySQL server starts and is configured due to there being no data already present. All looks good. KeyCloak eventually gets connected to MySQL and begins using Liquibase to roll through transitions but crashes (how?) and thus the container overall crashes forcing Docker to restart, which merely happens over and over.
>>>
>>> FWIW I earlier created a StackOverflow post which has us at a _different_ liquibase change but also failing:
>>>
>>> https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482
>>>
>>> What I've posted in the Gists above occurred after I shut everything down and wiped the MySQL data directory of its contents in full.
>>>
>>> An aside - we have multiple projects working within Swarm using stack deployments with externally managed networks (as recommended by Docker) and GlusterFS volumes without issue.
>>> In this particular case the only tangible difference is the use of the latest MySQL version which other projects may not be using. We also do not have experience of WildFly-based software.
>>>
>>> Any ideas what I've done wrong?
>>>
>>> Thanks,
>>>
>>> James
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From john.bartko at drillinginfo.com Thu Aug 3 08:00:22 2017
From: john.bartko at drillinginfo.com (John Bartko)
Date: Thu, 3 Aug 2017 12:00:22 +0000
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment

I *think* that the timeout referred to by this error:

WFLYCTL0348: Timeout after [300] seconds

can be increased by specifying -Djboss.as.management.blocking.timeout=### in the java options.

I suspect that when a liquibase transaction gets abruptly stopped like that, subsequent attempts to use the same database would possibly result in "table already exist" errors.

I experienced, when performing a 1.9.x -> 2.5.x schema update, that the following transaction timeout also needed to be increased beyond its default value of 300:

/subsystem=transactions:write-attribute(name=default-timeout,value=###)

Hope that helps,
- John Bartko
________________________________
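John's hypothesis (a changeset killed by the timeout leaves its table behind but never gets its DATABASECHANGELOG row, so the next start re-runs it and hits "already exists") can be checked directly against the database. The following is an added example, not code from the thread, Keycloak or Liquibase: a Python script with an in-memory sqlite stand-in for the MySQL schema. The changeset-to-table mapping (apart from the 1.7.0 entry, taken from the quoted error), the sample rows and the lock holder are constructed; against a real MySQL instance the same three queries would be pointed at the keycloak schema.

```python
import sqlite3

# Liquibase writes a changeset's DATABASECHANGELOG row only after the changeset
# completes.  MySQL DDL is not transactional, so a CREATE TABLE that ran before
# the JVM was killed (the WFLYCTL0348 management timeout in the thread) stays,
# while the changelog row never arrives; on restart Liquibase re-runs the
# changeset and MySQL answers "Table 'KEYCLOAK_GROUP' already exists".

# Constructed changeset -> tables mapping.  The 1.7.0 entry is the changeset
# named in the error quoted in the thread; the 1.8.0 entry is illustrative only.
CHANGESET_TABLES = {
    ("1.7.0", "bburke@redhat.com", "META-INF/jpa-changelog-1.7.0.xml"): ("KEYCLOAK_GROUP",),
    ("1.8.0", "constructed", "META-INF/jpa-changelog-1.8.0.xml"): ("CONSTRUCTED_TABLE",),
}


def table_names(conn):
    """Upper-cased table names in the database (sqlite stand-in for SHOW TABLES)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0].upper() for row in rows}


def recorded_changesets(conn):
    """(ID, AUTHOR, FILENAME) triples Liquibase has marked as executed."""
    rows = conn.execute("SELECT ID, AUTHOR, FILENAME FROM DATABASECHANGELOG")
    return {tuple(row) for row in rows}


def classify_changesets(conn, mapping=CHANGESET_TABLES):
    """Return {changeset: status} where status is one of
    'applied'     - recorded in DATABASECHANGELOG
    'pending'     - not recorded and none of its tables exist (normal, will run)
    'interrupted' - not recorded but some of its tables exist: the next start
                    will fail with "already exists", exactly as in the thread
    """
    tables = table_names(conn)
    done = recorded_changesets(conn)
    result = {}
    for changeset, created in mapping.items():
        if changeset in done:
            result[changeset] = "applied"
        elif any(t in tables for t in created):
            result[changeset] = "interrupted"
        else:
            result[changeset] = "pending"
    return result


def interrupted_changesets(conn, mapping=CHANGESET_TABLES):
    """Changesets that will make Liquibase fail on the next start."""
    status = classify_changesets(conn, mapping)
    return sorted(cs for cs, st in status.items() if st == "interrupted")


def changelog_lock_holder(conn):
    """LOCKEDBY of a still-held Liquibase lock, or None.  A lock left behind by a
    killed JVM makes the next start sit on "Waiting for changelog lock...."."""
    row = conn.execute(
        "SELECT LOCKED, LOCKEDBY FROM DATABASECHANGELOGLOCK WHERE ID = 1").fetchone()
    if row and row[0]:
        return row[1]
    return None


def build_sample_db():
    """Constructed in-memory database reproducing the state after the timeout:
    DATABASECHANGELOG exists, KEYCLOAK_GROUP was created, the 1.7.0 row was
    never written, and the changelog lock is still held.  Columns are the
    subset of Liquibase's tables this check needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE DATABASECHANGELOG (
            ID VARCHAR(255) NOT NULL, AUTHOR VARCHAR(255) NOT NULL,
            FILENAME VARCHAR(255) NOT NULL, DATEEXECUTED TEXT);
        CREATE TABLE DATABASECHANGELOGLOCK (
            ID INT NOT NULL, LOCKED INTEGER NOT NULL,
            LOCKGRANTED TEXT, LOCKEDBY VARCHAR(255));
        INSERT INTO DATABASECHANGELOGLOCK
            VALUES (1, 1, '2017-08-03 08:53:00', 'constructed-host (constructed-id)');
        -- The statement from the failed changeset, copied from the thread's error.
        CREATE TABLE KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL,
            PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL);
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for cs, st in classify_changesets(db).items():
        print(f"{cs[2]}::{cs[0]}::{cs[1]} -> {st}")
    print("lock held by:", changelog_lock_holder(db))
```

For a fresh install like James's, the remedy the output points at is to drop the schema and start again with the timeouts raised; on a populated database the interrupted changeset needs a backup and a deliberate decision before anything is touched.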
From: keycloak-user-bounces at lists.jboss.org on behalf of James Green
Sent: Thursday, August 3, 2017 6:01:46 AM
To: Marko Strukelj
Cc: keycloak-user
Subject: Re: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment

Looks like a timeout causes an initial crash then the liquibase crashes begin:

https://gist.github.com/jmkgreen/4a474f1b97d8cbea5bf77a6f475ec78c

Unsure what is actually happening that gets timed out though - there is mention of an http interface but is that a repercussion of something deeper?

Thanks,

James

On 3 August 2017 at 11:01, Marko Strukelj wrote:
> Hmm, grasping for straws I would try a previous version of Keycloak to rule out the possibility of a regression, then I would try with a different version of MySql, then I would try a locally running instance of Keycloak against containerised MySql ...
>
> On Thu, Aug 3, 2017 at 11:36 AM, Marko Strukelj wrote:
>
>> There's your error in line 237 of the first log:
>> 08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]
>>
>> The question now is why that table exists already if you started with an empty database.
>>
>> On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
>>
>>> Unsure what I'm doing wrong here.
>>> Circumstance: we've spotted KeyCloak, have reason to be interested, so are deploying an instance into our test environment which happens to be Docker Swarm.
>>>
>>> Problem: The KeyCloak service is being restarted by Docker, presumably due to a crash. The logs indicate it gets so far within a liquibase script then fails.
>>>
>>> Here's the docker-compose.yml file that we are using for deployment purposes:
>>>
>>> https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07
>>>
>>> Here's the log from MySQL:
>>>
>>> https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce
>>>
>>> Here's an initial log from KeyCloak:
>>>
>>> https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef
>>>
>>> Here's a further log from KeyCloak once Docker has decided it needed to be restarted:
>>>
>>> https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42
>>>
>>> As you can see, the MySQL server starts and is configured due to there being no data already present. All looks good. KeyCloak eventually gets connected to MySQL and begins using Liquibase to roll through transitions but crashes (how?) and thus the container overall crashes forcing Docker to restart, which merely happens over and over.
>>>
>>> FWIW I earlier created a StackOverflow post which has us at a _different_ liquibase change but also failing:
>>>
>>> https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482
>>>
>>> What I've posted in the Gists above occurred after I shut everything down and wiped the MySQL data directory of its contents in full.
>>>
>>> An aside - we have multiple projects working within Swarm using stack deployments with externally managed networks (as recommended by Docker) and GlusterFS volumes without issue.
>>> In this particular case the only tangible difference is the use of the latest MySQL version which other projects may not be using. We also do not have experience of WildFly-based software.
>>>
>>> Any ideas what I've done wrong?
>>>
>>> Thanks,
>>>
>>> James
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From t.ruiten at rdmedia.com Thu Aug 3 08:07:38 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Thu, 3 Aug 2017 14:07:38 +0200
Subject: [keycloak-user] illegal character in path when testing email setup

Figured it out, I needed to remove the final '/' on the proxy_pass line so it reads:

proxy_pass http://localhost:8080;

See also: https://forum.nginx.org/read.php?2,75231,175775#msg-175775

And in the nginx docs for proxy_pass:

If proxy_pass is specified without a URI, the request URI is passed to the server in the same form as sent by a client when the original request is processed, or the full normalized request URI is passed when processing the changed URI:

location /some/path/ {
    proxy_pass http://127.0.0.1;
}

On 3 August 2017 at 11:34, Tiemen Ruiten wrote:
> I pinned this down: it's only an issue when running Keycloak behind an nginx proxy.
>
> My current stripped down nginx config:
>
> /etc/nginx/nginx.conf:
>
> include /usr/share/nginx/modules/*.conf;
> user nginx;
> error_log /var/log/nginx/error.log;
> pid /run/nginx.pid;
> worker_processes auto;
> worker_rlimit_nofile 30000;
> events {
>     worker_connections 4096;
>     multi_accept on;
> }
> http {
>     log_format main '$http_host $remote_addr [$time_local] '
>                     '"$request" $status $body_bytes_sent '
>                     '"$http_referer" "$http_user_agent" '
>                     '$request_time $upstream_response_time';
>     access_log /var/log/nginx/access.log main;
>     server_tokens off;
>     include /etc/nginx/mime.types;
>     include /etc/nginx/conf.d/*.conf;
> }
>
> /etc/nginx/conf.d/keycloak.conf
>
> server {
>     listen 443 ssl;
>     server_name REDACTED;
>     ssl_certificate /etc/pki/tls/certs/REDACTED.cer;
>     ssl_certificate_key /etc/pki/tls/private/REDACTED.key;
>
>     location / {
>         proxy_http_version 1.1;
>         proxy_pass http://localhost:8080/;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-Port 443;
>     }
> }
>
> Is there a recommended nginx configuration for Keycloak?
>
> On 14 July 2017 at 11:59, Stian Thorgersen wrote:
>
>> I've tried the same steps and we have tests that do the same steps. So there's something more to it. You can create a JIRA sure, but we need to be able to reproduce it.
>>
>> Ideal is that you can reproduce it with a fresh install of Keycloak directly on your box with a fresh DB as well.
>>
>> On 14 July 2017 at 10:42, Tiemen Ruiten wrote:
>>
>>> Stian, does this help? Should I file a bug report?
>>>
>>> If anyone could give me some pointers for a workaround, that would also be much appreciated.
>>>
>>> On 12 July 2017 at 13:09, Tiemen Ruiten wrote:
>>>
>>>> OK, so I rolled a new Keycloak instance and it gives me the exact same error. Reproducing is trivial:
>>>>
>>>> - login
>>>> - click Realm Settings
>>>> - click Email tab
>>>> - Fill in Host and From fields
>>>> - Hit 'Test connection'
>>>>
>>>> I can share the Ansible playbook I used to set up the VM privately if you'd like.
>>>>
>>>> On 12 July 2017 at 11:43, Tiemen Ruiten wrote:
>>>>
>>>>> Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0 to 3.2.0), in fact the only changes in standalone.xml are related to the keystore and database. I'll see if I can set up another instance and reproduce there.
>>>>>
>>>>> On 11 July 2017 at 07:35, Stian Thorgersen wrote:
>>>>>
>>>>>> Tried to reproduce this, but can't and it's working just fine here. Do you have steps to reproduce?
>>>>>>
>>>>>> On 10 July 2017 at 16:04, Tiemen Ruiten wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I get the following error when hitting the 'Test connection' button on the email tab in Realm settings:
>>>>>>>
>>>>>>> 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started in 21731ms - Started 449 of 824 services (561 services are lazy, passive or on-demand)
>>>>>>> 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"}
>>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:749)
>>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:721)
>>>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58)
>>>>>>> at org.jboss.resteasy.spi.ResteasyUriInfo.<init>(ResteasyUriInfo.java:53)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletUtil.extractUriInfo(ServletUtil.java:41)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:200)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>>> Caused by: java.net.URISyntaxException: Illegal character in path at index 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{"port":null,"host":"mail.rdmedia.com","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"}
>>>>>>> at java.net.URI$Parser.fail(URI.java:2848)
>>>>>>> at java.net.URI$Parser.checkChars(URI.java:3021)
>>>>>>> at java.net.URI$Parser.parseHierarchical(URI.java:3105)
>>>>>>> at java.net.URI$Parser.parse(URI.java:3053)
>>>>>>> at java.net.URI.<init>(URI.java:588)
>>>>>>> at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:744)
>>>>>>> ... 40 more
>>>>>>>
>>>>>>> The 67th character is the slash after testSMTPConnection. Is this a bug and/or is there a workaround/fix?
>>>>>>>
>>>>>>> --
>>>>>>> Tiemen Ruiten
>>>>>>> Systems Engineer
>>>>>>> R&D Media
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

--
Tiemen Ruiten
Systems Engineer
R&D Media

From pcfleischer at outlook.com Thu Aug 3 08:48:52 2017
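Tiemen's fix above turns on the difference between proxy_pass with and without a URI part. As an added illustration, not code from the thread, nginx or Keycloak, this Python model applies the two documented behaviours to the admin console request reconstructed from the quoted URISyntaxException and checks which form still parses as a URI; the browser's percent-encoding of the JSON and nginx's re-escaping rule after normalization are assumptions made for the model.

```python
import json
from urllib.parse import quote, unquote

# Reconstructed from the exception in the thread: the admin console put the
# SMTP settings, as a JSON document, inside the request path.
SMTP_SETTINGS = {"port": None, "host": "mail.rdmedia.com", "ssl": "",
                 "starttls": "", "auth": "", "from": "account@rdmedia.com"}
PUBLIC_ORIGIN = "https://kc.rdmedia.com"  # host seen in the thread's error
ADMIN_PATH = "/auth/admin/realms/master/testSMTPConnection/"

# RFC 3986 path characters.  java.net.URI rejects anything outside this set,
# which is what "Illegal character in path at index N" reports.
_PATH_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789-._~!$&'()*+,;=:@/%")


def client_request_uri(settings=SMTP_SETTINGS):
    """Path the browser sends; assumed encodeURIComponent-style encoding of
    the JSON, so '{', '"' and ':' travel as %7B, %22 and %3A."""
    body = json.dumps(settings, separators=(",", ":"))
    return ADMIN_PATH + quote(body, safe="")


def illegal_path_index(uri):
    """Index of the first character a strict URI parser rejects, or -1."""
    for i, ch in enumerate(uri):
        if ch not in _PATH_CHARS:
            return i
    return -1


def _nginx_reescape(s):
    """After normalization nginx re-escapes only what it treats as unsafe
    (space, '#', '%', '?', control characters); '{' and '"' go out literally.
    Modelled on nginx's escaping table, not taken from nginx itself."""
    out = []
    for ch in s:
        if ch in " #%?" or ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nginx_upstream_uri(request_uri, location="/", proxy_pass_uri=None):
    """Model of the URI nginx sends upstream for a request matching `location`.

    proxy_pass_uri is the URI part of the directive: None for
    `proxy_pass http://localhost:8080;` (Tiemen's fix) and "/" for
    `proxy_pass http://localhost:8080/;` (his original line).
    """
    if proxy_pass_uri is None:
        # Documented: the request URI is passed as the client sent it.
        return request_uri
    # Documented: the *normalized* request URI (percent-decoded) has the part
    # matching `location` replaced by the directive's URI.
    normalized = unquote(request_uri)
    if not normalized.startswith(location):
        raise ValueError("request does not match location")
    return proxy_pass_uri + _nginx_reescape(normalized[len(location):])


def keycloak_sees(proxy_pass_uri):
    """Full URI Keycloak reconstructs behind the proxy (public origin from the
    forwarded headers plus the upstream path) and the index of the first
    illegal character, -1 when the request parses."""
    upstream = nginx_upstream_uri(client_request_uri(), "/", proxy_pass_uri)
    full = PUBLIC_ORIGIN + upstream
    return full, illegal_path_index(full)


if __name__ == "__main__":
    for label, uri_part in (("with trailing slash", "/"), ("without", None)):
        full, idx = keycloak_sees(uri_part)
        verdict = "parses" if idx < 0 else f"illegal char {full[idx]!r} at index {idx}"
        print(f"{label:20s} {verdict}\n  {full}")
```

With the URI part present the model reproduces the thread's "index 67" exactly; the same decoding step is also why a proxy_pass with a URI part will quietly turn %2F into a path separator, so the no-URI form is the safer default in front of an application that encodes data into paths.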
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Thu, 3 Aug 2017 12:48:52 +0000
Subject: [keycloak-user] Identity broker login SAMLResponse handling
References: <24a90799-735f-1741-5903-761655e2f15d@redhat.com> <83F6A601-D5EC-4249-8FA6-6D306042758C@outlook.com>

Hi Guys,

I'm revisiting this again and I think we found a solution. I kept the same setup but instead of the post binding url being either the externalidp (non-keycloak-idp) or another keycloak identity broker I set the URLs to be our client application. I basically ignore the saml response and voila the oidc javascript adapter handles the redirect, oidc token request, etc.

Here are some ideas... any sound like the right direction?

1) Add a custom authentication flow for 'Post-Login' which handles the relay instead of saml client.
2) Somehow configure the Idp client to use 'redirect binding' (it seems like after attaching debugger this is impossible because the client is doing a null check and this is an empty string?)
3) Set up our client application to have an endpoint which basically ignores the post binding.

I personally like the idea of #1 since this would give us some nice control over any other custom actions we may need to perform that can't be handled by the standard flow.

- Phil

> On Jul 31, 2017, at 6:08 AM, Phillip Fleischer wrote:
>
> Maybe we just have our client set up wrong and it's possible to configure it to redirect to the 'management url'??
>
> We tried that for a while but it seemed that the client expected to only want to redirect or post another SAML Response to another endpoint.
>
>> On Jul 31, 2017, at 5:53 AM, Phillip Fleischer wrote:
>>
>> No problem,
>>
>> Our application is angular js using keycloak oidc adapter with spring boot back end. The native behavior is to use Keycloak OIDC directly.
>>
>> The Third Party (Non-kc-server) is the external SAML IdP which we wish to trust to authenticate in via SAMLResponse registering/linking and authenticating into the application. We expect we may have many of these so we're attempting to use KC for ease of use instead of rolling our own.
>>
>> 1) Not-KC -> POST SAMLResponse to kc to authenticate.
>> 2) KC -> Idp broker - handle this saml response.
>> 3) KC -> SAML client - Idp Initiated
>> (cannot use broker directly - it appears to require that KC initiated SAMLRequest with 'code' to be sent in response??)
>> 4) KC -> SAML client - result in POST SAMLResponse to the ACS url.
>> (SAMLResponse still does not have a code that could be handled directly by broker directly??)
>>
>> Up to #3 seems to work, but I think we'd expect that #4 saml client would redirect us to our client (thru relaystate), but it results with a SAMLResponse POST to the ACS url in the client configuration. This is basically back where we started... so hence the logical infinite loop (if we add more brokers and clients we just keep getting more and more saml responses without codes).
>>
>> Hope that helps explain,
>>
>> - Phil
>>
>>> On Jul 31, 2017, at 2:00 AM, Hynek Mlnarik wrote:
>>>
>>> I don't understand the scenario either. What exactly is the scenario? The loop is between which parties? How does "another broker" fit into the picture, is it even Keycloak? Why does your OIDC client not use Keycloak OIDC capabilities directly? Is it necessary to relay the SAML response to the client and process it there?
>>>
>>> Can you rephrase it with explicitly labeling the parties (kc server, non-kc-server (?), client, brokered idp, ...) when you mention them?
>>>
>>> On Sun, Jul 30, 2017 at 2:12 PM, Phillip Fleischer wrote:
>>>> Yeah, I presume it's a logical understanding error but to elaborate...
>>>>
>>>> We're attempting to relay the successful login response and client session to an OIDC client using the js adapter.
>>>> >>>> - Idp Initiated broker seems to be succesful and gets to post login actions >>>> - Idp Initiated client POST another SAMLResponse to ACS POST Binding URL >>>> - This response is signed by KC, if we set up another broker we?ll endlessly be sending SAMLResponses. >>>> >>>> We were thinking we might just be relayed to our client after session and the app would check the session and kick of the OIDC flow. Maybe we need to implement saml adapter in our application to handle the final response? >>>> >>>> ? Phil >>>> >>>>> On Jul 29, 2017, at 10:06 AM, Bill Burke wrote: >>>>> >>>>> I don't understand what the error is. Your external IDP sends a login >>>>> response to >>>>> >>>>> https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated >>>>> >>>>> And there is an infinite loop? >>>>> >>>>> On 7/29/17 5:03 AM, Phillip Fleischer wrote: >>>>>> Hi, >>>>>> >>>>>> We?re using keycloak for several authorization use cases already and are attempting to prototype some identity brokering with an external IdP application. >>>>>> >>>>>> Our current configuration the user is logged in the external IdP which sends a POST with the SAMLResponse directly to our broker. It looks the appropriate solution is idp initiated configuration in the examples. >>>>>> >>>>>> broker: external-idp-name >>>>>> client and url name: saml-idp-initiated >>>>>> >>>>>> https://{root}/auth/realms/{realm}/broker/external-idp-name/endpoint/clients/saml-idp-initiated >>>>>> >>>>>> >>>>>> The challenge is that our client the posts yet another SAMLResponse either back to our broker or to the realm saml service. >>>>>> >>>>>> These result in following results... >>>>>> >>>>>> 1 - {realmUrl}/broker/external-idp-name/endpoint/clients/saml-idp-initiated >>>>>> |?- infinite redirect loop POST SAMLResponses >>>>>> 2 - {realmUrl}/broker/{broker}/endpoint >>>>>> |?- handleSamlResponse fails to validate ?code? set to ?relayState?. 
>>>>>> 3 - {realmUrl}/protocol/saml >>>>>> |?- handles SAMLResponses as logout and fails. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> It feels like we?re either totally missing the mark or this is a use case totally >>>>>> not supported that we?re attempting to kluge together. Anyone have thoughts where we?re going conceptually wrong?? >>>>>> >>>>>> >>>>>> ? Phil >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> -- >>> >>> --Hynek >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From james.mk.green at gmail.com Thu Aug 3 09:52:31 2017 
From: james.mk.green at gmail.com (James Green)
Date: Thu, 3 Aug 2017 14:52:31 +0100
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
In-Reply-To:
References:
Message-ID:

OK I have identified a problem and a workaround:

jboss/keycloak-mysql:latest works against mysql:5.5 but not against mysql:5.6 or mysql:5.7

Here's the log working against mysql:5.5 - note the time taken to initialise the database:

[ ... ]
13:37:38,210 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started realmRevisions cache from keycloak container
13:37:38,219 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started userRevisions cache from keycloak container
13:37:38,224 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
13:37:42,640 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 57) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
13:41:13,725 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
13:41:13,781 INFO [org.hibernate.Version] (ServerService Thread Pool -- 57) HHH000412: Hibernate Core {5.0.7.Final}
13:41:13,782 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000206: hibernate.properties not found
[ ... ]

That's quite a bit of time operating against an empty database!

On 3 August 2017 at 13:00, John Bartko wrote:

> I *think* that the timeout referred to by this error:
>
> > WFLYCTL0348: Timeout after [300] seconds
>
> can be increased by specifying -Djboss.as.management.blocking.timeout=###
> in the java options.
>
> I suspect that when a liquibase transaction gets abruptly stopped like
> that, subsequent attempts to use the same database would possibly result in
> "table already exist" errors.
>
> I found, when performing a 1.9.x -> 2.5.x schema update, that the following
> transaction timeout also needed to be increased beyond its default value of
> 300:
>
> /subsystem=transactions:write-attribute(name=default-timeout,value=###)
>
> Hope that helps,
> - John Bartko
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of James Green <james.mk.green at gmail.com>
> *Sent:* Thursday, August 3, 2017 6:01:46 AM
> *To:* Marko Strukelj
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
>
> Looks like a timeout causes an initial crash then the liquibase crashes
> begin:
>
> https://gist.github.com/jmkgreen/4a474f1b97d8cbea5bf77a6f475ec78c
>
> Unsure what is actually happening that gets timed out though - there is
> mention of an http interface but is that a repercussion of something
> deeper?
>
> Thanks,
>
> James
>
>
> On 3 August 2017 at 11:01, Marko Strukelj wrote:
>
> > Hmm, grasping for straws I would try a previous version of Keycloak to
> > rule out the possibility of a regression, then I would try with a different
> > version of MySql, then I would try a locally running instance of Keycloak
> > against containerised MySql ...
> >
> > On Thu, Aug 3, 2017 at 11:36 AM, Marko Strukelj wrote:
> >
> >> There's your error in line 237 of the first log:
> >> 08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]
> >>
> >> The question now is why that table exists already if you started with an
> >> empty database.
> >>
> >> On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
> >>
> >>> Unsure what I'm doing wrong here. Circumstance: we've spotted KeyCloak,
> >>> have reason to be interested, so are deploying an instance into our test
> >>> environment which happens to be Docker Swarm.
> >>>
> >>> Problem: The KeyCloak service is being restarted by Docker, presumably due
> >>> to a crash. The logs indicate it gets so far within a liquibase script then
> >>> fails.
> >>>
> >>> Here's the docker-compose.yml file that we are using for deployment
> >>> purposes:
> >>>
> >>> https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07
> >>>
> >>> Here's the log from MySQL:
> >>>
> >>> https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce
> >>>
> >>> Here's an initial log from KeyCloak:
> >>>
> >>> https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef
> >>>
> >>> Here's a further log from KeyCloak once Docker has decided it needed to be
> >>> restarted:
> >>>
> >>> https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42
> >>>
> >>> As you can see, the MySQL server starts and is configured due to there
> >>> being no data already present. All looks good. KeyCloak eventually gets
> >>> connected to MySQL and begins using Liquibase to roll through transitions
> >>> but crashes (how?) and thus the container overall crashes forcing Docker to
> >>> restart, which merely happens over and over.
> >>>
> >>> FWIW I earlier created a StackOverflow post which has us at a _different_
> >>> liquibase change but also failing:
> >>>
> >>> https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482
> >>>
> >>> What I've posted in the Gists above occurred after I shut everything down
> >>> and wiped the MySQL data directory of its contents in full.
> >>>
> >>> An aside - we have multiple projects working within Swarm using stack
> >>> deployments with externally managed networks (as recommended by Docker) and
> >>> GlusterFS volumes without issue. In this particular case the only tangible
> >>> difference is the use of the latest MySQL version which other projects may
> >>> not be using. We also do not have experience of WildFly-based software.
> >>>
> >>> Any ideas what I've done wrong?
> >>>
> >>> Thanks,
> >>>
> >>> James
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From adam.keily at adelaide.edu.au Fri Aug 4 01:03:44 2017
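The failure pattern this thread converges on (a long Liquibase schema initialisation, the WFLYCTL0348 management blocking timeout cutting the first boot short, and "Table ... already exists" on every restart after the interrupted run) can be triaged mechanically from the server log. The script below is an added example, not code from the thread or from the Keycloak project: it runs three regexes over constructed log lines modelled on the excerpts quoted above, measures how long the schema initialisation took, names which of the three states the log is in, and prints the two settings John Bartko mentions, sized to the measured time. Splitting the samples into a working, a first-boot and a second-boot log is an assumption made for the demo, and the full WFLYCTL0348 wording is constructed around the fragment visible in the quoted log.

```python
import re
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample logs, modelled on the excerpts quoted in this thread.
# Timestamps and message fragments come from those excerpts; the split into
# a "working", a "first boot" and a "second boot" log is an assumption.
WORKING_BOOT = [
    "13:37:42,640 INFO  [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] "
    "(ServerService Thread Pool -- 57) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml",
    "13:41:13,725 INFO  [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) "
    "HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]",
]
FIRST_BOOT = [
    WORKING_BOOT[0],
    "13:42:42,700 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) "
    "WFLYCTL0348: Timeout after [300] seconds waiting for service container stability. Operation will roll back.",
]
SECOND_BOOT = [
    "08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] "
    "(ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke@redhat.com failed. "
    "Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL)]",
]

TS = r"(?P<ts>\d{2}:\d{2}:\d{2},\d{3})"
RE_SCHEMA_START = re.compile(TS + r" .*LiquibaseJpaUpdaterProvider\] .*Initializing database schema")
RE_SCHEMA_DONE = re.compile(TS + r" .*HHH000204: Processing PersistenceUnitInfo")
RE_MGMT_TIMEOUT = re.compile(r"WFLYCTL0348: Timeout after \[(?P<secs>\d+)\] seconds")
RE_ALREADY_EXISTS = re.compile(r"Change Set (?P<changeset>\S+) failed\..*?Table '(?P<table>\w+)' already exists")


def _clock(ts: str) -> datetime:
    # The WildFly console log carries time of day only; same-day ordering is assumed.
    return datetime.strptime(ts, "%H:%M:%S,%f")


def triage(lines: List[str]) -> Dict[str, Any]:
    """Extract the three signals the thread turned on."""
    result: Dict[str, Any] = {
        "schema_init_seconds": None,   # wall time of the Liquibase run, if it finished
        "mgmt_timeout_seconds": None,  # WFLYCTL0348 blocking timeout that fired, if any
        "already_exists": [],          # (changeset, table) pairs left by an interrupted run
    }
    started: Optional[datetime] = None
    for line in lines:
        m = RE_SCHEMA_START.search(line)
        if m:
            started = _clock(m.group("ts"))
            continue
        m = RE_SCHEMA_DONE.search(line)
        if m and started is not None:
            result["schema_init_seconds"] = (_clock(m.group("ts")) - started).total_seconds()
            continue
        m = RE_MGMT_TIMEOUT.search(line)
        if m:
            result["mgmt_timeout_seconds"] = int(m.group("secs"))
            continue
        m = RE_ALREADY_EXISTS.search(line)
        if m:
            result["already_exists"].append((m.group("changeset"), m.group("table")))
    return result


def diagnose(result: Dict[str, Any]) -> str:
    """Name the state the log shows; the order matters, a partial schema dominates."""
    if result["already_exists"]:
        changeset, table = result["already_exists"][0]
        return (f"partial-schema: {changeset} found {table} already present; the previous run "
                "was interrupted, so the schema must be dropped (or restored) before retrying")
    if result["mgmt_timeout_seconds"] is not None and result["schema_init_seconds"] is None:
        return (f"timeout: schema initialisation did not finish within the "
                f"{result['mgmt_timeout_seconds']}s management blocking timeout")
    if result["schema_init_seconds"] is not None:
        return f"ok: schema initialised in {result['schema_init_seconds']:.0f}s"
    return "unknown: none of the known signals found"


def remedy(seconds: int) -> Tuple[str, str]:
    """The two knobs named in the thread, sized to the measured run time."""
    return (
        f"JAVA_OPTS+=' -Djboss.as.management.blocking.timeout={seconds}'",
        f"/subsystem=transactions:write-attribute(name=default-timeout,value={seconds})",
    )


if __name__ == "__main__":
    for name, log in (("working", WORKING_BOOT), ("first boot", FIRST_BOOT), ("second boot", SECOND_BOOT)):
        print(f"{name}: {diagnose(triage(log))}")
    print("\n".join(remedy(900)))
```

The ordering inside `diagnose` is deliberate: once a restart loop has begun, every later log shows the "already exists" error and the original timeout is only visible in the first log, so the partial-schema verdict has to win and point back at the wiped-database step rather than at raising timeouts again.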
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Fri, 4 Aug 2017 05:03:44 +0000
Subject: [keycloak-user] ADFS SAML Logout
Message-ID:

Hi,

Can anyone shed any light on this? I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.

In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.

I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1 version.

Help appreciated.
Thanks
Adam

14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
    at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    ... 37 more
Caused by: java.lang.NullPointerException
    at java.net.URI$Parser.parse(URI.java:3042)
    at java.net.URI.<init>(URI.java:588)
    at java.net.URI.create(URI.java:850)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
    ... 51 more

--

From hmlnarik at redhat.com Fri Aug 4 02:25:59 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 4 Aug 2017 08:25:59 +0200
Subject: [keycloak-user] ADFS SAML Logout
In-Reply-To:
References:
Message-ID:

It seems ADFS has not set the name format when logging in. Have you configured output Name ID format in the respective ADFS transform claim rule?

--Hynek

On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily wrote:
> Hi,
>
> Can anyone shed any light on this? I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.
>
> In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
>
> I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1 version.
>
> Help appreciated.
> Thanks
> Adam
>
> 14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
> at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
> at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
> ... 37 more
> Caused by: java.lang.NullPointerException
> at java.net.URI$Parser.parse(URI.java:3042)
> at java.net.URI.<init>(URI.java:588)
> at java.net.URI.create(URI.java:850)
> at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
> at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
> ... 51 more
>
> --
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

--Hynek

From bubi at charmides.in-berlin.de Fri Aug 4 04:48:22 2017
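Hynek's reading of the trace is that the NameID ADFS issued at login carried no Format, and that null surfaces only later, when Keycloak builds the LogoutRequest for the IdP (the `URI.create` frame under `SAML2LogoutRequestBuilder.createLogoutRequest`). The check below is an added example, not code from the thread or from Keycloak: it reads the `Subject/NameID` out of a SAML response and reports, before any single-logout is attempted, whether the Format attribute is missing or non-standard. The three SAML responses are constructed for the demo (unsigned, reduced to the elements the check reads, with made-up issuer and NameID values); the list of recognised format URNs is the demo's own whitelist of the standard SAML ones.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard nameid-format URNs this demo recognises (the usual candidates for
# the outgoing Name ID format of an ADFS transform claim rule).
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

PROBLEM_NO_NAMEID = "assertion has no Subject/NameID"
PROBLEM_NO_FORMAT = "NameID has no Format attribute"
PROBLEM_UNKNOWN_FORMAT = "NameID Format is not a standard nameid-format URN"


def _response(name_id_element: str) -> str:
    # Constructed SAML response for the demo: unsigned, reduced to the elements
    # this check reads; issuer and NameID values are made up.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        + name_id_element
        + "</saml:Subject></saml:Assertion></samlp:Response>"
    )


RESPONSE_WITH_FORMAT = _response(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1234</saml:NameID>'
)
RESPONSE_WITHOUT_FORMAT = _response("<saml:NameID>u-1234</saml:NameID>")
RESPONSE_ODD_FORMAT = _response('<saml:NameID Format="custom">u-1234</saml:NameID>')


def extract_name_id(response_xml: str) -> Dict[str, Optional[str]]:
    """Return the NameID value and its Format attribute (None when absent)."""
    root = ET.fromstring(response_xml)
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        return {"value": None, "format": None}
    value = (node.text or "").strip()
    return {"value": value or None, "format": node.get("Format")}


def logout_preflight(response_xml: str) -> List[str]:
    """Problems that would only surface later, when a LogoutRequest is built
    from the NameID stored at login. An empty list means logout can be tried."""
    nid = extract_name_id(response_xml)
    if nid["value"] is None:
        return [PROBLEM_NO_NAMEID]
    if not nid["format"]:
        return [PROBLEM_NO_FORMAT]
    if nid["format"] not in KNOWN_FORMATS:
        return [PROBLEM_UNKNOWN_FORMAT]
    return []


if __name__ == "__main__":
    for label, xml in (("with format", RESPONSE_WITH_FORMAT),
                       ("without format", RESPONSE_WITHOUT_FORMAT),
                       ("odd format", RESPONSE_ODD_FORMAT)):
        print(f"{label}: {logout_preflight(xml) or 'ok'}")
```

`xml.etree` is used here only because the input is constructed; a response received over the wire must have its signature verified first and be parsed with a hardened parser (for example `defusedxml`), since an attacker-controlled document reaches the parser before anything in it has been authenticated.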
From: bubi at charmides.in-berlin.de (Burghard Britzke)
Date: Fri, 4 Aug 2017 10:48:22 +0200
Subject: [keycloak-user] Searching for a class named org.keycloak.services.filters.ClientConnectionFilter
Message-ID: <846FE48B-FCA9-49BD-9406-0628936E0B2F@charmides.in-berlin.de>

In order to run a keycloak-server on tomcat, I am searching for a class named org.keycloak.services.filters.ClientConnectionFilter.
Could anybody send me a hint where to find it?
Could anybody share a link to a documentation of this filter?

--
Regards
burghard.britzke
https://britzke.berlin/

From thomas.darimont at googlemail.com Fri Aug 4 05:14:13 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 4 Aug 2017 11:14:13 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak and HAProxy
In-Reply-To: <6f52043452674dd28d4fdea8950b89e4@CHNSHLMBX32.ad.infosys.com>
References: <6f52043452674dd28d4fdea8950b89e4@CHNSHLMBX32.ad.infosys.com>
Message-ID:

Hello Shankar,

a while ago I built a demo-system with Keycloak running behind a ha-proxy with docker.
Maybe this helps you a bit.

https://github.com/jugsaar/visit-yajug-20161023-keycloak/tree/master/idm-system

Cheers,
Thomas

2017-08-04 7:09 GMT+02:00 Shankar_Bhaskaran :

> Hi ,
>
> We have configured HAProxy as our load balancer and keycloak (3.0) as our
> SSO. We have configured the keycloak domain and secured our wars with
> keycloak for our web application.
>
> In Haproxy we have provided the "forwardfor" option which introduces the
> header parameter -"X-Forwarded-For" and configured keycloak as given below
> to accept the header parameter as given below.
>
> " redirect-socket="https" proxy-address-forwarding="true"/>"
>
> But still the redirect from keycloak is going to HAProxy machine and not
> to backend servers with our webapp.
>
> Is there any help you can provide here?
>
> Regards,
> Shankar
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

From brahima at gmail.com Fri Aug 4 05:22:17 2017
From: brahima at gmail.com (Brahim Ait elhaj) Date: Fri, 4 Aug 2017 11:22:17 +0200 Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) In-Reply-To: References: <220032d0170a40aa890d4d39af67b6a7@FE-MBX1028.de.bosch.com> Message-ID: Hi pedro, Sorry for the delay to answer, but yes. To familiarize myself with KC, it tried the approach you suggested in our last discussion (MQTT Broker both a PDP and PEP) and it works. I'm still considering the more ?clean? approach but this gave an argument in favor of adopting the tool (having a working solution) ... it tried several others (WSO2 ...) and find KC more simple to understand and integrate. We're currently deploying it in our qa environment to push our tests further ... On Wed, Aug 2, 2017 at 12:00 AM, Pedro Igor Silva wrote: > Hi Brahim, > > Are you still considering Keycloak and our Authorization Services in your > architecture ? > > Regards. > Pedro Igor > > On Thu, Jul 13, 2017 at 4:41 AM, Schuster Sebastian (INST/ESY1) < > Sebastian.Schuster at bosch-si.com> wrote: > >> Hi Pedro, >> >> Since I saw you referring to "https://docs.kantarainitiativ >> e.org/uma/ed/uma-core-2.0-08.html#seek-authorization": I think this is >> not latest version of UMA2. They changed the naming of the spec parts and >> IMHO https://docs.kantarainitiative.org/uma/ed/oauth-uma-grant-2. >> 0-04.html and https://docs.kantarainitiative.org/uma/ed/oauth-uma- >> federated-authz-2.0-04.html form the current spec. Just in case you did >> not notice the change of names... >> >> Best regards, >> Sebastian >> >> Mit freundlichen Gr??en / Best regards >> >> Sebastian Schuster >> >> Engineering and Support (INST/ESY1) >> Bosch Software Innovations GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin >> | GERMANY | www.bosch-si.com >> Tel. 
+49 30 726112-485 | Fax +49 30 726112-100 | >> Sebastian.Schuster at bosch-si.com >> >> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B >> Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn >> >> >> >> >> -----Original Message----- 
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva
>> Sent: Wednesday, 12 July 2017 19:19
>> To: Brahim Ait elhaj
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT)
>>
>> On Wed, Jul 12, 2017 at 1:23 PM, Brahim Ait elhaj wrote:
>>
>> >> If a device is actually a user, who are your clients? The same devices?
>> >
>> > My client is the MQTT Server in this use case (as the photoz-restful-api in the photoz example).
>> > I want to protect access to MQTT topics (paths/resources) of this MQTT server.
>> >
>> > I was initially asking myself whether devices should be "users" or "clients", but we could end with a lot of clients in the latter scenario ... also after playing with KC and reading through the mailing list questions/answers, I think that's a better approach to have devices be users and not clients.
>> >
>> > However, did you have something in mind when asking this question?
>>
>> I was wondering if the users you mentioned were actually service accounts associated with clients representing your devices. But yeah, the decision on whether devices should be users or not I think depends on the capabilities you want to support on them.
>>
>> >>> For several reasons/constraints that I won't explain here, I can't have my devices connect first to Keycloak to obtain a token (using their X.509 certificates as KC supports it) and then connect to the MQTT Broker passing this token. They connect directly to the MQTT Broker, each device presenting its X.509 certificate to the Broker. After connection, the Broker doesn't know the client private key.
>> >>
>> >> Now I'm curious :)
>> >
>> > Ok, the main reason is that the one thing that can be guaranteed about devices is that they have a certificate to authenticate themselves. They're not necessarily http or even mqtt capable. They can be able to communicate only via a low power wide area network (Lora / Sigfox ... ie. not connected to the internet directly).
>> >
>> > So we know how to deal with a user (be it a human or a device) that can authenticate and get an access token.
>> > My concern here is how to deal with a user (device) that can not.
>>
>> Ok, so that changes things a bit ...
>>
>> >> However, I think we could support your use case with the UMA 2.0 changes we are planning. In the new version of the specs, the client doesn't actually need an access token in order to obtain RPTs from the AS. There is a specific OAuth2 Grant Type, which you can use just like any other grant type. The tricky part here is that instead of using an OAuth2 Access Token to gain access to our APIs, you basically authenticate the client using whatever client authentication method we support. For instance, id/secret, jwt or even using a bearer token (as it stands today). In addition to that, you are allowed to send tokens with claims associated with a requesting party (e.g.: your devices). That would allow you to send your devices' certificates.
>> >>
>> >> In a nutshell, in a single request to the server you would provide your client credentials + device certificate. And we would need to support extracting requesting party information (the user) from certificates.
>> >
>> > Yes, it seems really interesting and corresponding to what I'd like to achieve. Since you talk about UMA, I understand this is the "Authorization API" that is involved here.
>>
>> That is one of the changes introduced by UMA 2.0. The Authorization API was replaced by a UMA Grant Type [1]. We are going to deprecate the Authorization API and leave it there for a while. But remove it in future releases.
>>
>> My statement above also applies to our Entitlement API, which we also want to support scenarios where the identity is not really represented by an ID or access token.
>>
>> [1] https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-08.html#seek-authorization
>>
>> > Also, you said "In the new version of the specs, the client doesn't actually need an access token in order to obtain RPTs from AS", can you please point me to the specs that talk about this specific part (if possible)? I quickly went through the v2.0 without being able to clearly identify this specific part ...
>>
>> See link above.
>>
>> > Do you have something (beta ...) that I can start playing with? Is it already in the roadmap (maybe you have a specific ticket number in mind)?
>>
>> Nothing yet ... But this is my next task in Keycloak. At the moment I'm stuck with tasks in other projects that I need to get done. But the JIRA is https://issues.jboss.org/browse/KEYCLOAK-3169.
>>
>> > Depending on the estimated "landing" date, I can contribute in many ways. So, what's the next step :-)
>>
>> Sure thing. Maybe you can start providing some more background to what you need in that JIRA. Although the title is related with UMA 2.0 it will also involve changes to the Entitlement API.
>>
>> The initial plan did not include what we are discussing here. But I think we can consider your requirements during development once we agree on what we really need to do.
>>
>> Maybe another approach to your problem is to make your MQTT Broker both a PDP and PEP. I mean, you would use some REST API in Keycloak to evaluate policies based on a set of one or more resources/topics + enforce access based on the permissions returned by the server. We do have an endpoint that you can use to evaluate policies (see https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java#L70). But it is basically accessing the API used by our Policy Evaluation Tool in the admin console. Ideally, you should use the Entitlement API, Authorization API/UMA Grant Type.
>>
>> >>> Best regards,
>> >>> Brahim
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From: veit.guna at gmx.de (Veit Guna)
Date: Fri, 4 Aug 2017 14:05:38 +0200
Subject: [keycloak-user] AWS ELB
Message-ID:

Hi.

My company plans to use KC for central authentication and authorization for multiple microservice backends and frontends. Since all our services are running on AWS, we're wondering whether it is a problem to use the AWS ELBs and not the wildfly clustering.

So my question is, is it a requirement to use the wildfly clustering capabilities to be able to get a working, scalable KC? What might not work or even break if we just load balance against isolated KC instances which maybe share the same storage/db?

Thanks!
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Fri, 4 Aug 2017 13:12:12 +0000
Subject: [keycloak-user] AWS ELB
In-Reply-To:
References:
Message-ID:

I believe this is pretty well documented somewhere. Unless I recall incorrectly, even with multiple nodes in standalone you still need clustering set up for many operations. Since clustering uses multicast by default you'll need to use jgroups backed by a database provider of some sort. If you search around I believe this is all out on documentation; you might need to search jboss docs instead of keycloak though.

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Veit Guna
Sent: Friday, August 4, 2017 8:05:38 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] AWS ELB

[quoted original message, see above]

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
From: jasonspittel at yahoo.com (Jason Spittel)
Date: Fri, 4 Aug 2017 13:47:08 +0000 (UTC)
Subject: [keycloak-user] ADFS SAML Logout
In-Reply-To:
References:
Message-ID: <1961904341.7345913.1501854428922@mail.yahoo.com>

Hi Adam,

I had this exact same issue. If you are running a JEE stack with JSF on the Service Provider (SP), the issue has to do with how a logout is initiated on the SP side. Generally, you just set a GLO parameter and have the Keycloak adapter on the SP side logout:

    externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");

But setting that parameter results in the jsessionid on the SP side being killed, which results in the SP trying to log in before logging out. My work around was to preserve the jsessionid before setting the GLO parameter:

    import javax.faces.context.ExternalContext;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    private void preserveJsessionidCookie(ExternalContext externalContext)
    {
        Cookie[] cookies = ((HttpServletRequest) externalContext.getRequest()).getCookies();
        if (cookies == null)
        {
            return; // request carried no cookies, nothing to preserve
        }
        for (Cookie cookie : cookies)
        {
            if (cookie.getName().equalsIgnoreCase("jsessionid"))
            {
                // re-send the session cookie so the SP session survives the ?GLO=true redirect
                ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
                break;
            }
        }
    }

Hope this helps,
Jason

On Thursday, August 3, 2017, 11:29:11 PM PDT, Hynek Mlnarik wrote:

It seems ADFS has not set the name format when logging in. Have you configured output Name ID format in respective ADFS transform claim rule?

--Hynek

On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily wrote:
> Hi,
>
> Can anyone shed any light on this. I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.
>
> In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
>
> I've tried recreating the IdP config. Tried different realms and keycloak instances.
> I'm currently testing using the Red Hat SSO 7.1 version.
>
> Help appreciated.
> Thanks
> Adam
>
> 14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
>         at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
>         at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>         at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
>         at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
>         at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
>         ... 37 more
> Caused by: java.lang.NullPointerException
>         at java.net.URI$Parser.parse(URI.java:3042)
>         at java.net.URI.<init>(URI.java:588)
>         at java.net.URI.create(URI.java:850)
>         at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
>         at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
>         at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
>         ... 51 more
>
> --
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek
From: ryan.dawson at alfresco.com (Ryan Dawson)
Date: Fri, 4 Aug 2017 13:58:17 +0000
Subject: [keycloak-user] Keycloak and zuul
Message-ID: <6DC52E0F-CAB9-42EB-B41F-1E312BA5C655@alfresco.com>

Hi,

Does anyone have example configuration for using keycloak together with Zuul as the reverse proxy and the services behind the proxy getting the authenticated user from the request? I'm currently trying to configure keycloak authentication on the proxy and pass the token through to the services.

Ryan

From: john.bartko at drillinginfo.com (John Bartko)
Date: Fri, 4 Aug 2017 14:18:45 +0000
Subject: [keycloak-user] AWS ELB
In-Reply-To:
References: ,
Message-ID:

I believe it is the case that either nodes must replicate the session cache, or the LB must use some sort of session affinity.

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Phillip Fleischer
Sent: Friday, August 4, 2017 8:12:12 AM
To: Veit Guna; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] AWS ELB

[quoted earlier replies, see above]
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Fri, 4 Aug 2017 14:32:54 +0000
Subject: [keycloak-user] AWS ELB
In-Reply-To:
References: , ,
Message-ID:

I wonder if you completely disabled caching in configuration if that would work with no additional changes. Obviously not ideal for performance. We definitely are using jgroups for this though.

________________________________
From: John Bartko
Sent: Friday, August 4, 2017 10:18:45 AM
To: Veit Guna; keycloak-user at lists.jboss.org; Phillip Fleischer
Subject: Re: [keycloak-user] AWS ELB

[quoted earlier replies, see above]
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Fri, 4 Aug 2017 17:44:28 +0200
Subject: [keycloak-user] NullPointerException when attempting to remove group
Message-ID:

Hello,

I'm getting the following error when I attempt to delete a group that has been imported from a FreeIPA LDAP User Federation through a group-ldap-mapper:

2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) UT005023: Exception handling request to /auth/admin/realms/authentid/groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
        at org.keycloak.services.resources.admin.permissions.GroupPermissions.deletePermissions(GroupPermissions.java:188)
        at org.keycloak.services.resources.admin.permissions.GroupPermissions.setPermissionsEnabled(GroupPermissions.java:167)
        at org.keycloak.services.resources.admin.permissions.AdminPermissions$1.onEvent(AdminPermissions.java:77)
        at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68)
        at org.keycloak.models.jpa.JpaRealmProvider.removeGroup(JpaRealmProvider.java:379)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.removeGroup(RealmCacheSession.java:926)
        at org.keycloak.models.cache.infinispan.RealmAdapter.removeGroup(RealmAdapter.java:1242)
        at org.keycloak.services.resources.admin.GroupResource.deleteGroup(GroupResource.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

In fact, I can not delete any groups anymore. There are two LDAP User Federations set up, one to an Active Directory, one to the aforementioned FreeIPA instance. Both have group mappers set up and some of the group names clash unfortunately, that's why I wanted to delete some groups and redo the import.

What can I do?

--
Tiemen Ruiten
Systems Engineer
R&D Media
From: jwhiting at redhat.com (Jeremy Whiting)
Date: Fri, 4 Aug 2017 17:20:04 +0100
Subject: [keycloak-user] Missing artifact in JBoss Public Nexus repository.
Message-ID:

Hi,

I cloned the project and attempted to run the Maven resolve goal

    $ mvn dependency:resolve

The goal fails. Looks like this artifact is missing in Nexus.

    org.keycloak.example.demo:product-portal-example:war:2.4.0.Final

I am thinking this was missed during the release to the jboss-public-repository-group. Shall I raise a JIRA?

........
[INFO] EAR example ........................................ FAILURE [  0.022 s]
[INFO] Admin Access Example ............................... SKIPPED
[INFO] Angular Product Portal JS .......................... SKIPPED
[INFO] Angular2 Product Portal JS ......................... SKIPPED
[INFO] JAX-RS Database Service Using OAuth Bearer Tokens .. SKIPPED
[INFO] Simple OAuth Client ................................ SKIPPED
[INFO] Simple OAuth Client Using CDI and JSF .............. SKIPPED
[INFO] Service Account Example App ........................ SKIPPED
[INFO] Offline Access Portal .............................. SKIPPED
[INFO] Provider Examples .................................. SKIPPED
[INFO] Event Listener System.out Example .................. SKIPPED
[INFO] Event Store In-Mem Example ......................... SKIPPED
[INFO] Properties Authentication Provider Example ......... SKIPPED
[INFO] Authenticator Example .............................. SKIPPED
[INFO] Authenticator Example .............................. SKIPPED
[INFO] Domain Extension Example ........................... SKIPPED
[INFO] User Storage JPA Provider Exapmle .................. SKIPPED
[INFO] JS Console ......................................... SKIPPED
[INFO] Keycloak Examples - Multi Tenant ................... SKIPPED
[INFO] Keycloak Examples - Basic Auth ..................... SKIPPED
[INFO] Fuse examples ...................................... SKIPPED
[INFO] Customer Portal - Secured in Karaf/Fuse ............ SKIPPED
[INFO] CXF JAXWS Example - Secured in Karaf/Fuse .......... SKIPPED
[INFO] Product Portal - Secured in Karaf/Fuse ............. SKIPPED
[INFO] CXF JAXRS Example - Secured in Karaf/Fuse .......... SKIPPED
[INFO] Camel endpoint example - Secured in Karaf/Fuse ..... SKIPPED
[INFO] Keycloak Fuse Example - Features ................... SKIPPED
[INFO] Keycloak Examples - External Config ................ SKIPPED
[INFO] Keycloak Examples - Kerberos Credential Delegation . SKIPPED
[INFO] Themes Examples .................................... SKIPPED
[INFO] Provider Examples .................................. SKIPPED
[INFO] Keycloak SAML Adapter Example POST Binding and Signatures SKIPPED
[INFO] Keycloak SAML Adapter Example POST Binding and Assertion Encryption SKIPPED
[INFO] Keycloak SAML Adapter Example Redirect Binding with Signatures SKIPPED
[INFO] Keycloak SAML Adapter as a Servlet Filter .......... SKIPPED
[INFO] LDAP Demo Application .............................. SKIPPED
[INFO] Keycloak Authz: Examples Parent .................... SKIPPED
[INFO] Keycloak Authz: PhotoZ Example Application Parent . SKIPPED
[INFO] Keycloak Authz: Photoz RESTful API ................. SKIPPED
[INFO] Keycloak Authz: Photoz HTML5 Client ................ SKIPPED
[INFO] Keycloak Authz: Examples - Photoz Authz Rule-based Policy SKIPPED
[INFO] Keycloak Authz: Examples - Servlet Authorization ... SKIPPED
[INFO] Keycloak Authz: Hello World Example ................ SKIPPED
[INFO] Keycloak Authz: Hello World Example ................ SKIPPED
[INFO] Keycloak TestSuite ................................. SKIPPED
[INFO] Keycloak Arquillian Integration TestSuite .......... SKIPPED
[INFO] Servers ............................................ SKIPPED
[INFO] Auth Server ........................................ SKIPPED
[INFO] Auth Server Services ............................... SKIPPED
[INFO] Auth Server Services - Testsuite Providers ......... SKIPPED
[INFO] Keycloak Integration TestSuite ..................... SKIPPED
[INFO] Keycloak Security Proxy TestSuite .................. SKIPPED
[INFO] Keycloak Tomcat 6 Integration TestSuite ............ SKIPPED
[INFO] Keycloak Tomcat 7 Integration TestSuite ............ SKIPPED
[INFO] Keycloak Tomcat 8 Integration TestSuite ............ SKIPPED
[INFO] Keycloak Jetty 8.1.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak Jetty 9.1.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak Jetty 9.2.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak Jetty 9.3.x Integration TestSuite ......... SKIPPED
[INFO] Keycloak SAML Jetty Testsuite Integration .......... SKIPPED
[INFO] Test apps .......................................... SKIPPED
[INFO] JS Console ......................................... SKIPPED
[INFO] Test apps distribution ............................. SKIPPED
[INFO] JAX-RS Database Service Using OAuth Bearer Tokens .. SKIPPED
[INFO] Keycloak Authz: PhotoZ Test Parent ................ SKIPPED
[INFO] Keycloak Authz Test: Photoz RESTful API ............ SKIPPED
[INFO] Keycloak Authz Tests: Photoz HTML5 Client .......... SKIPPED
[INFO] Keycloak Authz Tests: Photoz Authz Rule-based Policy SKIPPED
[INFO] Keycloak Authz Tests: Hello World Example .......... SKIPPED
[INFO] Keycloak Authz: Servlet Authorization Test ......... SKIPPED
[INFO] integration-arquillian-test-apps-servlets .......... SKIPPED
[INFO] Test utils ......................................... SKIPPED
[INFO] Auth Server - JBoss ................................ SKIPPED
[INFO] Auth Server - Undertow ............................. SKIPPED
[INFO] App Server ......................................... SKIPPED
[INFO] App Server - JBoss ................................. SKIPPED
[INFO] App Server - Karaf ................................. SKIPPED
[INFO] App Server - Tomcat ................................ SKIPPED
[INFO] Tests .............................................. SKIPPED
[INFO] Base TestSuite ..................................... SKIPPED
[INFO] Other Tests Modules ................................ SKIPPED
[INFO] Adapter Tests ...................................... SKIPPED
[INFO] Adapter Tests - JBoss .............................. SKIPPED
[INFO] Adapter Tests - Karaf .............................. SKIPPED
[INFO] Adapter Tests - Tomcat ............................. SKIPPED
[INFO] SSSD tests ......................................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 12.801 s
[INFO] Finished at: 2017-08-04T17:08:52+01:00
[INFO] Final Memory: 290M/1130M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project customer-portal-example-ear: Could not resolve dependencies for project org.keycloak.example.demo:customer-portal-example-ear:ear:2.4.0.Final: Failure to find org.keycloak.example.demo:product-portal-example:war:2.4.0.Final in http://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss-public-repository-group has elapsed or updates are forced -> [Help 1]
[ERROR]

Jeremy

--
Jeremy Whiting
Senior Software Engineer, Middleware Performance Team
Red Hat
------------------------------------------------------------
Registered Address: Red Hat UK Ltd, Peninsular House, 30 Monument Street, London. United Kingdom.
Registered in England and Wales under Company Registration No. 03798903.
Directors: Michael Cunningham (US), Michael O'Neill (Ireland), Eric Shander (US)
From: miloud.belarbi at essencedigital.com (Miloud Belarbi)
Date: Fri, 4 Aug 2017 17:22:53 +0100
Subject: [keycloak-user] Missing client_id query param on social broker link
Message-ID:

Hello,

I'm having trouble successfully connecting an identity provider (google) with keycloak to supply login to saml clients of keycloak.

I have created a realm 'universe' and created two clients in that realm. One with saml as the client protocol called 'samlclient' and the other with openid-connect as the client protocol called 'openclient'. I am able to login to both clients using a user created on the universe realm. No problem so far.

I now add a google social identity provider following the guide here: http://www.keycloak.org/docs/2.5/server_admin/topics/identity-broker/social/google.html

I am able to login to openclient using both keycloak login and google login. I am able to still login to samlclient using keycloak login, but NOT using google social login. I've attached an image to demonstrate what I mean.

On the openclient: The red google button has the following link:
{root}/auth/realms/universe/broker/google/login?client_id=openclient&code=xyz

On the samlclient: The red google button has the following link:
{root}/auth/realms/universe/broker/google/login?code=yxz

The difference between the two is that keycloak doesn't put the client_id query param to call the broker for samlclient but does so for the openclient. I did inspect on my chrome browser and modified the link and added the query param &client_id=samlclient and it worked fine.

Can someone help me identify why my saml client doesn't inject that query param in the broker url link? How can I fix this?

Kind regards.
Miloud

--
essenceglobal.com

From edwin.zhao at nokia-sbell.com Fri Aug 4 12:31:18 2017
From: edwin.zhao at nokia-sbell.com (Zhao, Edwin (NSB - CN/Beijing))
Date: Fri, 4 Aug 2017 16:31:18 +0000
Subject: [keycloak-user] Brute Force Detection issue: wrong password attempt counter not reset with successful login
In-Reply-To:
References:
Message-ID:

Hi Keycloak team,

This is Edwin from Nokia A&A organization. We want a change on brute force detection, to reset the password failure counter after a successful login. I saw 2 related tickets had once been created for this before:
https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046

We understand the potential risk, but many of our products still want this change to enhance user experiences. So we are once again raising this request, please help to provide the enhancement. Please let me know if I need to create a JIRA ticket.

Thanks,
Edwin

----------------------------------------------
Reproduce:
* Enable Brute Force Detection on the realm
* Set Max Login Failures to 3 (or any other number) on a user
* Attempt to log in to Keycloak with the user; try an invalid password 2 times
* Attempt to log in to Keycloak with the user with the correct password (should succeed)
* Log out
* Attempt to log in to Keycloak with the user; try an invalid password 1 time
* Attempt to log in to Keycloak with the user with the correct password (should succeed, but fails)
* Verify by logging in with Administrator to Keycloak and check the user status (will be locked out).

From celso.agra at gmail.com Fri Aug 4 13:46:58 2017
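To make the counter semantics in this report concrete, here is a small Python model, added here and not Keycloak's own code. It keeps a per-user failure counter with a "reset on success" switch, replays the reproduction steps from the post under both policies, and also shows the trade-off the two linked tickets weigh: with reset-on-success, wrong attempts that happen to be interleaved with the real user's logins never accumulate to the threshold. The user name "alice", the threshold of 3 and the plain lock (no wait increments, no temporary lockout) are assumptions of the model.

```python
"""Simplified model of a per-user login-failure counter (added example; not Keycloak code).

Assumptions (not taken from the post): user "alice", max 3 failures, and a
plain lock once the threshold is reached, with no wait increments.
"""
from dataclasses import dataclass, field


@dataclass
class FailureCounter:
    max_failures: int = 3           # "Max Login Failures" from the report
    reset_on_success: bool = False  # False reproduces the reported behaviour
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, password_ok: bool) -> bool:
        """Process one login attempt; return True if the login is accepted."""
        if user in self.locked:
            return False                      # locked users are rejected outright
        if not password_ok:
            n = self.failures.get(user, 0) + 1
            self.failures[user] = n
            if n >= self.max_failures:
                self.locked.add(user)         # threshold reached: lock the account
            return False
        if self.reset_on_success:
            self.failures[user] = 0           # the change requested in the post
        return True

    def is_locked(self, user: str) -> bool:
        return user in self.locked


def replay_report(reset_on_success: bool) -> list:
    """Replay the reproduction steps: wrong x2, correct, wrong x1, correct.

    Returns the outcome of each attempt followed by the final lock state.
    """
    counter = FailureCounter(max_failures=3, reset_on_success=reset_on_success)
    sequence = [False, False, True, False, True]
    outcomes = [counter.attempt("alice", ok) for ok in sequence]
    return outcomes + [counter.is_locked("alice")]


def wrong_attempts_before_lockout(reset_on_success: bool, legit_every: int = 2,
                                  budget: int = 9) -> int:
    """Count wrong-password attempts processed before lockout when the real
    user logs in successfully after every `legit_every` wrong attempts.

    With reset_on_success=True the counter never reaches the threshold; this
    is the risk the maintainers weigh against the convenience of the reset.
    """
    counter = FailureCounter(max_failures=3, reset_on_success=reset_on_success)
    processed = 0
    for i in range(1, budget + 1):
        if counter.is_locked("alice"):
            break
        counter.attempt("alice", False)
        processed += 1
        if i % legit_every == 0:
            counter.attempt("alice", True)    # legitimate login in between
    return processed


if __name__ == "__main__":
    print("no reset  :", replay_report(False))   # last element True: locked out
    print("with reset:", replay_report(True))    # last element False
    print("wrong attempts processed (no reset / with reset):",
          wrong_attempts_before_lockout(False), wrong_attempts_before_lockout(True))
```

Without the reset the replay ends with the account locked, exactly as the report describes; with the reset the same sequence never locks, and neither does a much longer run of wrong attempts as long as a successful login keeps landing in between.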
From: celso.agra at gmail.com (Celso Agra)
Date: Fri, 4 Aug 2017 14:46:58 -0300
Subject: [keycloak-user] Does it have OTP and TFA algorithms on keycloak?
Message-ID:

Is there a way to perform an OTP and Two factor authentication on Keycloak? I'm looking for a solution to implement a Two factor authentication and One time Password to do critical operations in my app. So, I'd like to know if Keycloak has a specific flow for that. If not, I'd like to know if it would be possible to integrate users from keycloak into LinOTP application.

Best Regards,
--
---
Celso Agra

From adam.keily at adelaide.edu.au Sun Aug 6 22:16:03 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Mon, 7 Aug 2017 02:16:03 +0000
Subject: [keycloak-user] ADFS SAML Logout
In-Reply-To: <1961904341.7345913.1501854428922@mail.yahoo.com>
References: <1961904341.7345913.1501854428922@mail.yahoo.com>
Message-ID:

Awesome. Thanks for your help guys.

Hynek, you were correct, I'd been able to get ADFS brokered sign on working using the "unspecified" Name ID format. Unfortunately, it looks like this breaks sign out. Once I configured ADFS to send NameID in email address format, it would indeed pass the signout request to ADFS. This post was useful too: http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html. I'd read it before but obviously not well enough. For me I just preferred using email address (actually UPN), rather than the Windows qualified domain name.

I also had "Want AuthnRequests Signed" set to off in keycloak which is required for successful signout, along with setting the SAML signature key name to CERT_SUBJECT. Once I did all that, single logout now works.

Incidentally, I wanted to keep the username in keycloak as the sAMAccountName value so I configured ADFS to send the sAMAccountName as the Common Name claim and then configured a username template importer mapper with ${ATTRIBUTE.http://schemas.xmlsoap.org/claims/CommonName}.

Thanks for the help.
Adam
From: Jason Spittel [mailto:jasonspittel at yahoo.com]
Sent: Friday, 4 August 2017 11:17 PM
To: Hynek Mlnarik ; Adam Keily
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] ADFS SAML Logout

Hi Adam,

I had this exact same issue. If you are running a JEE stack with JSF on the Service Provider (SP), the issue has to do with how a logout is initiated on the SP side. Generally, you just set a GLO parameter and have the Keycloak adapter on the SP side log out:

    externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");

But setting that parameter results in the jsessionid on the SP side being killed, which results in the SP trying to log in before logging out. My work around was to preserve the jsessionid before setting the GLO parameter:

    private void preserveJsessionidCookie(ExternalContext externalContext) {
        HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return; // getCookies() returns null when the request carries no cookies
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().equalsIgnoreCase("jsessionid")) {
                // re-send the container session cookie so the GLO redirect keeps the session
                ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
                break;
            }
        }
    }

Hope this helps,
Jason

On Thursday, August 3, 2017, 11:29:11 PM PDT, Hynek Mlnarik wrote:

It seems ADFS has not set the name format when logging in. Have you configured output Name ID format in respective ADFS transform claim rule?

--Hynek

On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily wrote:
> Hi,
>
> Can anyone shed any light on this. I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.
>
> In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
>
> I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1. version.
>
> Help appreciated.
> Thanks
> Adam
>
> 14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
> at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
> at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
> ... 37 more
> Caused by: java.lang.NullPointerException
> at java.net.URI$Parser.parse(URI.java:3042)
> at java.net.URI.<init>(URI.java:588)
> at java.net.URI.create(URI.java:850)
> at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
> at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
> ... 51 more
>
> --

--
--Hynek

From veit.guna at gmx.de Mon Aug 7 03:31:55 2017
From: veit.guna at gmx.de (Veit Guna)
Date: Mon, 7 Aug 2017 09:31:55 +0200
Subject: [keycloak-user] AWS ELB
In-Reply-To:
References:
Message-ID:

Yeah, something like this I had in mind. Currently all our services are stateless REST services that don't need something like a session or replication or such. Having to set up some Wildfly specific cluster in AWS would put an extra burden on our DevOps. Not sure how big the pain is though :).

So the question is not about Wildfly and how to set up a cluster in AWS, but more like, what KC needs to function properly. Does it heavily rely on Wildfly/JEE (EJBs, distributed TX etc.) to function properly or is it just a "goodie" that comes with Wildfly out-of-the-box (loadbalancing, failover etc.)? E.g. does it really need session replication? What does the cache need to function properly? Maybe it supports redis? Things like that.

I wonder if someone has a running setup working on AWS without spinning up a Wildfly cluster and just relying on AWS ELB and maybe sticky sessions with isolated KC instances.

On 04.08.2017 at 16:32, Phillip Fleischer wrote:
> I wonder if you completely disabled caching in configuration if that
> would work with no additional changes. Obviously not ideal for
> performance.
>
> We definitely are using jgroups for this though.
>
> ------------------------------------------------------------------------
> *From:* John Bartko
> *Sent:* Friday, August 4, 2017 10:18:45 AM
> *To:* Veit Guna; keycloak-user at lists.jboss.org; Phillip Fleischer
> *Subject:* Re: [keycloak-user] AWS ELB
>
> I believe it is the case that either nodes must replicate the session
> cache, or the LB must use some sort of session affinity.
>
> ------------------------------------------------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org on behalf of Phillip Fleischer
> *Sent:* Friday, August 4, 2017 8:12:12 AM
> *To:* Veit Guna; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] AWS ELB
>
> I believe this is pretty well documented somewhere.
>
> Unless I recall incorrectly, even with multiple nodes in standalone you
> still need clustering setup for many operations. Since clustering uses
> multicast by default you'll need to use jgroups backed by a database
> provider of some sort.
>
> If you search around I believe this is all out on documentation; you
> might need to search jboss docs instead of keycloak though.
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Veit Guna
> Sent: Friday, August 4, 2017 8:05:38 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] AWS ELB
>
> Hi.
>
> My company plans to use KC for central authentication and authorization
> for multiple microservice backends and frontends.
> Since all our services are running on AWS, we're wondering whether it is
> a problem to use the AWS ELBs and not the wildfly clustering.
>
> So my question is, is it a requirement to use the wildfly clustering
> capabilities to be able to get a working, scalable KC?
> What might not work or even break if we just load balance against
> isolated KC instances which maybe share the same storage/db?
>
> Thanks!

From rody.van.der.vliet at accenture.com Mon Aug 7 03:50:01 2017
From: rody.van.der.vliet at accenture.com (van der Vliet, Rody)
Date: Mon, 7 Aug 2017 07:50:01 +0000
Subject: [keycloak-user] Issue impersonate functionality Keycloak 3.2.0
Message-ID:

Hi Keycloak Community,

We have recently upgraded our application landscape to use Keycloak 3.2.0. Within this version we have noticed some unstable behavior regarding the impersonate function in the admin console of keycloak.

Regards,
Rody van der Vliet
Technology Consultant - Financial Services
+31622484548
rody.van.der.vliet at accenture.com

From mposolda at redhat.com Mon Aug 7 04:10:54 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 7 Aug 2017 10:10:54 +0200
Subject: [keycloak-user] Searching for a class named org.keycloak.services.filters.ClientConnectionFilter
In-Reply-To: <846FE48B-FCA9-49BD-9406-0628936E0B2F@charmides.in-berlin.de>
References: <846FE48B-FCA9-49BD-9406-0628936E0B2F@charmides.in-berlin.de>
Message-ID: <0ab8c0bd-69f9-d425-21a0-8f808ee11e5c@redhat.com>

We don't support running Keycloak server on Tomcat. The blogpost you mentioned in the other post is from 2015 and very likely is outdated and doesn't work with Keycloak 3.2.0.

What you can do is download the Keycloak server distribution and then the Tomcat adapter, so your apps on Tomcat will be secured.

Marek

On 04/08/17 10:48, Burghard Britzke wrote:
> in order to run a keycloak-server on tomcat, I am searching for a class named org.keycloak.services.filters.ClientConnectionFilter. Could anybody send me a hint where to find it? Could anybody share a link to a documentation of this filter?
> --
> Regards
> burghard.britzke
> https://britzke.berlin/

From thomas.delhomenie at gmail.com Mon Aug 7 05:07:12 2017
From: thomas.delhomenie at gmail.com (Thomas DELHOMENIE)
Date: Mon, 7 Aug 2017 11:07:12 +0200
Subject: [keycloak-user] Migration from Picketlink IDM
Message-ID:

Hello,

We currently use PicketLink (in a quite old version: 1.4), especially the IDM part. As Picketlink is a dead project, we are evaluating alternative solutions, which naturally led us to Keycloak. I have some questions:

* I understand that Keycloak must be run as a server, but isn't there a way to embed only the User Federation capability in an application (so not in server mode)? We basically need to be able to manage users/groups, aggregate them from multiple sources (LDAP, AD, custom data store, ...) and expose them in our API. That's what we did with Picketlink IDM, but I am not sure it is feasible with Keycloak.
* We provide the capability for the administrators of our application to configure their users and groups storages, by configuration. Is it still possible with Keycloak or can this only be done via the admin console?

Regards,
Thomas

From ncdram at gmail.com Mon Aug 7 05:47:37 2017
From: ncdram at gmail.com (N. C. Deepak Ramesh)
Date: Mon, 7 Aug 2017 15:17:37 +0530
Subject: [keycloak-user] Password Reset Issue for Outlook Users
Message-ID:

Hi All,

We have deployed Keycloak 3.1.0.Final and everything works fine. However, password reset fails for all users using Outlook (Webmail/Client). When clicking on the password reset link the user gets the following message:

"We're sorry, An error occurred, please login through your application again"

I suspect this is the same issue as what is described on http://lists.jboss.org/pipermail/keycloak-user/2017-May/010586.html

Is this fixed in later versions of Keycloak? Or if it is deemed not to be a Keycloak bug are there any recommended work-arounds for this user base that is primarily on Outlook? How do other installations get around this problem? Any help would be greatly appreciated.

Thanks in advance.

Deepak

From hmlnarik at redhat.com Mon Aug 7 06:01:36 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 7 Aug 2017 12:01:36 +0200
Subject: [keycloak-user] Password Reset Issue for Outlook Users
In-Reply-To:
References:
Message-ID:

This should have been fixed in Keycloak 3.2.0 (until then the password reset link would get expired immediately after rendering; since 3.2.0 the link gets expired after the actual password reset). Further improvements are part of subsequent releases.

--Hynek

On Mon, Aug 7, 2017 at 11:47 AM, N. C. Deepak Ramesh wrote:
> Hi All,
>
> We have deployed Keycloak 3.1.0.Final and everything works fine. However,
> password reset fails for all users using Outlook (Webmail/Client). When
> clicking on the password reset link the user gets the following message:
>
> "We're sorry, An error occurred, please login through your application
> again"
>
> I suspect this is the same issue as what is described on
> http://lists.jboss.org/pipermail/keycloak-user/2017-May/010586.html
>
> Is this fixed in later versions of Keycloak? Or if it is deemed not to be a
> Keycloak bug are there any recommended work-arounds for this user base
> that is primarily on Outlook? How do other installations get around this
> problem? Any help would be greatly appreciated.
>
> Thanks in advance.
>
> Deepak

--
--Hynek

From mposolda at redhat.com Mon Aug 7 06:53:00 2017
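The two behaviours Hynek describes (link invalidated on rendering versus invalidated on the actual reset) explain why mail clients and link scanners that fetch URLs ahead of the user break the old flow. The Python model below is an added illustration of those two policies, not Keycloak's implementation (which uses its own action-token mechanism); it only reproduces the observable behaviour. The token format, the 300-second TTL and the timestamps in the simulation are constructed for the example.

```python
"""Model of the two reset-link expiry policies from the reply (added example; not Keycloak code).

Policy A ("expire on render"): the link is invalidated as soon as the reset
form is rendered, so a mail client or link scanner that fetches the URL first
consumes it before the user ever sees the form.
Policy B ("expire on reset"): the link stays valid until a new password is
actually submitted, then becomes single-use.
Token format, TTL and the timestamps below are constructed for the example.
"""
import secrets


class ResetLinkStore:
    def __init__(self, expire_on_render: bool, ttl_seconds: int = 300):
        self.expire_on_render = expire_on_render
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (user, expiry_time)

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(16)  # unguessable, single-use
        self._tokens[token] = (user, now + self.ttl)
        return token

    def _lookup(self, token: str, now: float):
        entry = self._tokens.get(token)
        if entry is None or now > entry[1]:
            return None  # unknown, already consumed, or past its TTL
        return entry

    def render_form(self, token: str, now: float) -> bool:
        """GET of the link: is a reset form shown?"""
        if self._lookup(token, now) is None:
            return False
        if self.expire_on_render:
            del self._tokens[token]  # policy A: the GET alone consumes the link
        return True

    def submit_new_password(self, token: str, now: float) -> bool:
        """POST of the form: is the password actually changed?"""
        if self._lookup(token, now) is None:
            return False
        del self._tokens[token]  # single use under both policies
        return True


def simulate_prefetching_client(expire_on_render: bool) -> dict:
    """A mail client fetches the link at t=1, the user opens it at t=60,
    submits at t=90, and the same link is replayed at t=95."""
    store = ResetLinkStore(expire_on_render)
    token = store.issue("alice", now=0)
    return {
        "prefetch_rendered": store.render_form(token, now=1),
        "user_sees_form": store.render_form(token, now=60),
        "password_changed": store.submit_new_password(token, now=90),
        "replay_accepted": store.submit_new_password(token, now=95),
    }


def link_usable_after_ttl(expire_on_render: bool) -> bool:
    """Under either policy the link must also die on its own after the TTL."""
    store = ResetLinkStore(expire_on_render, ttl_seconds=300)
    token = store.issue("alice", now=0)
    return store.render_form(token, now=301)


if __name__ == "__main__":
    print("expire on render:", simulate_prefetching_client(True))
    print("expire on reset :", simulate_prefetching_client(False))
```

Under policy A the prefetch succeeds and the real user then gets the error Deepak reports; under policy B the user completes the reset and a later replay of the same link is rejected, so the link is still single-use, just consumed at the right step.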
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 7 Aug 2017 12:53:00 +0200
Subject: [keycloak-user] Migration from Picketlink IDM
In-Reply-To:
References:
Message-ID:

Glad that someone is still using picketlink 1.4. It reminds me of the old days when I was working on GateIn Portal, which was using Picketlink 1.4 :) But I agree that it is good to migrate :)

Answers inline.

On 07/08/17 11:07, Thomas DELHOMENIE wrote:
> Hello,
>
> We currently use PicketLink (in a quite old version: 1.4), especially the
> IDM part. As Picketlink is a dead project, we are evaluating alternative
> solutions, which naturally led us to Keycloak. I have some questions:
> * I understand that Keycloak must be run as a server, but isn't there a way
> to embed only the User Federation capability in an application (so not in
> server mode)? We basically need to be able to manage users/groups,
> aggregate them from multiple sources (LDAP, AD, custom data store, ...) and
> expose them in our API. That's what we did with Picketlink IDM, but I am
> not sure it is feasible with Keycloak.

Not directly. Keycloak is meant to be used as a server and do it for you. Once a user successfully authenticates, the details are available in his accessToken. The application doesn't know from which source (LDAP server) this info came; it's not the responsibility of the application.

Also Keycloak has an admin REST API, which allows you to search for users and return corresponding JSON objects with user details. We have a nice admin client, which allows you to easily execute this REST API from a Java application.

> * we provide the capability for the administrators of our application to
> configure their users and groups storages, by configuration. Is it still
> possible with Keycloak or can this only be done via the admin console?

We have an admin REST API, and everything which is doable in the Keycloak admin console can also be done through the admin REST API.

In the latest 3.2.1 version there is a more fine-grained admin permissions model, which should allow you to specify permissions for admins in a more fine-grained way if needed.

Marek

> Regards,
> Thomas

From ncdram at gmail.com Mon Aug 7 07:31:40 2017
From: ncdram at gmail.com (N. C. Deepak Ramesh)
Date: Mon, 7 Aug 2017 17:01:40 +0530
Subject: [keycloak-user] Password Reset Issue for Outlook Users
In-Reply-To:
References:
Message-ID:

That's great news. Let me upgrade to 3.2.0 and get back.

Deepak

On Mon, Aug 7, 2017 at 3:31 PM, Hynek Mlnarik wrote:
> This should have been fixed in Keycloak 3.2.0 (until then the password
> reset link would get expired immediately after rendering;
> since 3.2.0 the link gets expired after the actual password reset).
> Further improvements are part of subsequent releases.
>
> --Hynek
>
> On Mon, Aug 7, 2017 at 11:47 AM, N. C. Deepak Ramesh wrote:
> > Hi All,
> >
> > We have deployed Keycloak 3.1.0.Final and everything works fine. However,
> > password reset fails for all users using Outlook (Webmail/Client). When
> > clicking on the password reset link the user gets the following message:
> >
> > "We're sorry, An error occurred, please login through your application
> > again"
> >
> > I suspect this is the same issue as what is described on
> > http://lists.jboss.org/pipermail/keycloak-user/2017-May/010586.html
> >
> > Is this fixed in later versions of Keycloak? Or if it is deemed not to be a
> > Keycloak bug are there any recommended work-arounds for this user base
> > that is primarily on Outlook? How do other installations get around this
> > problem? Any help would be greatly appreciated.
> >
> > Thanks in advance.
> >
> > Deepak
>
> --
> --Hynek

From thomas.delhomenie at gmail.com Mon Aug 7 09:03:20 2017
From: thomas.delhomenie at gmail.com (Thomas DELHOMENIE)
Date: Mon, 7 Aug 2017 15:03:20 +0200
Subject: [keycloak-user] Migration from Picketlink IDM
In-Reply-To:
References:
Message-ID:

Funny, the application I am talking about is Gatein/eXo actually :)

Thanks for your answers Marek. Looks like replacing Picketlink by Keycloak will not be as straightforward as I initially thought. It will require architecture changes, will impact configuration and custom developments, and will require data migration if we want to use it.

On 7 Aug 2017 12:53, "Marek Posolda" wrote:

Glad that someone is still using picketlink 1.4. It reminds me of the old days when I was working on GateIn Portal, which was using Picketlink 1.4 :) But I agree that it is good to migrate :)

Answers inline.

On 07/08/17 11:07, Thomas DELHOMENIE wrote:
> Hello,
>
> We currently use PicketLink (in a quite old version: 1.4), especially the
> IDM part. As Picketlink is a dead project, we are evaluating alternative
> solutions, which naturally led us to Keycloak. I have some questions:
> * I understand that Keycloak must be run as a server, but isn't there a way
> to embed only the User Federation capability in an application (so not in
> server mode)? We basically need to be able to manage users/groups,
> aggregate them from multiple sources (LDAP, AD, custom data store, ...) and
> expose them in our API. That's what we did with Picketlink IDM, but I am
> not sure it is feasible with Keycloak.

Not directly. Keycloak is meant to be used as a server and do it for you. Once a user successfully authenticates, the details are available in his accessToken. The application doesn't know from which source (LDAP server) this info came; it's not the responsibility of the application.

Also Keycloak has an admin REST API, which allows you to search for users and return corresponding JSON objects with user details. We have a nice admin client, which allows you to easily execute this REST API from a Java application.

> * we provide the capability for the administrators of our application to
> configure their users and groups storages, by configuration. Is it still
> possible with Keycloak or can this only be done via the admin console?

We have an admin REST API, and everything which is doable in the Keycloak admin console can also be done through the admin REST API.

In the latest 3.2.1 version there is a more fine-grained admin permissions model, which should allow you to specify permissions for admins in a more fine-grained way if needed.

Marek

> Regards,
> Thomas

From simonpayne58 at gmail.com Mon Aug 7 10:10:31 2017
From: simonpayne58 at gmail.com (Simon Payne)
Date: Mon, 7 Aug 2017 15:10:31 +0100
Subject: [keycloak-user] token introspection
Message-ID:

Hi All,

I'm evaluating keycloak and I'm currently looking at token introspection. I've managed to achieve this manually, i.e. by sending a post via postman, but I'm unable to figure out whether this can be achieved via the keycloak adapters, specifically spring boot. Any help in this area would be appreciated.

thanks
Simon.

From MPoettgen at clifford-thames.com Mon Aug 7 11:14:29 2017
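Whatever adapter ends up making the call, token introspection is the same HTTP exchange Simon already drove from Postman: a form-encoded POST carrying the token, authenticated with the resource server's client credentials, answered with a JSON document that says whether the token is active. The Python below is an added example of that exchange from the resource server's side; it is not code from the post or from the Keycloak adapters. The host, the realm "demo", the endpoint path (Keycloak's per-realm introspection endpoint under protocol/openid-connect), the client credentials and the two sample responses are all assumptions or constructed values.

```python
"""OAuth 2.0 token introspection (RFC 7662) from a resource server's point of view.

Added example, not from the post or from the Keycloak adapters. Assumed values:
the host, the realm "demo", the endpoint path below, and the sample responses,
which are constructed to resemble introspection output, not captured from a server.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

# Keycloak's per-realm introspection endpoint; host and realm are placeholders.
INTROSPECTION_URL = ("https://keycloak.example.invalid/auth/realms/demo"
                     "/protocol/openid-connect/token/introspect")


def build_introspection_request(url: str, client_id: str, client_secret: str,
                                token: str) -> urllib.request.Request:
    """Form-encoded POST with the token in the body; the client authenticates via HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def evaluate_introspection(body: bytes, expected_audience: str, now: float) -> dict:
    """Decide whether a token may be accepted based on the introspection response.

    Checks, in order: the server says the token is active; it has not expired;
    this resource server is among its audiences. Returns 'ok', 'reason' and claims.
    """
    claims = json.loads(body)
    if claims.get("active") is not True:
        # RFC 7662: an inactive token yields {"active": false} and nothing else
        return {"ok": False, "reason": "token not active", "claims": claims}
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        return {"ok": False, "reason": "token expired", "claims": claims}
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    if expected_audience not in audiences:
        return {"ok": False, "reason": "audience mismatch", "claims": claims}
    return {"ok": True, "reason": "", "claims": claims}


def introspect(token: str, client_id: str, client_secret: str, expected_audience: str,
               url: str = INTROSPECTION_URL) -> dict:
    """Perform the live call (needs network); not exercised by the offline checks."""
    req = build_introspection_request(url, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return evaluate_introspection(resp.read(), expected_audience, time.time())


# Constructed sample responses (not captured from a real server)
SAMPLE_ACTIVE = json.dumps({
    "active": True, "exp": 2_000_000_000, "aud": ["my-api"], "client_id": "web-app",
    "username": "alice", "scope": "openid profile",
}).encode()
SAMPLE_INACTIVE = b'{"active": false}'


if __name__ == "__main__":
    print(evaluate_introspection(SAMPLE_ACTIVE, "my-api", now=1_700_000_000)["ok"])
    print(evaluate_introspection(SAMPLE_INACTIVE, "my-api", now=1_700_000_000)["reason"])
```

The evaluation step is the part adapters tend to differ on: an "active" flag alone is not enough, since a token can be active for a different audience or about to expire, so the resource server checks those claims itself before trusting the request.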
From: MPoettgen at clifford-thames.com (Michael Poettgen) Date: Mon, 7 Aug 2017 15:14:29 +0000 Subject: [keycloak-user] Delegated User Self-Administration Message-ID: Hello Everyone, I've got questions on how to properly do delegated user self-administration with Keycloak. Some background information: * We are working with hundreds or even thousands of organizations for which we want to manage access to our applications. * Some of these organizations are our internal divisions for which we have active directories. Users from these organizations can be integrated through "User Storage Federation" and they will continue to be maintained in the respective directories. * Some of these organizations are part of larger organizations which have proper identity providers. Users from these organizations can be integrated through "Identity Brokering" and they will continue to be maintained in the respective identity providers. * For the remaining external organizations (and there are a lot of them) we would have to maintain user accounts ourselves and we would like to delegate that maintenance work to a designated user self-administrator within the external organization. * A user self-administrator should be able to view, create, lock and unlock user accounts within the same organization. * Optionally a user self-administrator should be able to grant or revoke access to particular (sets of) applications for the users he is allowed to administer. I do understand that this could probably be achieved through separate realms and "Dedicated Realm Admin Consoles", but as far as I understand these realms would be entirely separate. This would mean that we would have to set up clients hundreds of times for each of the organizations. We would have to figure out how to direct each user to the proper realm for authentication and each organization would have its own login page. 
* Does Keycloak have something like the notion of "sub-realms" where a user can authenticate against a realm, if there is a corresponding user account in the realm itself or in one of the sub-realms? * It is probably possible to use the "User Storage SPI" to write a custom User Storage Federation Provider, but does that make sense? Would it perform well? * Another option would probably be to write a custom User Self-Administration application using the "Admin REST API". (Unfortunately there is not even an API to retrieve users filtered by anything other than base properties, so the application could end up retrieving thousands of user accounts to find five accounts belonging to a particular organization.) * The third option would be to customize Keycloak itself, but we are no Java experts, so is this advisable? * Has anyone implemented a scenario like this with Keycloak? * Does anyone know whether there are any plans to extend Keycloak to better support a scenario like this? Thanks, Michael This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. From bruno at abstractj.org Mon Aug 7 16:27:05 2017 
From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 07 Aug 2017 20:27:05 +0000 Subject: [keycloak-user] [keycloak-dev] Searching for a class named org.keycloak.services.filters.ClientConnectionFilter In-Reply-To: <35AE1E1D-4186-4335-81B4-D0338279AE90@charmides.in-berlin.de> References: <468FF9D7-636A-4A2E-8D96-CC9992DCA802@charmides.in-berlin.de> <35AE1E1D-4186-4335-81B4-D0338279AE90@charmides.in-berlin.de> Message-ID: I don't think this is supported. Also, like Bill and Stian stated in 2015 (http://lists.jboss.org/pipermail/keycloak-dev/2015-November/006018.html), in theory it would be possible, but new issues may happen as we update. On Sun, Aug 6, 2017 at 3:30 AM Burghard Britzke wrote: > I posted it already on the [keycloak-user] mailing list without a reply. > I want to run the keycloak server on a tomcat 8/9 instance. For that, I > found an article > https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/ > which describes how to deploy keycloak on tomcat. Unfortunately it > describes the version 1.1.0-Beta2, which is very old. In his web.xml a > filter with the name > org.keycloak.services.filters.ClientConnectionFilter is referenced. When > starting the context on tomcat8/9, a ClassNotFoundException is thrown. > I have been unable to resolve the dependency in 1.1.0-Beta2 and > 3.2.0-Final, too. > > The name of the class suggests that it is from the keycloak project. Can > anybody give me a hint where to find this class? I also asked the author > of the above article, but until now he has not answered. > > -- > Regards > burghard.britzke > https://britzke.berlin/ > > > Begin forwarded message: > > > > To: keycloak-user at lists.jboss.org > > > > In order to run a keycloak-server on tomcat, I am searching for a class > named org.keycloak.services.filters.ClientConnectionFilter. Could anybody > send me a hint where to find it? 
Could anybody share a link to > documentation of this filter? > > -- > > Regards > > burghard.britzke > > https://britzke.berlin/ > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From bruno at abstractj.org Mon Aug 7 16:33:27 2017 
From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 07 Aug 2017 20:33:27 +0000 Subject: [keycloak-user] [keycloak-dev] Searching for a class named org.keycloak.services.filters.ClientConnectionFilter In-Reply-To: <35AE1E1D-4186-4335-81B4-D0338279AE90@charmides.in-berlin.de> References: <468FF9D7-636A-4A2E-8D96-CC9992DCA802@charmides.in-berlin.de> <35AE1E1D-4186-4335-81B4-D0338279AE90@charmides.in-berlin.de> Message-ID: By the way, that class was removed a long time ago. See: https://github.com/keycloak/keycloak/tree/1.2.0.Final/services/src/main/java/org/keycloak/services/filters On Sun, Aug 6, 2017 at 3:30 AM Burghard Britzke wrote: > I posted it already on the [keycloak-user] mailing list without a reply. > I want to run the keycloak server on a tomcat 8/9 instance. For that, I > found an article > https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/ > which describes how to deploy keycloak on tomcat. Unfortunately it > describes the version 1.1.0-Beta2, which is very old. In his web.xml a > filter with the name > org.keycloak.services.filters.ClientConnectionFilter is referenced. When > starting the context on tomcat8/9, a ClassNotFoundException is thrown. > I have been unable to resolve the dependency in 1.1.0-Beta2 and > 3.2.0-Final, too. > > The name of the class suggests that it is from the keycloak project. Can > anybody give me a hint where to find this class? I also asked the author > of the above article, but until now he has not answered. > > -- > Regards > burghard.britzke > https://britzke.berlin/ > > > Begin forwarded message: > > > > To: keycloak-user at lists.jboss.org > > > > In order to run a keycloak-server on tomcat, I am searching for a class > named org.keycloak.services.filters.ClientConnectionFilter. Could anybody > send me a hint where to find it? Could anybody share a link to > documentation of this filter? > > -- > > Regards 
> > burghard.britzke > > https://britzke.berlin/ > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From simonpayne58 at gmail.com Tue Aug 8 04:31:27 2017 From: simonpayne58 at gmail.com (Simon Payne) Date: Tue, 8 Aug 2017 09:31:27 +0100 Subject: [keycloak-user] token introspection In-Reply-To: References: Message-ID: After some debugging I figured that keycloak.policy-enforcer-config.online-introspection=true switched on this functionality; however, it appears to error with a 400 after making a call to the /auth/realms/master/protocol/openid-connect/token endpoint. I'm assuming this is a bug? Thanks On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne wrote: > Hi All, > > I'm evaluating Keycloak and I'm currently looking at token introspection. > > I've managed to achieve this manually, i.e. by sending a POST via Postman, > but I'm unable to figure out whether this can be achieved via the Keycloak > adapters, specifically Spring Boot. > > Any help in this area would be appreciated. > > Thanks > > Simon. > From Anton.Arntz at planonsoftware.com Tue Aug 8 04:53:57 2017 
From: Anton.Arntz at planonsoftware.com (Anton Arntz) Date: Tue, 8 Aug 2017 08:53:57 +0000 Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive Message-ID: You are absolutely right, but at the time this was all the information I had and just wanted to check if anyone else had a similar experience. We narrowed it down to 1 realm receiving a lot of requests. All the requests are originating from the customer's ADFS that fills up our log. It seems that those requests aren't even logged at the keycloak realm, but the "logout all sessions" button in the sessions part of the realm does stop the storm. To answer your questions, customers didn't see the login page and keycloak didn't process HTTP requests anymore. KeyCloak is just one instance. I don't know the amount of database connections at that time. Will certainly look into those metrics next time. -----Original Message----- 
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Tuesday, 1 August 2017 16:31 To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive You'll need to narrow down the problem more. i.e. What does "can't login anymore" mean? Do customers still see login pages? Can Keycloak still receive and process HTTP requests? Or is there connection denied? Is Keycloak clustered? Or is it one instance? How many open database connections does the DB have? On 8/1/17 5:47 AM, Anton Arntz wrote: > We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random. > Tried to look into memory, cpu load and disk usage of the specific OpenShift gear and gone through all of the logs but nothing out of the ordinary could be found. > Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to login anymore. > Has anyone experienced the same with this KeyCloak version? > > Kind regards, > Anton Arntz > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From shailesh.kochhar at gmail.com Tue Aug 8 05:13:15 2017 
From: shailesh.kochhar at gmail.com (Shailesh Kochhar) Date: Tue, 08 Aug 2017 09:13:15 +0000 Subject: [keycloak-user] Multiple direct access flows within a realm Message-ID: Hi everyone, I am trying to understand if keycloak can support an authentication scenario. I have a realm which has multiple trusted clients authenticating. Some are mobile clients and some are web based clients. These clients use the direct access token flow to exchange user credentials for a token. We'd like to support different credentials based on the client. I'd like one client (web) to be able to use username/password for a token while another (mobile) client uses username and a secure token like an OTP or an RSA SecurID. I have been able to create custom flows in my realm from the admin console and I can set up a flow which requires OTPs. However, I am unable to configure the flow per client. The only option I have been able to find is to change the flow for an entire realm. So my question is, is it possible to configure the OAuth flow in keycloak at the client level? If not, are there extension possibilities which could make this feasible? Thanks, Shailesh From bburke at redhat.com Tue Aug 8 09:29:29 2017 
From: bburke at redhat.com (Bill Burke) Date: Tue, 8 Aug 2017 09:29:29 -0400 Subject: [keycloak-user] token introspection In-Reply-To: References: Message-ID: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> I'm looking at the code on the server and I don't see that it requires any special switch to use it. The endpoint is: @Post /auth/realms/{realm}/protocol/openid-connect/token/introspect Takes form params. token token_type_hint (optional and defaults to "access_token") On 8/8/17 4:31 AM, Simon Payne wrote: > after some debugging I figured that > keycloak.policy-enforcer-config.online-introspection=true switched on this > functionality, however it appears to error on a 400 after making a call to > the /auth/realms/master/protocol/openid-connect/token endpoint. > > I'm assuming this is a bug? > > Thanks > > > > On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne wrote: > >> Hi All, >> >> I'm evaluating keycloak and I'm currently looking at token introspection. >> >> I've managed to achieve this manually, i.e. by sending a post via postman, >> but I'm unable to figure out whether this can be achieved via the keycloak >> adapters, specifically spring boot. >> >> any help in this area would be appreciated. >> >> thanks >> >> Simon. >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Tue Aug 8 09:35:03 2017 
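As an added example (not Keycloak code and not from anyone in this thread), here is the introspection exchange Bill describes with both sides present: a stand-in endpoint mounted at the path he gives, which accepts the form parameters token and token_type_hint (defaulting the hint to access_token), and a resource-server client that posts the form and reads the RFC 7662 style {"active": ...} answer. The realm name demo, the client id api-client with its secret, and client authentication via HTTP Basic are assumptions made for the example; the thread does not describe how the real endpoint authenticates the caller.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// IntrospectionResponse is the subset of an RFC 7662 response we use.
type IntrospectionResponse struct {
	Active   bool   `json:"active"`
	Username string `json:"username,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
}

// knownTokens is a constructed stand-in for the realm's session store.
var knownTokens = map[string]IntrospectionResponse{
	"good-token": {Active: true, Username: "alice", Exp: 1502200300},
}

// introspectHandler is the server side: a POST form carrying "token" and an
// optional "token_type_hint" that defaults to "access_token".
func introspectHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if r.Method != http.MethodPost || r.ParseForm() != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	// Assumption: the caller must authenticate as a client; modelled as HTTP Basic.
	if id, secret, ok := r.BasicAuth(); !ok || id != "api-client" || secret != "s3cret" {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	hint := r.PostForm.Get("token_type_hint")
	if hint == "" {
		hint = "access_token"
	}
	resp, ok := knownTokens[r.PostForm.Get("token")]
	if !ok || hint != "access_token" {
		// Unknown or invalid tokens get {"active": false}, not an HTTP error,
		// so the response never leaks whether the token ever existed.
		resp = IntrospectionResponse{Active: false}
	}
	_ = json.NewEncoder(w).Encode(resp)
}

// Introspect is the client side: what a bearer-only resource server would do
// if it validated tokens online instead of locally.
func Introspect(base, token string) (IntrospectionResponse, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	endpoint := base + "/auth/realms/demo/protocol/openid-connect/token/introspect"
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return IntrospectionResponse{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth("api-client", "s3cret") // assumed client credentials
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		return IntrospectionResponse{}, err
	}
	defer res.Body.Close()
	var out IntrospectionResponse
	if res.StatusCode != http.StatusOK {
		return out, fmt.Errorf("introspection returned HTTP %d", res.StatusCode)
	}
	return out, json.NewDecoder(res.Body).Decode(&out)
}

// NewFakeRealm starts the stand-in auth server; callers must Close() it.
func NewFakeRealm() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/realms/demo/protocol/openid-connect/token/introspect", introspectHandler)
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeRealm()
	defer srv.Close()
	for _, tok := range []string{"good-token", "forged-token"} {
		r, err := Introspect(srv.URL, tok)
		fmt.Printf("%s -> active=%v user=%q err=%v\n", tok, r.Active, r.Username, err)
	}
}
```

Note that a 400 from a different path (the /token endpoint, as in Simon's report) is a sign the client hit the wrong endpoint, not that introspection failed: the introspection endpoint answers an unknown token with active=false and HTTP 200.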
From: bburke at redhat.com (Bill Burke) Date: Tue, 8 Aug 2017 09:35:03 -0400 Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive In-Reply-To: References: Message-ID: <3043eb42-366e-6e9a-eb7c-2fc1fcacc8d4@redhat.com> How can ADFS make requests to Keycloak? Wouldn't it be other way around? On 8/8/17 4:53 AM, Anton Arntz wrote: > You are absolutely right, but at the time this was all the information I had and just wanted to check if anyone else had a similar experience. > We narrowed it down to 1 realm receiving a lot of requests. All the requests are originating from the customer's ADFS that fills up our log. It seems that those requests aren't even logged at the keycloak realm, but the "logout all sessions" button in the sessions part of the realm does stop the storm. > To answer your questions, customers didn't see the login page and keycloak didn't process HTTP requests anymore. KeyCloak is just one instance. I don't know the amount of database connections at that time. Will certainly look into those metrics next time. > > -----Original Message----- 
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke > Sent: Tuesday, 1 August 2017 16:31 > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive > > You'll need to narrow down the problem more. i.e. What does "can't login anymore" mean? Do customers still see login pages? Can Keycloak still receive and process HTTP requests? Or is there connection denied? Is Keycloak clustered? Or is it one instance? How many open database connections does the DB have? > > On 8/1/17 5:47 AM, Anton Arntz wrote: >> We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random. >> Tried to look into memory, cpu load and disk usage of the specific OpenShift gear and gone through all of the logs but nothing out of the ordinary could be found. >> Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to login anymore. >> Has anyone experienced the same with this KeyCloak version? >> >> Kind regards, >> Anton Arntz >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Tue Aug 8 10:28:37 2017 
From: bburke at redhat.com (Bill Burke) Date: Tue, 8 Aug 2017 10:28:37 -0400 Subject: [keycloak-user] token introspection In-Reply-To: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> Message-ID: Doesn't look like the switch is hooked up to anything. As it is, it looks like this switch was added for RPT validation, not access token validation, and not ever implemented. You just want the adapter to validate the access token with the auth server for bearer token requests, right? On 8/8/17 9:29 AM, Bill Burke wrote: > I'm looking at the code on the server and I don't see that it requires any > special switch to use it. The endpoint is: > > @Post > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > Takes form params. > > token > > token_type_hint (optional and defaults to "access_token") > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: >> after some debugging I figured that >> keycloak.policy-enforcer-config.online-introspection=true switched on this >> functionality, however it appears to error on a 400 after making a call to >> the /auth/realms/master/protocol/openid-connect/token endpoint. >> >> I'm assuming this is a bug? >> >> Thanks >> >> >> >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne wrote: >> >>> Hi All, >>> >>> I'm evaluating keycloak and I'm currently looking at token introspection. >>> >>> I've managed to achieve this manually, i.e. by sending a post via postman, >>> but I'm unable to figure out whether this can be achieved via the keycloak >>> adapters, specifically spring boot. >>> >>> any help in this area would be appreciated. >>> >>> thanks >>> >>> Simon. 
>>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From simonpayne58 at gmail.com Tue Aug 8 11:10:39 2017 
From: simonpayne58 at gmail.com (Simon Payne) Date: Tue, 8 Aug 2017 16:10:39 +0100 Subject: [keycloak-user] token introspection In-Reply-To: References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> Message-ID: Yes, correct. There is a definite change in behavior with the addition of the keycloak.policy-enforcer-config.online-introspection=true flag, as without this single line in my property file it works correctly as a bearer-only resource server. Addition of this line results in the incorrect call to the token exchange endpoint. Thanks On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote: > Doesn't look like the switch is hooked up to anything. As it is, it > looks like this switch was added for RPT validation, not access token > validation, and not ever implemented. You just want the adapter to > validate the access token with the auth server for bearer token > requests, right? > > > On 8/8/17 9:29 AM, Bill Burke wrote: > > I'm looking at the code on the server and I don't see that it requires any > > special switch to use it. The endpoint is: > > > > @Post > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > > > Takes form params. > > > > token > > > > token_type_hint (optional and defaults to "access_token") > > > > > > > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: > >> after some debugging I figured that > >> keycloak.policy-enforcer-config.online-introspection=true switched on > this > >> functionality, however it appears to error on a 400 after making a call > to > >> the /auth/realms/master/protocol/openid-connect/token endpoint. > >> > >> I'm assuming this is a bug? > >> > >> Thanks > >> > >> > >> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne > wrote: > >> > >>> Hi All, > >>> > >>> I'm evaluating keycloak and I'm currently looking at token > introspection. > >>> > >>> I've managed to achieve this manually, i.e. 
by sending a post via > postman, > >>> but i'm unable to figure out whether this can be achieved via the > keycloak > >>> adapters, specifically spring boot. > >>> > >>> any help in this area would be appreciated. > >>> > >>> thanks > >>> > >>> Simon. > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From okianl at yahoo.com Tue Aug 8 12:17:54 2017 
From: okianl at yahoo.com (Lucian Ochian) Date: Tue, 8 Aug 2017 16:17:54 +0000 (UTC) Subject: [keycloak-user] token introspection In-Reply-To: References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> Message-ID: <1839453359.1966941.1502209074630@mail.yahoo.com> Simon, Do you have a demo app with that? I am just curious to see a Spring (Boot) app with authorizations... I remember that I tried something with authorizations, and the authorization context was null (I know there are some Jira issues about it), but I still could not get it to work in 2.5.5: AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext(); Thanks, Lucian On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne wrote: yes correct. there is a definite change in behavior with the addition of the keycloak.policy-enforcer-config.online-introspection=true flag, as without this single line in my property file it works correctly as a bearer only resource server. Addition of this line results in the incorrect call to token exchange endpoint. thanks On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote: > Doesn't look like the switch is hooked up to anything. As it is, it > looks like this switch was added for RPT validation, not access token > validation, and not ever implemented. You just want the adapter to > validate the access token with the auth server for bearer token > requests, right? > > > On 8/8/17 9:29 AM, Bill Burke wrote: > > I'm looking at the code on the server and I don't see that it requires any > > special switch to use it. The endpoint is: > > > > @Post > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > > > Takes form params. 
> > > > token > > > > token_type_hint (optional and defaults to "access_token") > > > > > > > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: > >> after some debugging i figured that > >> keycloak.policy-enforcer-config.online-introspection=true switched on > this > >> functionality, however it appears to error on a 400 after making a call > to > >> the /auth/realms/master/protocol/openid-connect/token endpoint. > >> > >> I'm assuming this is a bug? > >> > >> Thanks > >> > >> > >> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne > wrote: > >> > >>> Hi All, > >>> > >>> I'm evaluating keycloak and i'm currently looking at token > introspection. > >>> > >>> I've managed to achieve this manually, i.e. by sending a post via > postman, > >>> but i'm unable to figure out whether this can be achieved via the > keycloak > >>> adapters, specifically spring boot. > >>> > >>> any help in this area would be appreciated. > >>> > >>> thanks > >>> > >>> Simon. > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Tue Aug 8 13:48:49 2017 
From: bburke at redhat.com (Bill Burke) Date: Tue, 8 Aug 2017 13:48:49 -0400 Subject: [keycloak-user] token introspection In-Reply-To: References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> Message-ID: <0c658ec4-d1b8-0b8b-5197-6a21aa50a3b2@redhat.com> It works because our bearer tokens are JWS-signed JWTs whose signature and issuer are validated by the adapter itself using the realm's public key. On 8/8/17 11:10 AM, Simon Payne wrote: > yes correct. > > there is a definite change in behavior with the addition of the > keycloak.policy-enforcer-config.online-introspection=true flag, as without > this single line in my property file it works correctly as a bearer only > resource server. Addition of this line results in the incorrect call to > token exchange endpoint. > > thanks > > > On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote: > >> Doesn't look like the switch is hooked up to anything. As it is, it >> looks like this switch was added for RPT validation, not access token >> validation, and not ever implemented. You just want the adapter to >> validate the access token with the auth server for bearer token >> requests, right? >> >> >> On 8/8/17 9:29 AM, Bill Burke wrote: >>> I'm looking at the code on the server and I don't see that it requires any >>> special switch to use it. The endpoint is: >>> >>> @Post >>> >>> /auth/realms/{realm}/protocol/openid-connect/token/introspect >>> >>> Takes form params. >>> >>> token >>> >>> token_type_hint (optional and defaults to "access_token") >>> >>> >>> >>> >>> >>> On 8/8/17 4:31 AM, Simon Payne wrote: >>>> after some debugging I figured that >>>> keycloak.policy-enforcer-config.online-introspection=true switched on >> this >>>> functionality, however it appears to error on a 400 after making a call >> to >>>> the /auth/realms/master/protocol/openid-connect/token endpoint. >>>> >>>> I'm assuming this is a bug? 
>>>> >>>> Thanks >>>> >>>> >>>> >>>> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne >> wrote: >>>>> Hi All, >>>>> >>>>> I'm evaluating keycloak and i'm currently looking at token >> introspection. >>>>> I've managed to achieve this manually, i.e. by sending a post via >> postman, >>>>> but i'm unable to figure out whether this can be achieved via the >> keycloak >>>>> adapters, specifically spring boot. >>>>> >>>>> any help in this area would be appreciated. >>>>> >>>>> thanks >>>>> >>>>> Simon. >>>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Aug 8 15:57:22 2017 
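Bill's point above is why the bearer-only adapter needs no online introspection: the access token is a JWS-signed JWT, and the adapter can check it locally with the realm's public key. The following is an added example of that local check, written for this page and not taken from the Keycloak adapters: it pins the algorithm to RS256 so a token cannot pick "none" or an HMAC algorithm, verifies the signature before trusting any claim, then compares the issuer against the realm URL and rejects expired tokens. The realm URL https://sso.example.com/auth/realms/demo, the generated key pair standing in for the realm's key, and the reduced claim set are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of an access token that local validation needs.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// NewRealmKey generates a key pair that stands in for the realm's RSA key
// (constructed for the example; a real adapter only ever sees the public half).
func NewRealmKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Sign mints a JWS compact serialization (header.payload.signature) with RS256.
// The auth server does this; it is here only to produce tokens to validate.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the adapter-side check: alg pinned to RS256, signature under the
// realm public key, issuer equal to the realm URL, not expired. now is Unix
// seconds so the caller controls the clock. No round trip to the server.
func Verify(pub *rsa.PublicKey, token, expectedIss string, now int64) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return Claims{}, err
	}
	if hdr.Alg != "RS256" { // the token never gets to choose the algorithm
		return Claims{}, errors.New("unexpected alg " + hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("bad signature")
	}
	// Claims are parsed only after the signature is known to be good.
	plJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(plJSON, &c); err != nil {
		return Claims{}, err
	}
	if c.Iss != expectedIss {
		return Claims{}, errors.New("wrong issuer " + c.Iss)
	}
	if now >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	realm := "https://sso.example.com/auth/realms/demo" // assumed realm URL
	key := NewRealmKey()
	now := int64(1502200000)
	tok, _ := Sign(key, Claims{Iss: realm, Sub: "alice", Exp: now + 300})
	c, err := Verify(&key.PublicKey, tok, realm, now)
	fmt.Println("own key:", c.Sub, err)
	_, err = Verify(&NewRealmKey().PublicKey, tok, realm, now)
	fmt.Println("foreign key:", err)
}
```

Local validation like this is what lets a bearer-only resource server stay up when the auth server is slow; the trade-off is that revocation (for example the "logout all sessions" button mentioned earlier in the thread) only takes effect once the token expires, which is the one thing online introspection would give you.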
From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 8 Aug 2017 16:57:22 -0300 Subject: [keycloak-user] token introspection In-Reply-To: References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> Message-ID: This property is a zombie though, it should not impact anything given that there is no logic in the adapter to introspect the token using the introspection endpoint. I'm going to remove this property in any case ... I did a simple test using our Spring Boot Quickstart [1] and setting this property does cause any issue. [1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot On Tue, Aug 8, 2017 at 12:10 PM, Simon Payne wrote: > yes correct. > > there is a definite change in behavior with the addition of the > keycloak.policy-enforcer-config.online-introspection=true flag, as > without > this single line in my property file it works correctly as a bearer only > resource server. Addition of this line results in the incorrect call to > token exchange endpoint. > > thanks > > > On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote: > > > Doesn't look like the switch is hooked up to anything. As it is, it > > looks like this switch was added for RPT validation, not access token > > validation, and not ever implemented. You just want the adapter to > > validate the access token with the auth server for bearer token > > requests, right? > > > > > > On 8/8/17 9:29 AM, Bill Burke wrote: > > > I'm looking at the code on the server and I don't see that it requires any > > > special switch to use it. The endpoint is: > > > > > > @Post > > > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > > > > > Takes form params. 
> > > > > > token > > > > > > token_type_hint (optional and defaults to "access_token") > > > > > > > > > > > > > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: > > >> after some debugging i figured that > > >> keycloak.policy-enforcer-config.online-introspection=true switched on > > this > > >> functionality, however it appears to error on a 400 after making a > call > > to > > >> the /auth/realms/master/protocol/openid-connect/token endpoint. > > >> > > >> I'm assuming this is a bug? > > >> > > >> Thanks > > >> > > >> > > >> > > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne > > wrote: > > >> > > >>> Hi All, > > >>> > > >>> I'm evaluating keycloak and i'm currently looking at token > > introspection. > > >>> > > >>> I've managed to achieve this manually, i.e. by sending a post via > > postman, > > >>> but i'm unable to figure out whether this can be achieved via the > > keycloak > > >>> adapters, specifically spring boot. > > >>> > > >>> any help in this area would be appreciated. > > >>> > > >>> thanks > > >>> > > >>> Simon. > > >>> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Tue Aug 8 15:57:50 2017 
From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 8 Aug 2017 16:57:50 -0300 Subject: [keycloak-user] token introspection In-Reply-To: <1839453359.1966941.1502209074630@mail.yahoo.com> References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> <1839453359.1966941.1502209074630@mail.yahoo.com> Message-ID: Hey Lucian, we have this: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot . On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote: > Simon, > Do you have a demo app with that? I am just curious to see a spring(boot) > app with authorizations...I remember that I tried something with > authorizations, and the authorization context was null(I know there are > some Jira issues about it), but I still could not get it to work in 2.5.5 > AuthorizationContext authzContext = > keycloakSecurityContext.getAuthorizationContext(); > Thanks,Lucian > > On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne < > simonpayne58 at gmail.com> wrote: > > yes correct. > > there is a definite change in behavior with the addition of the > keycloak.policy-enforcer-config.online-introspection=true flag, as > without > this single line in my property file it works correctly as a bearer only > resource server. Addition of this line results in the incorrect call to > token exchange endpoint. > > thanks > > > On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote: > > > Doesn't look like the switch is hooked up to anything. As it is, it > > looks like this switch was added for RPT validation, not access token > > validation, and not ever implemented. You just want the adapter to > > validate the access token with the auth server for bearer token > > requests, right? > > > > > > On 8/8/17 9:29 AM, Bill Burke wrote: > > > I'm looking at the code on the server and I don't see that it requires any > > > special switch to use it. The endpoint is: > > > > > > @Post > > > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > > > > > Takes form params. 
> > > > > > token > > > > > > token_type_hint (optional and defaults to "access_token") > > > > > > > > > > > > > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: > > >> after some debugging i figured that > > >> keycloak.policy-enforcer-config.online-introspection=true switched on > > this > > >> functionality, however it appears to error on a 400 after making a > call > > to > > >> the /auth/realms/master/protocol/openid-connect/token endpoint. > > >> > > >> I'm assuming this is a bug? > > >> > > >> Thanks > > >> > > >> > > >> > > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne > > wrote: > > >> > > >>> Hi All, > > >>> > > >>> I'm evaluating keycloak and i'm currently looking at token > > introspection. > > >>> > > >>> I've managed to achieve this manually, i.e. by sending a post via > > postman, > > >>> but i'm unable to figure out whether this can be achieved via the > > keycloak > > >>> adapters, specifically spring boot. > > >>> > > >>> any help in this area would be appreciated. > > >>> > > >>> thanks > > >>> > > >>> Simon. 
> > >>> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From pschiffe at redhat.com Tue Aug 8 17:32:14 2017 
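The manual introspection Simon did with Postman, and the endpoint and form parameters Bill quotes, as an added example that is not part of the thread or of the Keycloak adapters: it builds the POST for the introspect endpoint and then decides, from the RFC 7662 response, whether a bearer token should be accepted by a resource server. The realm, URLs and client credentials are placeholders, and authenticating the resource server to the endpoint with its own client id and secret over HTTP Basic is an assumption of this example.

```python
"""Added example (not from the thread or the Keycloak project): call the
Keycloak token introspection endpoint quoted in the thread and evaluate the
RFC 7662 response before trusting a bearer token.

Assumptions: the resource server authenticates to the endpoint with a
confidential client id/secret via HTTP Basic; realm name, base URL and
credentials used in the test are placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request


def introspection_url(base_url: str, realm: str) -> str:
    """Endpoint path from the thread, built from the server base URL."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token/introspect"


def build_request(base_url, realm, token, client_id, client_secret,
                  token_type_hint="access_token"):
    """Return (url, headers, body) for the POST. The form params are 'token'
    and the optional 'token_type_hint', which defaults to 'access_token'."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode()
    return introspection_url(base_url, realm), headers, body


def evaluate_introspection(resp: dict, expected_aud=None, required_scopes=(), now=None):
    """Decide whether to accept the token described by an introspection response.

    'active' is the only field RFC 7662 guarantees, so everything else is
    checked defensively: an inactive token, an expired one, a token issued
    for another audience, or one lacking a required scope is rejected with a
    reason the caller can log."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False, "token not active"
    exp = resp.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired per exp claim"
    if expected_aud is not None:
        aud = resp.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if expected_aud not in aud:
            return False, "audience mismatch"
    granted = set(resp.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"


def introspect(base_url, realm, token, client_id, client_secret, **checks):
    """Round trip to a reachable server, then evaluate the answer. A transport
    error or a non-JSON reply propagates as an exception, which a resource
    server should turn into a 401 rather than a grant."""
    url, headers, body = build_request(base_url, realm, token, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as r:
        return evaluate_introspection(json.load(r), **checks)
```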
From: pschiffe at redhat.com (Peter Schiffer)
Date: Tue, 08 Aug 2017 23:32:14 +0200
Subject: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
In-Reply-To:
References:
Message-ID: <1502227934.1892.4.camel@redhat.com>

Hi,

I see the same problem, my error: https://paste.fedoraproject.org/paste/0NIqg2n~-iQSFUm5c2jrDQ

I'm using docker image jboss/keycloak-mysql:3.2.1.Final with empty db and the error is reproducible with both mariadb:10.2 and mariadb:10.1. Last time when I was playing with keycloak 2.x, it worked fine with mariadb:10.1

I've tried all final 3.x docker images with mariadb:10.2 and the error was the same. With keycloak 2.5.5 final (and the 10.2 db) the error was: https://paste.fedoraproject.org/paste/hnIGv89hfxPrB5bVPCL8tA

peter

On Thu, 2017-08-03 at 14:52 +0100, James Green wrote:
> OK I have identified a problem and a workaround:
>
> jboss/keycloak-mysql:latest works against mysql:5.5 but not against mysql:5.6 or mysql:5.7
>
> Here's the log working against mysql:5.5 - note the time taken to initialise the database:
>
> [ ... ]
> 13:37:38,210 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started realmRevisions cache from keycloak container
> 13:37:38,219 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started userRevisions cache from keycloak container
> 13:37:38,224 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
> 13:37:42,640 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 57) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
> 13:41:13,725 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
> 13:41:13,781 INFO [org.hibernate.Version] (ServerService Thread Pool -- 57) HHH000412: Hibernate Core {5.0.7.Final}
> 13:41:13,782 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000206: hibernate.properties not found
> [ ... ]
>
> That's quite a bit of time operating against an empty database!
>
> On 3 August 2017 at 13:00, John Bartko wrote:
> > I *think* that the timeout referred to by this error:
> >
> > WFLYCTL0348: Timeout after [300] seconds
> >
> > can be increased by specifying -Djboss.as.management.blocking.timeout=### in the java options.
> >
> > I suspect that when a liquibase transaction gets abruptly stopped like that, subsequent attempts to use the same database would possibly result in "table already exist" errors.
> >
> > I experienced when performing a 1.9.x -> 2.5.x schema update the following transaction timeout also needed to be increased beyond its default value of 300:
> >
> > /subsystem=transactions:write-attribute(name=default-timeout,value=###)
> >
> > Hope that helps,
> > - John Bartko
> > ------------------------------
> > *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of James Green <james.mk.green at gmail.com>
> > *Sent:* Thursday, August 3, 2017 6:01:46 AM
> > *To:* Marko Strukelj
> > *Cc:* keycloak-user
> > *Subject:* Re: [keycloak-user] Clean Install with MySQL - Keycloak restarts itself due to liquibase errors - Docker Swarm environment
> >
> > Looks like a timeout causes an initial crash then the liquibase crashes begin:
> >
> > https://gist.github.com/jmkgreen/4a474f1b97d8cbea5bf77a6f475ec78c
> >
> > Unsure what is actually happening that gets timed out though - there is mention of an http interface but is that a repercussion of something deeper?
> >
> > Thanks,
> >
> > James
> >
> > On 3 August 2017 at 11:01, Marko Strukelj wrote:
> > > Hmm, grasping for straws I would try a previous version of Keycloak to rule out the possibility of a regression, then I would try with a different version of MySql, then I would try a locally running instance of Keycloak against containerised MySql ...
> > >
> > > On Thu, Aug 3, 2017 at 11:36 AM, Marko Strukelj wrote:
> > > > There's your error in line 237 of the first log:
> > > > 08:53:26,263 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 52) Change Set META-INF/jpa-changelog-1.7.0.xml::1.7.0::bburke at redhat.com failed. Error: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]: liquibase.exception.DatabaseException: Table 'KEYCLOAK_GROUP' already exists [Failed SQL: CREATE TABLE keycloak.KEYCLOAK_GROUP (ID VARCHAR(36) NOT NULL, NAME VARCHAR(255) NULL, PARENT_GROUP VARCHAR(36) NULL, REALM_ID VARCHAR(36) NULL)]
> > > >
> > > > The question now is why that table exists already if you started with an empty database.
> > > >
> > > > On Thu, Aug 3, 2017 at 11:22 AM, James Green wrote:
> > > > > Unsure what I'm doing wrong here. Circumstance: we've spotted KeyCloak, have reason to be interested, so are deploying an instance into our test environment which happens to be Docker Swarm.
> > > > >
> > > > > Problem: The KeyCloak service is being restarted by Docker, presumably due to a crash. The logs indicate it gets so far within a liquibase script then fails.
> > > > >
> > > > > Here's the docker-compose.yml file that we are using for deployment purposes:
> > > > >
> > > > > https://gist.github.com/jmkgreen/b79f95c3eca2eac3fb66c66d12017f07
> > > > >
> > > > > Here's the log from MySQL:
> > > > >
> > > > > https://gist.github.com/jmkgreen/75b99fe98cf1d16a99895e78dae47cce
> > > > >
> > > > > Here's an initial log from KeyCloak:
> > > > >
> > > > > https://gist.github.com/jmkgreen/96285800949b5c4f62c31caa3eba27ef
> > > > >
> > > > > Here's a further log from KeyCloak once Docker has decided it needed to be restarted:
> > > > >
> > > > > https://gist.github.com/jmkgreen/2051ab14e470d1d46dabcfdd519d5c42
> > > > >
> > > > > As you can see, the MySQL server starts and is configured due to there being no data already present. All looks good. KeyCloak eventually gets connected to MySQL and begins using Liquibase to roll through transitions but crashes (how?) and thus the container overall crashes forcing Docker to restart, which merely happens over and over.
> > > > >
> > > > > FWIW I earlier created a StackOverflow post which has us at a _different_ liquibase change but also failing:
> > > > >
> > > > > https://stackoverflow.com/questions/45466482/keycloak-will-not-start-due-to-liquibase-changelog-error?noredirect=1#comment77894983_45466482
> > > > >
> > > > > What I've posted in the Gists above occurred after I shut everything down and wiped the MySQL data directory of its contents in full.
> > > > >
> > > > > An aside - we have multiple projects working within Swarm using stack deployments with externally managed networks (as recommended by Docker) and GlusterFS volumes without issue. In this particular case the only tangible difference is the use of the latest MySQL version which other projects may not be using. We also do not have experience of WildFly-based software.
> > > > >
> > > > > Any ideas what I've done wrong?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > James
From: marc.destefanis at easytrust.com (Marc Destefanis)
Date: Wed, 9 Aug 2017 07:57:25 +0000
Subject: [keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client
Message-ID:

Hi,

I don't understand how the "resource" attribute from the keycloak.json is bound to a client. I explain the case I face:

In my WAR I have a keycloak.json which contains the value "WS" on the "resource" attribute.
I've previously created a "GUI" client that allows me to generate a token and a "WS" client with a bearer-only access type that I use to secure my WARs.

Everything works fine, my WARs are secured and I'm able to request the web services with the token generated with the GUI client.

BUT,
If I change the "resource" attribute value to a client name which doesn't exist it still works.
I can set the "resource" attribute to "anyThing" or "oneTwoThree" etc. and it still works even if I didn't create these clients.

I was expecting an error like "the client oneTwoThree doesn't exist" or something else when I request a web service secured in a WAR with a non-existing resource value in the keycloak.json file.

Is it normal behavior?
Did I misunderstand something or do I have an issue?

Regards,
Marc Destefanis.
From: tgc at dma.dk (Tomas Groth Christensen)
Date: Wed, 9 Aug 2017 08:13:18 +0000
Subject: [keycloak-user] Disable Sticky Sessions?
Message-ID: <1502266398.32143.33.camel@dma.dk>

Hi,

I am using keycloak as a broker where the user in a browser can choose which identity provider to use for authentication and this works just fine. We have also set up a "headless flow" where an application using the kc_idp_hint can preselect a special identity provider which can authenticate the user (with a special authenticator) without user interaction.

This used to work fine, but with Keycloak 3.2.x this breaks, since now Keycloak requires cookies to be enabled. As far as I can tell this is because the AUTH_SESSION_ID cookie used for "Sticky sessions" is now a hard requirement.

Is there a way to disable this hard requirement on cookies?

I know that enabling cookies will fix this for the application, but my problem is that there are multiple implementations of this application, and I don't control any of them.

Best regards,
Tomas
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 9 Aug 2017 10:43:21 +0200
Subject: [keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client
In-Reply-To:
References:
Message-ID:

It's because of the "bearer-only" nature of your client. Only the token is verified. In some cases it could use the 'resource' property if for instance "use-resource-role-mappings" is used (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java#L99-L103)

On Wed, Aug 9, 2017 at 9:57 AM, Marc Destefanis <marc.destefanis at easytrust.com> wrote:
> Hi,
>
> I don't understand how the "resource" attribute from the keycloak.json is bound to a client. I explain the case I face:
>
> [...]
>
> If I change the "resource" attribute value to a client name which doesn't exist it still works.
> I can set the "resource" attribute to "anyThing" or "oneTwoThree" etc. and it still works even if I didn't create these clients.
>
> [...]
>
> Is it normal behavior?
> Did I misunderstand something or do I have an issue?
>
> Regards,
> Marc Destefanis.
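Sebastien's explanation, as an added example that is not part of the thread or of the Keycloak adapter code: a model of what a bearer-only adapter does with an already verified access token, showing why Marc's non-existent "resource" name never produces an error (with use-resource-role-mappings it only yields an empty role set), and, as an additional check the thread says the adapter does not do on its own, a comparison of the token's aud claim against the configured resource. The token payload is constructed after Keycloak's documented realm_access / resource_access layout; signature, issuer and expiry checks are assumed to have happened already.

```python
"""Added example (not from the thread or the Keycloak adapter): how a
bearer-only adapter derives roles from a verified access token, and why a
'resource' name that matches no client is silently tolerated.

Assumptions: signature, issuer and expiry of the token have already been
verified (the only check the thread says bearer-only performs); 'claims' is
the decoded payload of a Keycloak access token with the documented
realm_access / resource_access layout. Names like 'ws', 'gui' and
'oneTwoThree' are the ones Marc used in the thread."""


def roles_for_request(claims: dict, adapter_config: dict) -> set:
    """Roles the adapter sees for this token.

    With use-resource-role-mappings=false (the default) the realm roles are
    used and 'resource' is not consulted at all. With it set to true the roles
    come from resource_access[<resource>]; a name with no entry yields an
    empty set rather than an error, which is the behaviour Marc observed."""
    if adapter_config.get("use-resource-role-mappings", False):
        client = adapter_config["resource"]
        return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def audience_matches(claims: dict, adapter_config: dict) -> bool:
    """Is this token actually meant for our client? 'aud' may be a string or
    a list. This is the extra check, not part of the adapter logic quoted in
    the thread, that makes a wrong 'resource' value visible."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    return adapter_config["resource"] in aud


def authorize(claims: dict, adapter_config: dict, required_role: str,
              verify_audience: bool = False) -> tuple:
    """Emulate the adapter's decision for a request that needs 'required_role'.

    Returns (granted, reason). With verify_audience=True a token issued for a
    different client is rejected even when it carries the right role, so a
    typo in 'resource' fails loudly instead of accepting any realm token."""
    if verify_audience and not audience_matches(claims, adapter_config):
        return False, "token audience does not include " + adapter_config["resource"]
    roles = roles_for_request(claims, adapter_config)
    if required_role in roles:
        return True, "ok"
    found = ", ".join(sorted(roles)) or "none"
    return False, "role %s not present (found: %s)" % (required_role, found)


# Constructed token payload modelled on Keycloak's claim layout; not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/demo",
    "aud": ["ws", "account"],
    "azp": "gui",
    "realm_access": {"roles": ["user", "offline_access"]},
    "resource_access": {
        "ws": {"roles": ["ws-reader"]},
        "account": {"roles": ["manage-account"]},
    },
}

if __name__ == "__main__":
    # Walk through the four adapter configurations Marc's question implies.
    for cfg in ({"resource": "ws"},
                {"resource": "oneTwoThree"},
                {"resource": "ws", "use-resource-role-mappings": True},
                {"resource": "oneTwoThree", "use-resource-role-mappings": True}):
        print(cfg, authorize(SAMPLE_CLAIMS, cfg, "user"),
              authorize(SAMPLE_CLAIMS, cfg, "ws-reader"),
              authorize(SAMPLE_CLAIMS, cfg, "user", verify_audience=True))
```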
From: simonpayne58 at gmail.com (Simon Payne)
Date: Wed, 9 Aug 2017 09:50:31 +0100
Subject: [keycloak-user] token introspection
In-Reply-To:
References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> <1839453359.1966941.1502209074630@mail.yahoo.com>
Message-ID:

Thanks Pedro, however, I think our use cases are not exactly the same. It appears your component is set to allow authentication of user where mine is bearer only.

The only other differences I can see between our projects is that I am running gradle with keycloak 3.2.0 and that I have also added

compile('org.keycloak:keycloak-authz-client:3.2.0.CR1')

Lucian, I don't have a project which I can share at the moment as other code is included; if you would still like to see something I can make a shareable version.

Thanks

On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva wrote:
> Hey Lucian, we have this https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
>
> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote:
>
>> Simon,
>> Do you have a demo app with that? I am just curious to see a spring(boot) app with authorizations... I remember that I tried something with authorizations, and the authorization context was null (I know there are some Jira issues about it), but I still could not get it to work in 2.5.5
>> AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
>> Thanks, Lucian
>>
>> [...]
From: lists at merit.unu.edu (mj)
Date: Wed, 9 Aug 2017 12:01:34 +0200
Subject: [keycloak-user] Credential Reset question | secondary email address
Message-ID: <5e58a99c-3e99-122d-9811-846931ce3802@merit.unu.edu>

Hi,

We configured a writeable federated ldap (AD) provider. Needs to be writeable, because we use the keycloak password change function.

Now, in case a user doesn't remember his password, we can use the "Credential Reset" function, which sends a password reset email to the LDAP email address. However, since the user doesn't remember his password, he will not be able to access the reset email... Chicken and egg situation...

So we can change the email address in keycloak temporarily, but that will also change the email in AD LDAP (since it's writeable) which causes many problems in other ldap-connected applications.

So: Is there a way to send the password reset email to a 'secondary' email address? Perhaps an address we can manually enter at the moment a user requests the password reset (using a popup?), or is there a secondary password field for a user in keycloak? (perhaps importable from ldap, as we keep secondary emails there as well)

Best regards,
MJ
From: marc.destefanis at easytrust.com (Marc Destefanis)
Date: Wed, 9 Aug 2017 10:10:15 +0000
Subject: [keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client
In-Reply-To:
References:
Message-ID:

Thank you Sebastien Blanc,

So it's normal behavior; that answers my question.
But I'm curious: why is the "resource" property required if it is only used when "use-resource-role-mappings" is set to true?
It is the fact that the "resource" property is required that made me think I had an issue.

Regards,
Marc Destefanis.

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Wednesday, 9 August 2017 10:43
To: Marc Destefanis
Cc: keycloak-user at lists.jboss.org; Sonia Belhadj
Subject: Re: [keycloak-user] keycloak.json configuration - link between resource attribute and Keycloak client

It's because of the "bearer-only" nature of your client. Only the token is verified. In some cases it could use the 'resource' property if for instance "use-resource-role-mappings" is used (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java#L99-L103)

On Wed, Aug 9, 2017 at 9:57 AM, Marc Destefanis wrote:

[...]

From: sajid at theinnovationinc.co (Sajid Chauhan)
Date: Wed, 9 Aug 2017 16:00:27 +0530
Subject: [keycloak-user] REST api for user self-registration
Message-ID:

Hi All,

I have found that there are REST APIs for Admin. Are there REST APIs for a new user to register himself? Can you please share the link?

Secondly, is there a way to customize the user registration screen and add more text box fields? Or would we need to make code changes for that?

Thanks and regards,
Sajid
From: edwin.de.jong at simacan.com (Edwin de Jong)
Date: Wed, 9 Aug 2017 13:32:54 +0200
Subject: [keycloak-user] JGroups failure: failed submitting DONT_BUNDLE message to thread pool
Message-ID: <57b8d08c-0f76-20b4-0ed8-2217768675db@simacan.com>

Dear Keycloak users (and devs),

This morning, we faced a production level issue on our Keycloak Cluster, running in a 3-node formation on EC2. Symptoms were a high failure rate of requests (> 20%) and high latency (> 10 seconds). We are currently trying to figure out what went wrong. We would appreciate it if someone with knowledge of JGroups / Infinispan could chime in with a working hypothesis.

About priority: we are currently running nominally. We have brought down two of the instances and brought up two new instances. The cluster is working again as expected.

Below I'll give information about our setup, the relevant log messages and links to some screenshots of our monitoring:

EC2 instances are C4.Large (3x)
Keycloak Version 3.1.0-FINAL
Normal CPU usage is around 1% or less. It peaked to 16% during the incident.
Memory usage is normal.

Screenshots:
- datadog statistics of our services calling keycloak: https://ibb.co/dsDTKv
- AWS EC2 instance Cloudwatch statistics: network out rate (in bytes per MINUTE): https://ibb.co/j8jhCF
- AWS EC2 instance Cloudwatch statistics: network in rate (in bytes per MINUTE): https://ibb.co/ggLuRa

Log lines, just before failure (to help reduce clutter, I've removed the date and replaced the IP addresses with "IP-A", "IP-B", "IP-C"). The last message is repeated around 500.000 times in the span of around 1 minute.
---------------------->%-----------------------
05:09:23,925 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,928 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,991 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
05:09:23,996 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
05:09:24,001 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
05:09:24,004 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
05:09:24,014 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
05:09:24,027 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 6
05:09:24,028 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 6
05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 6
05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t132) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 6
05:09:33,567 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,573 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,575 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,521 WARN [org.jgroups.protocols.pbcast.NAKACK] (Incoming-19,ee,ip-B) JGRP000011: ip-B: dropped message 54375 from non-member ip-C (view=[ip-A|3] (2) [ip-A, ip-B]) Warning
05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,530 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,533 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,518 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
05:09:33,577 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
05:09:33,579 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
05:09:33,580 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
05:09:33,582 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t15) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 10
05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 10
05:09:33,590 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 10
05:09:33,601 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t133) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 10
05:09:34,001 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler at 17c86a0c rejected from java.util.concurrent.ThreadPoolExecutor at 52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589693]. Msg: RequestCorrelator: id=200, type=REQ, id=607, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=206], TCP: [cluster_name=ee] ERROR
05:09:34,010 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler at 4fec3655 rejected from java.util.concurrent.ThreadPoolExecutor at 52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589694].
Msg: RequestCorrelator: id=200, type=REQ, id=609, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=208], TCP: [cluster_name=ee] ERROR (last line repeated many, many times) ---------------------->%----------------------- Infinispan subsystem configuration in standalone-ha.xml: ---------------------->%----------------------- ---------------------->%----------------------- JGroups subsystem configuration: ---------------------->%----------------------- S3AccessKey S3SecretAccessKey S3PingBucketName ---------------------->%----------------------- with kind regards, Edwin de Jong -- Simacan B.V. Data Engineer From mposolda at redhat.com Wed Aug 9 08:37:14 2017 
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 9 Aug 2017 14:37:14 +0200
Subject: [keycloak-user] Disable Sticky Sessions?
In-Reply-To: <1502266398.32143.33.camel@dma.dk>
References: <1502266398.32143.33.camel@dma.dk>
Message-ID:

On 09/08/17 10:13, Tomas Groth Christensen wrote:
> Hi,
>
> I am using keycloak as a broker where the user in a browser can choose
> which identity provider to use for authentication and this works just
> fine.
>
> We have also set up a "headless flow" where an application using the
> kc_idp_hint can preselect a special identity provider which can
> authenticate the user (with a special authenticator) without user
> interaction. This used to work fine, but with Keycloak 3.2.x this
> breaks, since now Keycloak requires cookies to be enabled. As far as I
> can tell this is because the AUTH_SESSION_ID cookie used for "Sticky
> sessions" is now a hard requirement.
>
> Is there a way to disable this hard requirement on cookies?

Do I understand correctly that you're using the browser flow from non-browser applications? ATM it's not possible to disable this.

Marek

>
> I know that enabling cookies will fix this for the application, but my
> problem is that there are multiple implementations of this application,
> and I don't control any of them.
>
> Best regards,
> Tomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Aug 9 08:40:37 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 9 Aug 2017 14:40:37 +0200
Subject: [keycloak-user] REST api for user self-registration
In-Reply-To:
References:
Message-ID: <82ec994d-1731-97ab-de1e-713e42c29f04@redhat.com>

On 09/08/17 12:30, Sajid Chauhan wrote:
> Hi All,
>
> I have found that there are REST apis for Admin. Are there REST Apis for a
> new user to register himself? Can you please share the link?

Yes, we have the admin REST API. It's used by our admin console, for example. It's not as flexible as the classic registration form (eg. you don't have captcha there, and required actions like TOTP setup won't be automatically triggered, which works for OOTB Keycloak registration etc.), so it's preferred to use our registration form.

>
> Secondly, is there a way to customize the user registration screen and add
> more text box fields? Or would we need to make code changes for that?

Yes, it's possible with code changes. It's documented and I think that we also have an example for that in the keycloak-examples distribution in the "providers" directory.

Marek

>
> Thanks and regards,
> Sajid
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Anton.Arntz at planonsoftware.com Wed Aug 9 08:50:54 2017
From: Anton.Arntz at planonsoftware.com (Anton Arntz)
Date: Wed, 9 Aug 2017 12:50:54 +0000
Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
In-Reply-To: <3043eb42-366e-6e9a-eb7c-2fc1fcacc8d4@redhat.com>
References: <3043eb42-366e-6e9a-eb7c-2fc1fcacc8d4@redhat.com>
Message-ID:

Correct, the first step is a redirect from KeyCloak to the ADFS server to authenticate the user.
This initial redirect happens only once.
After that we see more than 1000 requests hitting our KeyCloak URL with a redirect from that ADFS server and redirecting back to the ADFS server.
I mean like this:
KeyCloak -> ADFS
ADFS -> KeyCloak
KeyCloak -> ADFS
ADFS -> KeyCloak
KeyCloak -> ADFS
ADFS -> KeyCloak
We reached out to our customer to check if one of their users has a different cookie configuration in his/her browser.
Best way forward seems to be to locate the storm generator first.

-----Original Message-----
From: Bill Burke [mailto:bburke at redhat.com]
Sent: Tuesday 8 August 2017 15:35
To: Anton Arntz ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive

How can ADFS make requests to Keycloak? Wouldn't it be the other way around?

On 8/8/17 4:53 AM, Anton Arntz wrote:
> You are absolutely right, but at the time this was all the information I had and I just wanted to check if anyone else had a similar experience.
> We narrowed it down to 1 realm receiving a lot of requests. All the requests are originating from the customer's ADFS, which fills up our log. It seems that those requests aren't even logged at the keycloak realm, but the "logout all sessions" button in the sessions part of the realm does stop the storm.
> To answer your questions, customers didn't see the login page and keycloak didn't process HTTP requests anymore. KeyCloak is just one instance. I don't know the number of database connections at that time. Will certainly look into those metrics next time.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Tuesday 1 August 2017 16:31
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
>
> You'll need to narrow down the problem more. i.e. What does "can't login anymore" mean? Do customers still see login pages? Can Keycloak still receive and process HTTP requests? Or is there connection denied? Is Keycloak clustered? Or is it one instance? How many open database connections does the DB have?
>
> On 8/1/17 5:47 AM, Anton Arntz wrote:
>> We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random.
>> Tried to look into memory, cpu load and disk usage of the specific OpenShift gear and gone through all of the logs but nothing out of the ordinary could be found.
>> Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to login anymore.
>> Has anyone experienced the same with this KeyCloak version?
>>
>> Kind regards,
>> Anton Arntz
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmlnarik at redhat.com Wed Aug 9 09:45:24 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 9 Aug 2017 15:45:24 +0200
Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
In-Reply-To:
References: <3043eb42-366e-6e9a-eb7c-2fc1fcacc8d4@redhat.com>
Message-ID:

I assume the protocol for accessing ADFS is SAML, is that correct? Can anything relevant be found in the ADFS Event log? Is the Keycloak source trusted? What is the content of the ADFS messages? If that is a SAML status response with an error code, what is the error code? You can view the content of SAML messages either in the browser (if frontchannel is used) or by raising the debug level in keycloak [1]. Is the certificate KeyInfo set correctly to CERT_SUBJECT?

[1] Troubleshooting section of http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html

On Wed, Aug 9, 2017 at 2:50 PM, Anton Arntz wrote:
> Correct, the first step is a redirect from KeyCloak to the ADFS server to authenticate the user.
> This initial redirect happens only once.
> After that we see more than 1000 requests hitting our KeyCloak URL with a redirect from that ADFS server and redirecting back to the ADFS server.
> I mean like this:
> KeyCloak -> ADFS
> ADFS -> KeyCloak
> KeyCloak -> ADFS
> ADFS -> KeyCloak
> KeyCloak -> ADFS
> ADFS -> KeyCloak
> We reached out to our customer to check if one of their users has a different cookie configuration in his/her browser.
> Best way forward seems to be to locate the storm generator first.
>
> -----Original Message-----
> From: Bill Burke [mailto:bburke at redhat.com]
> Sent: Tuesday 8 August 2017 15:35
> To: Anton Arntz ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
>
> How can ADFS make requests to Keycloak? Wouldn't it be the other way around?
>
>
> On 8/8/17 4:53 AM, Anton Arntz wrote:
>> You are absolutely right, but at the time this was all the information I had and I just wanted to check if anyone else had a similar experience.
>> We narrowed it down to 1 realm receiving a lot of requests. All the requests are originating from the customer's ADFS, which fills up our log. It seems that those requests aren't even logged at the keycloak realm, but the "logout all sessions" button in the sessions part of the realm does stop the storm.
>> To answer your questions, customers didn't see the login page and keycloak didn't process HTTP requests anymore. KeyCloak is just one instance. I don't know the number of database connections at that time. Will certainly look into those metrics next time.
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
>> Sent: Tuesday 1 August 2017 16:31
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
>>
>> You'll need to narrow down the problem more. i.e. What does "can't login anymore" mean? Do customers still see login pages? Can Keycloak still receive and process HTTP requests? Or is there connection denied? Is Keycloak clustered? Or is it one instance? How many open database connections does the DB have?
>>
>> On 8/1/17 5:47 AM, Anton Arntz wrote:
>>> We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random.
>>> Tried to look into memory, cpu load and disk usage of the specific OpenShift gear and gone through all of the logs but nothing out of the ordinary could be found.
>>> Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to login anymore.
>>> Has anyone experienced the same with this KeyCloak version?
>>>
>>> Kind regards,
>>> Anton Arntz
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From horizn at wp.pl Wed Aug 9 09:59:13 2017
From: horizn at wp.pl (K K)
Date: Wed, 09 Aug 2017 15:59:13 +0200
Subject: [keycloak-user] Operation ("add") failed - address...
Message-ID: <598b1531cb2e96.96164674@wp.pl>

I have migrated the configuration from the keycloak-server.json file to standalone.xml and since then, for some reason, Keycloak is failing to start:

https://pastebin.com/KkcC1hL7

If I remove the Mongo configuration from standalone.xml and put it back into keycloak-server.json, it works again.

standalone.xml: https://pastebin.com/VTErGeGb
keycloak-server.json: https://pastebin.com/CX87EYA5

I tried to change the migration strategy from update to manual or remove it completely, but it seems that is not the problem.
Any idea why?

From t.ruiten at rdmedia.com Wed Aug 9 10:04:25 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Wed, 9 Aug 2017 16:04:25 +0200
Subject: [keycloak-user] NullPointerException when attempting to remove group
In-Reply-To:
References:
Message-ID:

Hello,

Does anyone have an idea? Is there any extra info I can provide?

On 4 August 2017 at 17:44, Tiemen Ruiten wrote:
> Hello,
>
> I'm getting the following error when I attempt to delete a group that has
> been imported from a FreeIPA LDAP User Federation through a
> group-ldap-mapper:
>
> 2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) UT005023: Exception handling request to /auth/admin/realms/authentid/groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.NullPointerException
>     at org.keycloak.services.resources.admin.permissions.GroupPermissions.deletePermissions(GroupPermissions.java:188)
>     at org.keycloak.services.resources.admin.permissions.GroupPermissions.setPermissionsEnabled(GroupPermissions.java:167)
>     at org.keycloak.services.resources.admin.permissions.AdminPermissions$1.onEvent(AdminPermissions.java:77)
>     at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68)
>     at org.keycloak.models.jpa.JpaRealmProvider.removeGroup(JpaRealmProvider.java:379)
>     at org.keycloak.models.cache.infinispan.RealmCacheSession.removeGroup(RealmCacheSession.java:926)
>     at org.keycloak.models.cache.infinispan.RealmAdapter.removeGroup(RealmAdapter.java:1242)
>     at org.keycloak.services.resources.admin.GroupResource.deleteGroup(GroupResource.java:118)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     ... 37 more
>
> In fact, I cannot delete any groups anymore. There are two LDAP User
> Federations set up, one to an Active Directory, one to the aforementioned
> FreeIPA instance. Both have group mappers set up and some of the group
> names clash unfortunately, that's why I wanted to delete some groups and
> redo the import. What can I do?
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>

--
Tiemen Ruiten
Systems Engineer
R&D Media

From MaXmania at web.de Wed Aug 9 10:13:23 2017
From: MaXmania at web.de (Markus Piatkowski)
Date: Wed, 9 Aug 2017 16:13:23 +0200
Subject: [keycloak-user] Federation/Provider update 2.2.1 to 3.2
Message-ID:

Hi everyone,

I am trying to update our federation from Keycloak 2.2.1 to 3.2. My problem is that the federation in our setup is responsible for blocking inactive user accounts. In the old version the validateAndProxy method was called on every user request (e.g. during the login process). This method deactivated the user when the lastLogin timestamp (user attribute) was too old.

In the current version the federation has changed. My first try was to implement the UserStorageProvider with the ImportedUserValidation interface. But the validate method is called only once for each user. According to my understanding the method is only called on local storage access and not when the user is in the cache.

My second try was to implement an EventListenerProvider and check the timestamp on the LOGIN event. This worked, but I did not get any error message on the login screen. If I disable a user during the login process, keycloak fires a CODE_TO_TOKEN_ERROR event. The result is a reload of the login screen without user notification or any error message for the user.

Does someone have an idea how to solve the problem?

Thanks and regards,
Markus

From hmlnarik at redhat.com Wed Aug 9 10:13:32 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 9 Aug 2017 16:13:32 +0200
Subject: [keycloak-user] Operation ("add") failed - address...
In-Reply-To: <598b1531cb2e96.96164674@wp.pl>
References: <598b1531cb2e96.96164674@wp.pl>
Message-ID:

What DB, what keycloak versions? There is no support for Mongo anymore [1]

[1] http://blog.keycloak.org/2017/02/removing-mongo-support-from-keycloak.html

On Wed, Aug 9, 2017 at 3:59 PM, K K wrote:
> I have migrated the configuration from the keycloak-server.json file to standalone.xml and since then, for some reason, Keycloak is failing to start:
>
> https://pastebin.com/KkcC1hL7
>
> If I remove the Mongo configuration from standalone.xml and put it back into keycloak-server.json, it works again.
>
> standalone.xml: https://pastebin.com/VTErGeGb
> keycloak-server.json: https://pastebin.com/CX87EYA5
>
> I tried to change the migration strategy from update to manual or remove it completely, but it seems that is not the problem.
> Any idea why?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From horizn at wp.pl Wed Aug 9 10:27:50 2017
From: horizn at wp.pl (Kamil Kapturkiewicz)
Date: Wed, 9 Aug 2017 15:27:50 +0100
Subject: [keycloak-user] Operation ("add") failed - address...
In-Reply-To:
References: <598b1531cb2e96.96164674@wp.pl>
Message-ID: <34460868-e189-47ea-67c8-955cb56cb9b3@wp.pl>

Keycloak 2.4.0, there is support for Mongo in that version. I am upgrading from 1.9.8.

On 09/08/17 15:13, Hynek Mlnarik wrote:
> What DB, what keycloak versions? There is no support for Mongo anymore [1]
>
> [1] http://blog.keycloak.org/2017/02/removing-mongo-support-from-keycloak.html
>
> On Wed, Aug 9, 2017 at 3:59 PM, K K wrote:
>> I have migrated the configuration from the keycloak-server.json file to standalone.xml and since then, for some reason, Keycloak is failing to start:
>>
>> https://pastebin.com/KkcC1hL7
>>
>> If I remove the Mongo configuration from standalone.xml and put it back into keycloak-server.json, it works again.
>>
>> standalone.xml: https://pastebin.com/VTErGeGb
>> keycloak-server.json: https://pastebin.com/CX87EYA5
>>
>> I tried to change the migration strategy from update to manual or remove it completely, but it seems that is not the problem.
>> Any idea why?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

--
skype. kamil.kapturkiewicz
tel/signal. +44 758 306 8467

From edwin.zhao at nokia-sbell.com Wed Aug 9 10:41:14 2017
From: edwin.zhao at nokia-sbell.com (Zhao, Edwin (NSB - CN/Beijing))
Date: Wed, 9 Aug 2017 14:41:14 +0000
Subject: [keycloak-user] Brute Force Detection issue: wrong password attempt counter not reset with successful login
Message-ID:

Is there any suggestion? Should I create a bug fix Jira ticket?
From: Zhao, Edwin (NSB - CN/Beijing)
Sent: Friday, August 04, 2017 10:45 PM
To: 'keycloak-dev-bounces at lists.jboss.org'; keycloak-user at lists.jboss.org
Subject: Brute Force Detection issue: wrong password attempt counter not reset with successful login

Hi Keycloak team,

Many of our products would like to use keycloak for SSO, with the brute force detection function enabled. But they all want the password failure counter to be reset after a correct password is entered. I saw 2 related tickets had once been created before, but product teams here in the Nokia A&A organization still want the counter to be reset after successful login.

https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046

We once again raise this request, please help to provide the enhancement.

Thanks,
Edwin

----------------------------------------------
Reproduce:
Enable Brute Force Detection on the realm
Set Max Login Failures to 3 (or any other number) on a user
Attempt to log in to Keycloak with the user, trying an invalid password 2 times
Attempt to log in to Keycloak with the user with the correct password (should succeed)
Log out
Attempt to log in to Keycloak with the user, trying an invalid password 1 time
Attempt to log in to Keycloak with the user with the correct password (should succeed, but fails)
Verify by logging in with Administrator to Keycloak and check the user status (will be locked out).

From john.d.ament at gmail.com Wed Aug 9 13:37:39 2017
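Edwin's reproduction steps above, modelled as a small per-user failure counter. This is an added illustration for the thread, not Keycloak's own brute-force code: failures only expire by time (the realm's Failure Reset Time), never on a correct password, which is the behaviour the report describes, and a `reset_on_success` switch shows the behaviour the report asks for. The user name, the attempt timestamps and the 12-hour reset default are assumed sample values.

```python
"""Model of the login-failure counter behaviour reported in the thread.

Added illustration, not Keycloak code. One counter per user; the user is
locked once the counter reaches Max Login Failures; failures are forgotten
only when they are older than Failure Reset Time. With reset_on_success=False
(the reported behaviour) a correct password leaves the counter untouched.
"""
from dataclasses import dataclass


@dataclass
class UserLoginState:
    failures: int = 0
    last_failure: float = 0.0   # seconds on the caller-supplied clock
    locked: bool = False


class BruteForceDetector:
    def __init__(self, max_failures: int = 3,
                 failure_reset_seconds: float = 12 * 3600,   # assumed default
                 reset_on_success: bool = False):
        self.max_failures = max_failures              # "Max Login Failures" = 3 in the report
        self.failure_reset_seconds = failure_reset_seconds
        self.reset_on_success = reset_on_success      # the requested enhancement
        self.users: dict[str, UserLoginState] = {}

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now`; returns 'success', 'failure' or 'locked'."""
        state = self.users.setdefault(username, UserLoginState())
        if state.locked:
            return "locked"
        # Current behaviour: failures expire only by time, never by a correct password.
        if state.failures and now - state.last_failure > self.failure_reset_seconds:
            state.failures = 0
        if password_ok:
            if self.reset_on_success:
                state.failures = 0
            return "success"
        state.failures += 1
        state.last_failure = now
        if state.failures >= self.max_failures:
            state.locked = True
            return "locked"
        return "failure"

    def is_locked(self, username: str) -> bool:
        return self.users.get(username, UserLoginState()).locked


# The report's sequence: two wrong passwords, a correct one, (logout), one wrong, one correct.
# Timestamps are constructed; the logout step does not touch the counter and is omitted.
REPRO_STEPS = [(False, 0.0), (False, 10.0), (True, 20.0), (False, 30.0), (True, 40.0)]


def reproduce(reset_on_success: bool, steps=REPRO_STEPS) -> list[str]:
    """Outcome of each attempt in the reproduction under the chosen policy."""
    detector = BruteForceDetector(max_failures=3, reset_on_success=reset_on_success)
    return [detector.attempt("testuser", ok, t) for ok, t in steps]


if __name__ == "__main__":
    # Reported behaviour: the third failure locks the user, so the final correct login fails.
    print("counter kept  :", reproduce(False))
    # Requested behaviour: the correct login in step 3 clears the counter.
    print("counter reset :", reproduce(True))
```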
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 09 Aug 2017 17:37:39 +0000
Subject: [keycloak-user] Recaptcha Provider causing PersistenceExceptions
Message-ID:

Hi,

After upgrading to Keycloak 3.2 we found that the admin screens won't load in certain scenarios, under authentication -> flows. When we choose the registration or browser flows, the following stacktrace is seen:

17:33:25,251 ERROR [io.undertow.request] (default task-12) UT005023: Exception handling request to /auth/admin/realms/qpd-manager/authentication/flows/registration/executions: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: java.lang.IllegalArgumentException: id to load is required for loading
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: java.lang.IllegalArgumentException: id to load is required for loading
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
    at com.sun.proxy.$Proxy66.find(Unknown Source)
    at org.keycloak.models.jpa.RealmAdapter.getAuthenticatorConfigById(RealmAdapter.java:1576)
    at org.keycloak.services.resources.admin.AuthenticationManagementResource.recurseExecutions(AuthenticationManagementResource.java:512)
    at org.keycloak.services.resources.admin.AuthenticationManagementResource.recurseExecutions(AuthenticationManagementResource.java:500)
    at org.keycloak.services.resources.admin.AuthenticationManagementResource.getExecutions(AuthenticationManagementResource.java:464)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: java.lang.IllegalArgumentException: id to load is required for loading
    at org.hibernate.event.spi.LoadEvent.<init>(LoadEvent.java:93)
    at org.hibernate.event.spi.LoadEvent.<init>(LoadEvent.java:63)
    at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2693)
    at org.hibernate.internal.SessionImpl.get(SessionImpl.java:975)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1075)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1033)
    at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    ...
56 more However, keycloak is handling a null return value, that isn't what's happening in JPA. The ID in this case is null, which causes hibernate to throw a persistence exception that the ID must not be null to do a load. I have no idea what is causing this, however it only happens when our custom providers are deployed to Keycloak. This does not happen in Keycloak 3.1. The execution in this case is when loading the recaptcha execution. We have no customized anything with regard to recaptcha. John From john.d.ament at gmail.com Wed Aug 9 14:13:09 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Wed, 09 Aug 2017 18:13:09 +0000 Subject: [keycloak-user] Recaptcha Provider causing PersistenceExceptions In-Reply-To: References: Message-ID: I just tested it out. I think I know why it works OOTB but not with config changes. For some reason, in my env caching doesn't work, so its always hitting the DB. The issue does in fact fail on master for this same case, when I get caching to not work. I would recommend adding the following fix (from 3.2 code). Let me know if you want me to create a ticket. Also do let me know if you have any idea why caching gets disabled in my env. John diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java b/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java index 61f6254..068fd09 100755 --- a/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java 
@@ -509,10 +509,12 @@ public class AuthenticationManagementResource { rep.setId(execution.getId()); if (factory.isConfigurable()) { - AuthenticatorConfigModel authenticatorConfig = realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig()); + if (execution.getAuthenticatorConfig() != null) { + AuthenticatorConfigModel authenticatorConfig = realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig()); - if (authenticatorConfig != null) { - rep.setAlias(authenticatorConfig.getAlias()); + if (authenticatorConfig != null) { + rep.setAlias(authenticatorConfig.getAlias()); + } } }

On Wed, Aug 9, 2017 at 1:37 PM John D. Ament wrote:
> [...]
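Review bot: the new `if (execution.getAuthenticatorConfig() != null)` guard at the top of the hunk fixes this one caller but leaves the underlying asymmetry in place: per the trace, the JPA `RealmAdapter.getAuthenticatorConfigById` hands a null id straight to `EntityManager.find`, which Hibernate rejects with "id to load is required for loading", while the cache-backed path (the one that works OOTB, per the message above the patch) evidently tolerates the null. Any other caller that passes an unset config id would fail the same way whenever the realm cache is bypassed, so the more robust change is to make the JPA implementation return null for a null id as well and keep this guard as defence in depth. Minor: the `-`/`+` pair for `if (authenticatorConfig != null) {` and `rep.setAlias(authenticatorConfig.getAlias());` differs only in indentation, which pads the hunk; a whitespace-insensitive diff would show the real change as just the two added lines.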
From thomas.darimont at googlemail.com Wed Aug 9 15:33:16 2017
From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 9 Aug 2017 21:33:16 +0200 Subject: [keycloak-user] NullPointerException when attempting to remove group In-Reply-To: References: Message-ID:

Hello,

which version of Keycloak are you using?

Cheers,
Thomas

2017-08-09 16:04 GMT+02:00 Tiemen Ruiten :
> Hello,
>
> Does anyone have an idea? Is there any extra info I can provide?
>
> On 4 August 2017 at 17:44, Tiemen Ruiten wrote:
>
> > Hello,
> >
> > I'm getting the following error when I attempt to delete a group that has
> > been imported from a FreeIPA LDAP User Federation through a
> > group-ldap-mapper:
> >
> > 2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) UT005023: Exception handling request to /auth/admin/realms/authentid/groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> >     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> >     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >     at java.lang.Thread.run(Thread.java:748)
> > Caused by: java.lang.NullPointerException
> >     at org.keycloak.services.resources.admin.permissions.GroupPermissions.deletePermissions(GroupPermissions.java:188)
> >     at org.keycloak.services.resources.admin.permissions.GroupPermissions.setPermissionsEnabled(GroupPermissions.java:167)
> >     at org.keycloak.services.resources.admin.permissions.AdminPermissions$1.onEvent(AdminPermissions.java:77)
> >     at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68)
> >     at org.keycloak.models.jpa.JpaRealmProvider.removeGroup(JpaRealmProvider.java:379)
> >     at org.keycloak.models.cache.infinispan.RealmCacheSession.removeGroup(RealmCacheSession.java:926)
> >     at org.keycloak.models.cache.infinispan.RealmAdapter.removeGroup(RealmAdapter.java:1242)
> >     at org.keycloak.services.resources.admin.GroupResource.deleteGroup(GroupResource.java:118)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> >     ... 37 more
> >
> > In fact, I can not delete any groups anymore. There are two LDAP User
> > Federations set up, one to an Active Directory, one to the aforementioned
> > FreeIPA instance. Both have group mappers set up and some of the group
> > names clash unfortunately; that's why I wanted to delete some groups and
> > redo the import. What can I do?
> >
> > --
> > Tiemen Ruiten
> > Systems Engineer
> > R&D Media
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From t.ruiten at rdmedia.com Wed Aug 9 15:35:15 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 9 Aug 2017 21:35:15 +0200 Subject: [keycloak-user] NullPointerException when attempting to remove group In-Reply-To: References: Message-ID:

It's Keycloak 3.2.1.

On 9 August 2017 at 21:33, Thomas Darimont wrote:
> [...]

--
Tiemen Ruiten
Systems Engineer
R&D Media
From mposolda at redhat.com Wed Aug 9 15:44:50 2017
From: mposolda at redhat.com (Marek Posolda) Date: Wed, 9 Aug 2017 21:44:50 +0200 Subject: [keycloak-user] NullPointerException when attempting to remove group In-Reply-To: References: Message-ID: <9d232374-a9ef-d25d-dbe1-6c78a68780af@redhat.com> Could you try if you can delete group in your environment with the fresh realm without LDAP? If it doesn't work for you just with LDAP, it's likely a bug. Feel free to create JIRA with steps to reproduce. Thanks, Marek On 09/08/17 16:04, Tiemen Ruiten wrote: > Hello, > > Does anyone have an idea? Is there any extra info I can provide? > > On 4 August 2017 at 17:44, Tiemen Ruiten wrote: > >> Hello, >> >> I'm getting the following error when I attempt to delete a group that has >> been imported from a FreeIPA LDAP User Federation through a >> group-ldap-mapper: >> >> 2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) >> UT005023: Exception handling request to /auth/admin/realms/authentid/ >> groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: org.jboss.resteasy.spi.UnhandledException: >> java.lang.NullPointerException >> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( >> ExceptionHandler.java:76) >> at org.jboss.resteasy.core.ExceptionHandler.handleException( >> ExceptionHandler.java:212) >> at org.jboss.resteasy.core.SynchronousDispatcher.writeException( >> SynchronousDispatcher.java:168) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> SynchronousDispatcher.java:411) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> SynchronousDispatcher.java:202) >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. >> service(ServletContainerDispatcher.java:221) >> at org.jboss.resteasy.plugins.server.servlet. >> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at org.jboss.resteasy.plugins.server.servlet. 
>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >> ServletHandler.java:85) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> doFilter(FilterHandler.java:129) >> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( >> KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> doFilter(FilterHandler.java:131) >> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >> FilterHandler.java:84) >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. >> handleRequest(ServletSecurityRoleHandler.java:62) >> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( >> ServletDispatchingHandler.java:36) >> at org.wildfly.extension.undertow.security.SecurityContextAssociationHand >> ler.handleRequest(SecurityContextAssociationHandler.java:78) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl >> er.handleRequest(SSLInformationAssociationHandler.java:131) >> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl >> er.handleRequest(ServletAuthenticationCallHandler.java:57) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.security.handlers.AbstractConfidentialityHandler >> .handleRequest(AbstractConfidentialityHandler.java:46) >> at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai >> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at io.undertow.security.handlers.AuthenticationMechanismsHandle >> r.handleRequest(AuthenticationMechanismsHandler.java:60) >> at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand >> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at io.undertow.security.handlers.NotificationReceiverHandler. >> handleRequest(NotificationReceiverHandler.java:50) >> at io.undertow.security.handlers.AbstractSecurityContextAssocia >> tionHandler.handleRequest(AbstractSecurityContextAssocia >> tionHandler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. >> handleRequest(JACCContextIdHandler.java:61) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( >> ServletInitialHandler.java:284) >> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( >> ServletInitialHandler.java:263) >> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >> 000(ServletInitialHandler.java:81) >> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( >> ServletInitialHandler.java:174) >> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at io.undertow.server.HttpServerExchange$1.run( >> HttpServerExchange.java:793) >> at java.util.concurrent.ThreadPoolExecutor.runWorker( >> ThreadPoolExecutor.java:1149) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >> ThreadPoolExecutor.java:624) >> at java.lang.Thread.run(Thread.java:748) >> Caused by: java.lang.NullPointerException >> at org.keycloak.services.resources.admin.permissions.GroupPermissions. >> deletePermissions(GroupPermissions.java:188) >> at org.keycloak.services.resources.admin.permissions.GroupPermissions. >> setPermissionsEnabled(GroupPermissions.java:167) >> at org.keycloak.services.resources.admin.permissions. 
>> AdminPermissions$1.onEvent(AdminPermissions.java:77) >> at org.keycloak.services.DefaultKeycloakSessionFactory.publish( >> DefaultKeycloakSessionFactory.java:68) >> at org.keycloak.models.jpa.JpaRealmProvider.removeGroup( >> JpaRealmProvider.java:379) >> at org.keycloak.models.cache.infinispan.RealmCacheSession. >> removeGroup(RealmCacheSession.java:926) >> at org.keycloak.models.cache.infinispan.RealmAdapter. >> removeGroup(RealmAdapter.java:1242) >> at org.keycloak.services.resources.admin.GroupResource. >> deleteGroup(GroupResource.java:118) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke( >> NativeMethodAccessorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >> DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >> MethodInjectorImpl.java:139) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( >> ResourceMethodInvoker.java:295) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >> ResourceMethodInvoker.java:249) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >> ResourceLocatorInvoker.java:138) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> ResourceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >> ResourceLocatorInvoker.java:133) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> ResourceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >> ResourceLocatorInvoker.java:133) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> ResourceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >> ResourceLocatorInvoker.java:133) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> ResourceLocatorInvoker.java:101) >> at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(
>> SynchronousDispatcher.java:395)
>> ... 37 more
>>
>> In fact, I can not delete any groups anymore. There are two LDAP User
>> Federations setup, one to an Active Directory, one to the aforementioned
>> FreeIPA instance. Both have group mappers setup and some of the group
>> names clash unfortunately, that's why I wanted to delete some groups and
>> redo the import. What can I do?
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>
>

From t.ruiten at rdmedia.com Wed Aug 9 16:11:53 2017
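The trace quoted above is dominated by RESTEasy and Undertow frames; the part that matters for a bug report is the "Caused by:" chain. Its root cause is the NullPointerException at GroupPermissions.deletePermissions (GroupPermissions.java:188), reached from the group-removal event published by JpaRealmProvider.removeGroup, with GroupResource.deleteGroup as the REST entry point; no frame in the quoted trace belongs to the LDAP storage provider. The script below is an added example, not code from this thread or from the Keycloak project. It parses a WildFly/Undertow UT005023 error into its exception chain and reports the realm and resource ID from the admin URL, the root cause, and the first and last Keycloak frames beneath it. The embedded log excerpt is a constructed, abridged copy of the trace above (most plumbing frames dropped); the class, function and field names are my own.

```python
"""Triage helper for WildFly/Undertow UT005023 errors logged by Keycloak.

Added example (not Keycloak code): walks the exception chain in a log
excerpt and names the root cause plus the Keycloak frames beneath it,
so a report can point at the failing component rather than at the
RESTEasy/Undertow plumbing that dominates the trace.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the trace posted in this thread,
# with most RESTEasy/Undertow frames removed. Real logs put a tab before "at".
SAMPLE_LOG = """\
2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) UT005023: Exception handling request to /auth/admin/realms/authentid/groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
\tat org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
\tat org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
\tat org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
\tat java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
\tat org.keycloak.services.resources.admin.permissions.GroupPermissions.deletePermissions(GroupPermissions.java:188)
\tat org.keycloak.services.resources.admin.permissions.GroupPermissions.setPermissionsEnabled(GroupPermissions.java:167)
\tat org.keycloak.services.resources.admin.permissions.AdminPermissions$1.onEvent(AdminPermissions.java:77)
\tat org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68)
\tat org.keycloak.models.jpa.JpaRealmProvider.removeGroup(JpaRealmProvider.java:379)
\tat org.keycloak.services.resources.admin.GroupResource.deleteGroup(GroupResource.java:118)
\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
\t... 37 more
"""

# Undertow's request-failure line: path, then the outermost exception class.
REQUEST_RE = re.compile(r"UT005023: Exception handling request to (?P<path>\S+?): (?P<exc>[\w$.]+)")
CAUSE_RE = re.compile(r"^Caused by: (?P<exc>[\w$.]+)")
# One JVM stack frame; the line number is absent for "Native Method" frames.
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<file>[^:)]+)(?::(?P<line>\d+))?\)")
# Admin REST URL shape: /admin/realms/{realm}/{resource}/{id}
ADMIN_PATH_RE = re.compile(r"/admin/realms/(?P<realm>[^/]+)/(?P<resource>[^/]+)/(?P<id>[^/?]+)")


@dataclass
class Frame:
    cls: str
    method: str
    file: str
    line: Optional[int]

    @property
    def is_keycloak(self) -> bool:
        return self.cls.startswith("org.keycloak.")


@dataclass
class Exc:
    name: str
    frames: List[Frame] = field(default_factory=list)


@dataclass
class Triage:
    path: str
    realm: Optional[str]
    resource: Optional[str]
    object_id: Optional[str]
    chain: List[Exc]  # outermost exception first, root cause last

    @property
    def root_cause(self) -> Exc:
        return self.chain[-1]

    def first_keycloak_frame(self) -> Optional[Frame]:
        # Innermost Keycloak frame of the root cause: where it actually failed.
        return next((f for f in self.root_cause.frames if f.is_keycloak), None)

    def entry_point(self) -> Optional[Frame]:
        # Outermost Keycloak frame of the root cause: normally the REST resource method.
        kc = [f for f in self.root_cause.frames if f.is_keycloak]
        return kc[-1] if kc else None

    def has_frame_in(self, package_prefix: str) -> bool:
        return any(f.cls.startswith(package_prefix) for e in self.chain for f in e.frames)


def parse_ut005023(log: str) -> Triage:
    path = None
    chain: List[Exc] = []
    for raw in log.splitlines():
        m = REQUEST_RE.search(raw)
        if m:
            path = m.group("path")
            chain.append(Exc(m.group("exc")))
            continue
        m = CAUSE_RE.match(raw)
        if m:
            chain.append(Exc(m.group("exc")))
            continue
        m = FRAME_RE.match(raw)
        if m and chain:
            line = m.group("line")
            chain[-1].frames.append(Frame(m.group("cls"), m.group("method"), m.group("file"),
                                          int(line) if line else None))
    if path is None or not chain:
        raise ValueError("no UT005023 request error found in log excerpt")
    am = ADMIN_PATH_RE.search(path)
    return Triage(path, am.group("realm") if am else None, am.group("resource") if am else None,
                  am.group("id") if am else None, chain)


def summarize(t: Triage) -> str:
    f = t.first_keycloak_frame()
    e = t.entry_point()
    where = f"{f.cls}.{f.method}({f.file}:{f.line})" if f else "no Keycloak frame"
    entry = f"{e.cls.rsplit('.', 1)[-1]}.{e.method}" if e else "unknown"
    return f"realm={t.realm} {t.resource}={t.object_id} via {entry}: {t.root_cause.name} at {where}"


if __name__ == "__main__":
    triage = parse_ut005023(SAMPLE_LOG)
    print(summarize(triage))
    print("LDAP provider on the stack:", triage.has_frame_in("org.keycloak.storage.ldap"))
```

Paste a UT005023 block from server.log in place of the sample to get the same one-line summary for a different failure. has_frame_in() is the quick check behind Marek's question: the frames here all sit under org.keycloak.services.resources.admin.permissions, so the component to name in the issue is the fine-grained admin permissions code, and the LDAP federation is only the source of the group being deleted.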
From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 9 Aug 2017 22:11:53 +0200 Subject: [keycloak-user] NullPointerException when attempting to remove group In-Reply-To: <9d232374-a9ef-d25d-dbe1-6c78a68780af@redhat.com> References: <9d232374-a9ef-d25d-dbe1-6c78a68780af@redhat.com> Message-ID: I could delete groups in a newly setup realm, so issue created: https://issues.jboss.org/browse/KEYCLOAK-5271 On 9 August 2017 at 21:44, Marek Posolda wrote: > Could you try if you can delete group in your environment with the fresh > realm without LDAP? If it doesn't work for you just with LDAP, it's likely > a bug. Feel free to create JIRA with steps to reproduce. > > Thanks, > Marek > > On 09/08/17 16:04, Tiemen Ruiten wrote: > >> Hello, >> >> Does anyone have an idea? Is there any extra info I can provide? >> >> On 4 August 2017 at 17:44, Tiemen Ruiten wrote: >> >> Hello, >>> >>> I'm getting the following error when I attempt to delete a group that has >>> been imported from a FreeIPA LDAP User Federation through a >>> group-ldap-mapper: >>> >>> 2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) >>> UT005023: Exception handling request to /auth/admin/realms/authentid/ >>> groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: >>> org.jboss.resteasy.spi.UnhandledException: >>> java.lang.NullPointerException >>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( >>> ExceptionHandler.java:76) >>> at org.jboss.resteasy.core.ExceptionHandler.handleException( >>> ExceptionHandler.java:212) >>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException( >>> SynchronousDispatcher.java:168) >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>> SynchronousDispatcher.java:411) >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>> SynchronousDispatcher.java:202) >>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. 
>>> service(ServletContainerDispatcher.java:221) >>> at org.jboss.resteasy.plugins.server.servlet. >>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> at org.jboss.resteasy.plugins.server.servlet. >>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >>> ServletHandler.java:85) >>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>> doFilter(FilterHandler.java:129) >>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( >>> KeycloakSessionServletFilter.java:90) >>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >>> r.java:60) >>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>> doFilter(FilterHandler.java:131) >>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >>> FilterHandler.java:84) >>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. 
>>> handleRequest(ServletSecurityRoleHandler.java:62) >>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( >>> ServletDispatchingHandler.java:36) >>> at org.wildfly.extension.undertow.security.SecurityContextAssoc >>> iationHand >>> ler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> PredicateHandler.java:43) >>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl >>> er.handleRequest(SSLInformationAssociationHandler.java:131) >>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl >>> er.handleRequest(ServletAuthenticationCallHandler.java:57) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> PredicateHandler.java:43) >>> at io.undertow.security.handlers.AbstractConfidentialityHandler >>> .handleRequest(AbstractConfidentialityHandler.java:46) >>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai >>> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> at io.undertow.security.handlers.AuthenticationMechanismsHandle >>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand >>> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> at io.undertow.security.handlers.NotificationReceiverHandler. >>> handleRequest(NotificationReceiverHandler.java:50) >>> at io.undertow.security.handlers.AbstractSecurityContextAssocia >>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>> tionHandler.java:43) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> PredicateHandler.java:43) >>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. 
>>> handleRequest(JACCContextIdHandler.java:61) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> PredicateHandler.java:43) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> PredicateHandler.java:43) >>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir >>> stRequest( >>> ServletInitialHandler.java:284) >>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( >>> ServletInitialHandler.java:263) >>> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >>> 000(ServletInitialHandler.java:81) >>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( >>> ServletInitialHandler.java:174) >>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >>> at io.undertow.server.HttpServerExchange$1.run( >>> HttpServerExchange.java:793) >>> at java.util.concurrent.ThreadPoolExecutor.runWorker( >>> ThreadPoolExecutor.java:1149) >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >>> ThreadPoolExecutor.java:624) >>> at java.lang.Thread.run(Thread.java:748) >>> Caused by: java.lang.NullPointerException >>> at org.keycloak.services.resources.admin.permissions.GroupPermissions. >>> deletePermissions(GroupPermissions.java:188) >>> at org.keycloak.services.resources.admin.permissions.GroupPermissions. >>> setPermissionsEnabled(GroupPermissions.java:167) >>> at org.keycloak.services.resources.admin.permissions. >>> AdminPermissions$1.onEvent(AdminPermissions.java:77) >>> at org.keycloak.services.DefaultKeycloakSessionFactory.publish( >>> DefaultKeycloakSessionFactory.java:68) >>> at org.keycloak.models.jpa.JpaRealmProvider.removeGroup( >>> JpaRealmProvider.java:379) >>> at org.keycloak.models.cache.infinispan.RealmCacheSession. >>> removeGroup(RealmCacheSession.java:926) >>> at org.keycloak.models.cache.infinispan.RealmAdapter. >>> removeGroup(RealmAdapter.java:1242) >>> at org.keycloak.services.resources.admin.GroupResource. 
>>> deleteGroup(GroupResource.java:118) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at sun.reflect.NativeMethodAccessorImpl.invoke( >>> NativeMethodAccessorImpl.java:62) >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>> DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>> MethodInjectorImpl.java:139) >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( >>> ResourceMethodInvoker.java:295) >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >>> ResourceMethodInvoker.java:249) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>> ResourceLocatorInvoker.java:138) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>> ResourceLocatorInvoker.java:107) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>> ResourceLocatorInvoker.java:133) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>> ResourceLocatorInvoker.java:107) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>> ResourceLocatorInvoker.java:133) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>> ResourceLocatorInvoker.java:107) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>> ResourceLocatorInvoker.java:133) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>> ResourceLocatorInvoker.java:101) >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>> SynchronousDispatcher.java:395) >>> ... 37 more >>> >>> In fact, I can not delete any groups anymore. There are two LDAP User >>> Federations setup, one to an Active Directory, one to the aforementioned >>> FreeIPA instance. Both have group mappers setup and some of the group >>> names clash unfortunately, that's why I wanted to delete some groups and >>> redo the import. What can I do? 
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>>
>>>
>>
>>
>
--
Tiemen Ruiten
Systems Engineer
R&D Media

From t.ruiten at rdmedia.com Wed Aug 9 16:24:54 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 9 Aug 2017 22:24:54 +0200 Subject: [keycloak-user] NullPointerException when attempting to remove group In-Reply-To: References: <9d232374-a9ef-d25d-dbe1-6c78a68780af@redhat.com> Message-ID: Hm, looks like it has been reported already: https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-5268 Should I close mine as duplicate? On 9 August 2017 at 22:11, Tiemen Ruiten wrote: > I could delete groups in a newly setup realm, so issue created: > https://issues.jboss.org/browse/KEYCLOAK-5271 > > On 9 August 2017 at 21:44, Marek Posolda wrote: > >> Could you try if you can delete group in your environment with the fresh >> realm without LDAP? If it doesn't work for you just with LDAP, it's likely >> a bug. Feel free to create JIRA with steps to reproduce. >> >> Thanks, >> Marek >> >> On 09/08/17 16:04, Tiemen Ruiten wrote: >> >>> Hello, >>> >>> Does anyone have an idea? Is there any extra info I can provide? >>> >>> On 4 August 2017 at 17:44, Tiemen Ruiten wrote: >>> >>> Hello, >>>> >>>> I'm getting the following error when I attempt to delete a group that >>>> has >>>> been imported from a FreeIPA LDAP User Federation through a >>>> group-ldap-mapper: >>>> >>>> 2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16) >>>> UT005023: Exception handling request to /auth/admin/realms/authentid/ >>>> groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: >>>> org.jboss.resteasy.spi.UnhandledException: >>>> java.lang.NullPointerException >>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( >>>> ExceptionHandler.java:76) >>>> at org.jboss.resteasy.core.ExceptionHandler.handleException( >>>> ExceptionHandler.java:212) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException( >>>> SynchronousDispatcher.java:168) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>> SynchronousDispatcher.java:411) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>> 
SynchronousDispatcher.java:202) >>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>>> spatcher. >>>> service(ServletContainerDispatcher.java:221) >>>> at org.jboss.resteasy.plugins.server.servlet. >>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> at org.jboss.resteasy.plugins.server.servlet. >>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >>>> ServletHandler.java:85) >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>>> doFilter(FilterHandler.java:129) >>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( >>>> KeycloakSessionServletFilter.java:90) >>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >>>> r.java:60) >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>>> doFilter(FilterHandler.java:131) >>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >>>> FilterHandler.java:84) >>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. 
>>>> handleRequest(ServletSecurityRoleHandler.java:62) >>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl >>>> eRequest( >>>> ServletDispatchingHandler.java:36) >>>> at org.wildfly.extension.undertow.security.SecurityContextAssoc >>>> iationHand >>>> ler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> PredicateHandler.java:43) >>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl >>>> er.handleRequest(SSLInformationAssociationHandler.java:131) >>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl >>>> er.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> PredicateHandler.java:43) >>>> at io.undertow.security.handlers.AbstractConfidentialityHandler >>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai >>>> ntHandler.handleRequest(ServletConfidentialityConstraintHand >>>> ler.java:64) >>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle >>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand >>>> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>> at io.undertow.security.handlers.NotificationReceiverHandler. >>>> handleRequest(NotificationReceiverHandler.java:50) >>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia >>>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>>> tionHandler.java:43) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> PredicateHandler.java:43) >>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. 
>>>> handleRequest(JACCContextIdHandler.java:61) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> PredicateHandler.java:43) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> PredicateHandler.java:43) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir >>>> stRequest( >>>> ServletInitialHandler.java:284) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( >>>> ServletInitialHandler.java:263) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >>>> 000(ServletInitialHandler.java:81) >>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( >>>> ServletInitialHandler.java:174) >>>> at io.undertow.server.Connectors.executeRootHandler(Connectors. >>>> java:202) >>>> at io.undertow.server.HttpServerExchange$1.run( >>>> HttpServerExchange.java:793) >>>> at java.util.concurrent.ThreadPoolExecutor.runWorker( >>>> ThreadPoolExecutor.java:1149) >>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >>>> ThreadPoolExecutor.java:624) >>>> at java.lang.Thread.run(Thread.java:748) >>>> Caused by: java.lang.NullPointerException >>>> at org.keycloak.services.resources.admin.permissions.GroupPermissions. >>>> deletePermissions(GroupPermissions.java:188) >>>> at org.keycloak.services.resources.admin.permissions.GroupPermissions. >>>> setPermissionsEnabled(GroupPermissions.java:167) >>>> at org.keycloak.services.resources.admin.permissions. >>>> AdminPermissions$1.onEvent(AdminPermissions.java:77) >>>> at org.keycloak.services.DefaultKeycloakSessionFactory.publish( >>>> DefaultKeycloakSessionFactory.java:68) >>>> at org.keycloak.models.jpa.JpaRealmProvider.removeGroup( >>>> JpaRealmProvider.java:379) >>>> at org.keycloak.models.cache.infinispan.RealmCacheSession. >>>> removeGroup(RealmCacheSession.java:926) >>>> at org.keycloak.models.cache.infinispan.RealmAdapter. 
>>>> removeGroup(RealmAdapter.java:1242) >>>> at org.keycloak.services.resources.admin.GroupResource. >>>> deleteGroup(GroupResource.java:118) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke( >>>> NativeMethodAccessorImpl.java:62) >>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>>> DelegatingMethodAccessorImpl.java:43) >>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>>> MethodInjectorImpl.java:139) >>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( >>>> ResourceMethodInvoker.java:295) >>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >>>> ResourceMethodInvoker.java:249) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>>> ResourceLocatorInvoker.java:138) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>> ResourceLocatorInvoker.java:107) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>>> ResourceLocatorInvoker.java:133) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>> ResourceLocatorInvoker.java:107) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>>> ResourceLocatorInvoker.java:133) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>> ResourceLocatorInvoker.java:107) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( >>>> ResourceLocatorInvoker.java:133) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>> ResourceLocatorInvoker.java:101) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>> SynchronousDispatcher.java:395) >>>> ... 37 more >>>> >>>> In fact, I can not delete any groups anymore. There are two LDAP User >>>> Federations setup, one to an Active Directory, one to the aforementioned >>>> FreeIPA instance. 
Both have group mappers setup and some of the group
>>>> names clash unfortunately, that's why I wanted to delete some groups and
>>>> redo the import. What can I do?
>>>>
>>>> --
>>>> Tiemen Ruiten
>>>> Systems Engineer
>>>> R&D Media
>>>>
>>>>
>>>
>>>
>>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
--
Tiemen Ruiten
Systems Engineer
R&D Media

From mposolda at redhat.com Wed Aug 9 17:01:04 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 9 Aug 2017 23:01:04 +0200
Subject: [keycloak-user] NullPointerException when attempting to remove group
In-Reply-To:
References: <9d232374-a9ef-d25d-dbe1-6c78a68780af@redhat.com>
Message-ID: <1a4581da-89c0-b35c-02c9-c94e1300736f@redhat.com>

Thanks. I've closed https://issues.jboss.org/browse/KEYCLOAK-5271 as duplicate.
Feel free to add yourself as watcher to KEYCLOAK-5268.

Marek

On 09/08/17 22:24, Tiemen Ruiten wrote:
> Hm, looks like it has been reported already:
> https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-5268
>
> Should I close mine as duplicate?
>
> On 9 August 2017 at 22:11, Tiemen Ruiten wrote:
>
> I could delete groups in a newly setup realm, so issue created:
> https://issues.jboss.org/browse/KEYCLOAK-5271
>
>
> On 9 August 2017 at 21:44, Marek Posolda wrote:
>
> Could you try if you can delete group in your environment with
> the fresh realm without LDAP? If it doesn't work for you just
> with LDAP, it's likely a bug. Feel free to create JIRA with
> steps to reproduce.
>
> Thanks,
> Marek
>
> On 09/08/17 16:04, Tiemen Ruiten wrote:
>
> Hello,
>
> Does anyone have an idea? Is there any extra info I can
> provide?
> > On 4 August 2017 at 17:44, Tiemen Ruiten > > wrote: > > Hello, > > I'm getting the following error when I attempt to > delete a group that has > been imported from a FreeIPA LDAP User Federation > through a > group-ldap-mapper: > > 2017-08-04 16:46:21,636 ERROR [io.undertow.request] > (default task-16) > UT005023: Exception handling request to > /auth/admin/realms/authentid/ > groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0: > org.jboss.resteasy.spi.UnhandledException: > java.lang.NullPointerException > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( > ExceptionHandler.java:76) > at > org.jboss.resteasy.core.ExceptionHandler.handleException( > ExceptionHandler.java:212) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException( > SynchronousDispatcher.java:168) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:411) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. > service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at > javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( > KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. 
> doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. > handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( > ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHand > ler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandl > er.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl > er.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstrai > ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand > ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler. > handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. 
> handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( > ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( > ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$ > 000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( > ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run( > HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > Caused by: java.lang.NullPointerException > at > org.keycloak.services.resources.admin.permissions.GroupPermissions. > deletePermissions(GroupPermissions.java:188) > at > org.keycloak.services.resources.admin.permissions.GroupPermissions. > setPermissionsEnabled(GroupPermissions.java:167) > at org.keycloak.services.resources.admin.permissions. > AdminPermissions$1.onEvent(AdminPermissions.java:77) > at > org.keycloak.services.DefaultKeycloakSessionFactory.publish( > DefaultKeycloakSessionFactory.java:68) > at org.keycloak.models.jpa.JpaRealmProvider.removeGroup( > JpaRealmProvider.java:379) > at org.keycloak.models.cache.infinispan.RealmCacheSession. > removeGroup(RealmCacheSession.java:926) > at org.keycloak.models.cache.infinispan.RealmAdapter. > removeGroup(RealmAdapter.java:1242) > at org.keycloak.services.resources.admin.GroupResource. 
> deleteGroup(GroupResource.java:118) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) > ... 37 more > > In fact, I can not delete any groups anymore. There > are two LDAP User > Federations setup, one to an Active Directory, one to > the aforementioned > FreeIPA instance. Both have group mappers setup and > some of the group > names clash unfortunately, that's why I wanted to > delete some groups and > redo the import. What can I do? 
> > -- > Tiemen Ruiten > Systems Engineer > R&D Media From vikrant02.work at gmail.com Wed Aug 9 17:35:09 2017
From: vikrant02.work at gmail.com (Vikrant Singh) Date: Thu, 10 Aug 2017 03:05:09 +0530 Subject: [keycloak-user] DB deadlock for concurrent logins Message-ID: Hi, I am running Keycloak 3.2.1.Final on the OpenShift platform with MariaDB 10.2.7 as the DB, recently upgraded from 3.1.0.Final. The deployment consists of 3 Keycloak servers along with 3 DB instances. As part of the Kubernetes readiness check, a token is requested for a local user in the master realm every 10 sec. The concurrent token requests for the same user are causing a deadlock exception in the DB. Following is the exception being logged in Keycloak. Caused by: java.sql.SQLException: Deadlock found when trying to get lock; try restarting transaction Query is: select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_, userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_ where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master'] at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218) ... 76 more Caused by: java.sql.SQLException: Lock wait timeout exceeded; try restarting transaction Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?, CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?, SALT=?, TYPE=?, USER_ID=?, VALUE=? 
where ID=?, parameters ['pbkdf2-sha256',0,1501750736628,,0,27500,0,,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919'] at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218) ... 78 more Why is Keycloak trying to update the user credential on every login, and why is a deadlock occurring? Any help is truly appreciated. Thanks, Vikrant From veit.guna at gmx.de Wed Aug 9 18:24:09 2017 From: veit.guna at gmx.de (Veit Guna) Date: Thu, 10 Aug 2017 00:24:09 +0200 Subject: [keycloak-user] Security Patches Message-ID: <3cd78eb1-9c05-fa5a-9014-c18712b2a140@gmx.de> Hi. As the Keycloak support page explicitly states that the Keycloak community edition will _never_ get patches, I'm wondering how this is usually handled. Let's assume there's a security-critical bug in Keycloak that can be exploited from the outside. How quickly does this usually get fixed in the community edition? I know that this will be quickly patched in the Red Hat SSO version of Keycloak, but what does that mean regarding Keycloak CE? When will such fixes usually reach Keycloak? Are patches for Red Hat SSO publicly available so one could theoretically use them to patch Keycloak oneself? Cheers Veit From bburke at redhat.com Wed Aug 9 21:03:33 2017 
From: bburke at redhat.com (Bill Burke) Date: Wed, 9 Aug 2017 21:03:33 -0400 Subject: [keycloak-user] DB deadlock for concurrent logins In-Reply-To: References: Message-ID: <48868bfb-7dc0-2bee-f634-6e7a98789ab1@redhat.com> I believe that the default hashing algorithm has changed to SHA-256 as SHA-1 was recently in the news for being able to create hash collisions. Because of this change, each login will update the password hash stored with the 1st login of the user. Not sure why MariaDB would deadlock. Don't know enough about how that database performs locks. It is trying to update a foreign key that has an index associated with it. Maybe that has something to do with it. On 8/9/17 5:35 PM, Vikrant Singh wrote: > Hi, > > I am Running Keycloak 3.2.1.Final on openshift platform with MariaDB 10.2.7 > for DB, recently upgraded from 3.1.0.Final. > > Deployment is consist of 3 keycloak servers along with 3 DB instances. As > part of kubernetes rediness check, a token is requested for a local user in > master realm every 10 sec. The concurrent token request for same user is > causing the deadlock exception in DB. Following is the exception being > logged in keycloak. > > > Caused by: java.sql.SQLException: Deadlock found when trying to get > lock; try restarting transaction > > Query is: select userentity0_.ID as ID1_71_, > userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as > EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as > ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_, > userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as > LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_, > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_, > userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_ > where userentity0_.ID=? 
and userentity0_.REALM_ID=?, parameters > ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master'] > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146) > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221) > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218) > > ... 76 more > > > Caused by: java.sql.SQLException: Lock wait timeout exceeded; try > restarting transaction > > Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?, > CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?, > SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters > ['pbkdf2-sha256',0,1501750736628,,0,27500,0, .??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919'] > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146) > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221) > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218) > > ... 78 more > > > Why keycloak is trying to update the user credential for every login. > and why is deadlock occurring? Any help truly appreciated. > > > Thanks, > > Vikrant > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Chris.Raiskin at standard.com Wed Aug 9 21:25:37 2017 From: Chris.Raiskin at standard.com (Chris Raiskin) Date: Thu, 10 Aug 2017 01:25:37 +0000 Subject: [keycloak-user] unsubscribe Message-ID: From simonpayne58 at gmail.com Thu Aug 10 05:11:53 2017 
From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 10 Aug 2017 10:11:53 +0100 Subject: [keycloak-user] token introspection In-Reply-To: References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> <1839453359.1966941.1502209074630@mail.yahoo.com> Message-ID: do we have token introspection implemented in any of the client adapters (other than spring boot)? thanks On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne wrote: > thanks Pedro, > > however, i think our use cases are not exactly the same. it appears your > component is set to allow authentication of user where mine is bearer only. > > the only other differences i can see between our projects is that i am > running gradle with keycloak 3.2.0 and that i have also added compile( > 'org.keycloak:keycloak-authz-client:3.2.0.CR1') > > Lucian, i don't have a project which i can share at the moment as other > code is included, if you would still like to see something i can make a > shareable version. > > Thanks > > > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva > wrote: > >> Hey Lucian, we have this https://github.com/keycloak/ke >> ycloak-quickstarts/tree/latest/app-authz-springboot. >> >> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote: >> >>> Simon, >>> Do you have a demo app with that? I am just curious to see a >>> spring(boot) app with authorizations...I remember that I tried something >>> with authorizations, and the authorization context was null(I know there >>> are some Jira issues about it), but I still could not get it to work in >>> 2.5.5 >>> AuthorizationContext authzContext = >>> keycloakSecurityContext.getAuthorizationContext(); >>> Thanks,Lucian >>> >>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne < >>> simonpayne58 at gmail.com> wrote: >>> >>> yes correct. 
>>> >>> there is a definite change in behavior with the addition of the >>> keycloak.policy-enforcer-config.online-introspection=true flag, as >>> without >>> this single line in my property file it works correctly as a bearer only >>> resource server. Addition of this line results in the incorrect call to >>> token exchange endpoint. >>> >>> thanks >>> >>> >>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote: >>> >>> > Doesn't look like the switch is hooked up to anything. As it is, it >>> > looks like this switch was added for RPT validation, not access token >>> > validation, and not ever implemented. You just want the adapter to >>> > validate the access token with the auth server for bearer token >>> > requests, right? >>> > >>> > >>> > On 8/8/17 9:29 AM, Bill Burke wrote: >>> > > I'm looking at the code on server and I dont' see that it requires >>> any >>> > > special switch to use it. The endpoint is: >>> > > >>> > > @Post >>> > > >>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect >>> > > >>> > > Takes form params. >>> > > >>> > > token >>> > > >>> > > token_type_hint (optional and defaults to "access_token") >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > On 8/8/17 4:31 AM, Simon Payne wrote: >>> > >> after some debugging i figured that >>> > >> keycloak.policy-enforcer-config.online-introspection=true switched >>> on >>> > this >>> > >> functionality, however it appears to error on a 400 after making a >>> call >>> > to >>> > >> the /auth/realms/master/protocol/openid-connect/token endpoint. >>> > >> >>> > >> I'm assuming this is a bug? >>> > >> >>> > >> Thanks >>> > >> >>> > >> >>> > >> >>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne >> > >>> > wrote: >>> > >> >>> > >>> Hi All, >>> > >>> >>> > >>> I'm evaluating keycloak and i'm currently looking at token >>> > introspection. >>> > >>> >>> > >>> I've managed to achieve this manually, i.e. 
by sending a post via >>> > postman, >>> > >>> but i'm unable to figure out whether this can be achieved via the >>> > keycloak >>> > >>> adapters, specifically spring boot. >>> > >>> >>> > >>> any help in this area would be appreciated. >>> > >>> >>> > >>> thanks >>> > >>> >>> > >>> Simon. >>> > >>> >>> > >> _______________________________________________ >>> > >> keycloak-user mailing list >>> > >> keycloak-user at lists.jboss.org >>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > > _______________________________________________ >>> > > keycloak-user mailing list >>> > > keycloak-user at lists.jboss.org >>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From simonpayne58 at gmail.com Thu Aug 10 05:18:22 2017 From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 10 Aug 2017 10:18:22 +0100 Subject: [keycloak-user] discovery and key security Message-ID: Hi, I have found that the .well-known and jwks_uri endpoints are left unsecured, meaning that unauthenticated clients can discover the auth server configuration and signing keys. Surely we should require a minimum of basic authentication using client id and secret? thanks Simon. From john.d.ament at gmail.com Thu Aug 10 06:45:31 2017 
From: john.d.ament at gmail.com (John D. Ament) Date: Thu, 10 Aug 2017 10:45:31 +0000 Subject: [keycloak-user] Recaptcha Provider causing PersistenceExceptions In-Reply-To: References: Message-ID: I've created https://issues.jboss.org/browse/KEYCLOAK-5274 and will leave it up to the KC team if they want to apply the patch. I can throw it out there as a PR if you're going to accept it. John On Wed, Aug 9, 2017 at 2:13 PM John D. Ament wrote: > I just tested it out. I think I know why it works OOTB but not with > config changes. For some reason, in my env caching doesn't work, so it's > always hitting the DB. The issue does in fact fail on master for this same > case, when I get caching to not work. > > I would recommend adding the following fix (from 3.2 code). Let me know > if you want me to create a ticket. Also do let me know if you have any > idea why caching gets disabled in my env. > > John > > diff --git > a/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java > b/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java > index 61f6254..068fd09 100755 > --- > a/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java > +++ > b/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java 
> @@ -509,10 +509,12 @@ public class AuthenticationManagementResource { > rep.setId(execution.getId()); > > if (factory.isConfigurable()) { > - AuthenticatorConfigModel authenticatorConfig = > realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig()); > + if (execution.getAuthenticatorConfig() != null) { > + AuthenticatorConfigModel authenticatorConfig = > realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig()); > > - if (authenticatorConfig != null) { > - rep.setAlias(authenticatorConfig.getAlias()); > + if (authenticatorConfig != null) { > + rep.setAlias(authenticatorConfig.getAlias()); > + } > } > } > > On Wed, Aug 9, 2017 at 1:37 PM John D. Ament > wrote: > >> Hi, >> >> After upgrading to Keycloak 3.2 we found on the admin screens they won't >> load in certain scenarios, under authentication -> flows. When we choose >> the registration or browser flows, the following stacktrace is seen: >> >> 17:33:25,251 ERROR [io.undertow.request] (default task-12) UT005023: >> Exception handling request to >> /auth/admin/realms/qpd-manager/authentication/flows/registration/executions: >> org.jboss.resteasy.spi.UnhandledException: >> org.keycloak.models.ModelException: java.lang.IllegalArgumentException: id >> to load is required for loading >> at >> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >> at >> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> 
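Review bot: the new `if (execution.getAuthenticatorConfig() != null)` guard stops the null id before it reaches `realm.getAuthenticatorConfigById`, which the stack trace below shows ending in Hibernate's `em.find` with "id to load is required for loading"; since `RealmAdapter.getAuthenticatorConfigById` (RealmAdapter.java:1576) is the method that actually receives the null, consider also returning null there for a null id so any caller gets the null-tolerant behaviour the existing `if (authenticatorConfig != null)` check already assumed. The two nested ifs in the hunk can also be flattened by reading the id into a local first, e.g. `String configId = execution.getAuthenticatorConfig();` followed by `AuthenticatorConfigModel authenticatorConfig = configId == null ? null : realm.getAuthenticatorConfigById(configId);`, which keeps the original single `if (authenticatorConfig != null)` block unchanged.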
at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: org.keycloak.models.ModelException: >> java.lang.IllegalArgumentException: id to load is required for loading >> at >> org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) >> at >> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) >> at com.sun.proxy.$Proxy66.find(Unknown 
Source) >> at >> org.keycloak.models.jpa.RealmAdapter.getAuthenticatorConfigById(RealmAdapter.java:1576) >> at >> org.keycloak.services.resources.admin.AuthenticationManagementResource.recurseExecutions(AuthenticationManagementResource.java:512) >> at >> org.keycloak.services.resources.admin.AuthenticationManagementResource.recurseExecutions(AuthenticationManagementResource.java:500) >> at >> org.keycloak.services.resources.admin.AuthenticationManagementResource.getExecutions(AuthenticationManagementResource.java:464) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) >> ... 
37 more >> Caused by: java.lang.IllegalArgumentException: id to load is required >> for loading >> at org.hibernate.event.spi.LoadEvent.<init>(LoadEvent.java:93) >> at org.hibernate.event.spi.LoadEvent.<init>(LoadEvent.java:63) >> at >> org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2693) >> at org.hibernate.internal.SessionImpl.get(SessionImpl.java:975) >> at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1075) >> at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1033) >> at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at >> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) >> ... 56 more >> >> >> However, keycloak is handling a null return value, that isn't what's >> happening in JPA. The ID in this case is null, which causes hibernate to >> throw a persistence exception that the ID must not be null to do a load. >> >> I have no idea what is causing this, however it only happens when our >> custom providers are deployed to Keycloak. This does not happen in >> Keycloak 3.1. The execution in this case is when loading the recaptcha >> execution. We have not customized anything with regard to recaptcha. >> >> John >> > From vikrant02.work at gmail.com Thu Aug 10 07:36:33 2017 
From: vikrant02.work at gmail.com (Vikrant Singh) Date: Thu, 10 Aug 2017 17:06:33 +0530 Subject: [keycloak-user] DB deadlock for concurrent logins Message-ID: Yes, but password migration should only be happening during the first login. I have checked the CREDENTIAL table in the DB and the user has already been migrated to the new hashing algorithm and number of iterations, but Keycloak is still trying to run the update query for each login attempt. -Vikrant On Thu, Aug 10, 2017 at 4:18 PM, wrote: > > > I believe that the default hashing algorithm has changed to SHA-256 as > SHA-1 was recently in the news for being able to create hash > collisions. Because of this change, each login will update the password > hash stored with the 1st login of the user. > > Not sure why MariaDB would deadlock. Don't know enough about how that > database performs locks. It is trying to update a foreign key that has > an index associated with it. Maybe that has something to do with it. > > > > On 8/9/17 5:35 PM, Vikrant Singh wrote: > > Hi, > > > > I am Running Keycloak 3.2.1.Final on openshift platform with MariaDB > 10.2.7 > > for DB, recently upgraded from 3.1.0.Final. > > > > Deployment is consist of 3 keycloak servers along with 3 DB instances. As > > part of kubernetes rediness check, a token is requested for a local user > in > > master realm every 10 sec. The concurrent token request for same user is > > causing the deadlock exception in DB. Following is the exception being > > logged in keycloak. 
> > > > > > Caused by: java.sql.SQLException: Deadlock found when trying to get > > lock; try restarting transaction > > > > Query is: select userentity0_.ID as ID1_71_, > > userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as > > EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, > > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as > > ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_, > > userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as > > LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_, > > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_, > > userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_ > > where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters > > ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master'] > > > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery( > LogQueryTool.java:146) > > > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol. > executeQuery(AbstractQueryProtocol.java:221) > > > > at org.mariadb.jdbc.MariaDbPreparedStatementClient > .executeInternal(MariaDbPreparedStatementClient.java:218) > > > > ... 76 more > > > > > > Caused by: java.sql.SQLException: Lock wait timeout exceeded; try > > restarting transaction > > > > Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?, > > CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?, > > SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters > > ['pbkdf2-sha256',0,1501750736628,,0,27500,0, > .??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6',' > Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/ > 9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919'] > > > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery( > LogQueryTool.java:146) > > > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol. 
> executeQuery(AbstractQueryProtocol.java:221) > > > > at org.mariadb.jdbc.MariaDbPreparedStatementClient > .executeInternal(MariaDbPreparedStatementClient.java:218) > > > > ... 78 more > > > > > > Why keycloak is trying to update the user credential for every login. > > and why is deadlock occurring? Any help truly appreciated. > > > > > > Thanks, > > > > Vikrant > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Thu Aug 10 07:53:23 2017 
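Bill's explanation above (a login re-hashes the stored password once, when the stored credential lags the realm's hashing policy) and Vikrant's check of the CREDENTIAL row, worked through as an added illustration that is not Keycloak's own code: a credential shaped like that row (ALGORITHM, HASH_ITERATIONS, SALT, VALUE) is verified with PBKDF2, and an UPDATE is only produced when the algorithm or iteration count differ from the policy, so a row that has already been migrated never writes again. The 64-byte derived key, the base64 encoding of VALUE and the mapping of the legacy name "pbkdf2" to PBKDF2-HMAC-SHA1 are assumptions; the sample passwords and legacy iteration count are constructed.

```python
"""Password verification and rehash-on-login decision.

Added illustration, not Keycloak's code. Mirrors the CREDENTIAL columns seen in
the thread (ALGORITHM, HASH_ITERATIONS, SALT, VALUE). Assumed: VALUE is base64
of a 64-byte PBKDF2 derived key and the legacy algorithm name "pbkdf2" means
PBKDF2-HMAC-SHA1. All sample values below are constructed.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

POLICY_ALGORITHM = "pbkdf2-sha256"   # ALGORITHM value shown in the thread's UPDATE
POLICY_ITERATIONS = 27500            # HASH_ITERATIONS value shown in the thread
DERIVED_KEY_BYTES = 64               # assumption: 512-bit derived key
_PRF = {"pbkdf2-sha256": "sha256", "pbkdf2": "sha1"}  # legacy mapping is an assumption


@dataclass(frozen=True)
class Credential:
    algorithm: str
    hash_iterations: int
    salt: bytes
    value: str  # base64 text, as stored in VALUE


def hash_password(password, algorithm=POLICY_ALGORITHM,
                  iterations=POLICY_ITERATIONS, salt=None):
    """Produce a credential row; uses a fresh 16-byte random salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(_PRF[algorithm], password.encode("utf-8"),
                             salt, iterations, dklen=DERIVED_KEY_BYTES)
    return Credential(algorithm, iterations, salt,
                      base64.b64encode(dk).decode("ascii"))


def verify_password(password, cred):
    """Recompute the key with the row's own algorithm/iterations/salt and compare in constant time."""
    prf = _PRF.get(cred.algorithm)
    if prf is None:
        return False                       # unknown algorithm: never accept
    stored = base64.b64decode(cred.value)
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), cred.salt,
                             cred.hash_iterations, dklen=len(stored))
    return hmac.compare_digest(dk, stored)


def needs_rehash(cred):
    """True only when the stored row lags the policy; a migrated row returns False."""
    return (cred.algorithm != POLICY_ALGORITHM
            or cred.hash_iterations != POLICY_ITERATIONS)


def login(password, cred):
    """Return (ok, replacement_row); replacement_row is None when no UPDATE is needed.

    The plaintext is only available during login, so this is the one moment a
    rehash can happen. Once the row matches the policy, repeated logins (such as
    a readiness probe every 10 seconds) must not write to CREDENTIAL again.
    """
    if not verify_password(password, cred):
        return False, None
    if needs_rehash(cred):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed legacy row: old algorithm name and a lower iteration count.
    legacy = hash_password("correct horse", algorithm="pbkdf2", iterations=20000)
    ok, migrated = login("correct horse", legacy)
    print(ok, migrated.algorithm, migrated.hash_iterations)   # True pbkdf2-sha256 27500
    print(login("correct horse", migrated))                   # (True, None)
    print(login("wrong", migrated))                           # (False, None)
```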
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 10 Aug 2017 08:53:23 -0300
Subject: [keycloak-user] token introspection
In-Reply-To:
References: <33a71c1b-bd49-e697-eddf-b59e213f2565@redhat.com> <1839453359.1966941.1502209074630@mail.yahoo.com>
Message-ID:

No, we don't. Like Bill said, you don't really need it. Basically, what we support is described in docs [1].

[1] http://www.keycloak.org/docs/3.1/authorization_services/topics/enforcer/keycloak-enforcement-filter.html

On Thu, Aug 10, 2017 at 6:11 AM, Simon Payne wrote:
> do we have token introspection implemented in any of the client adapters (other than spring boot)?
>
> thanks
>
> On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne wrote:
> > thanks Pedro,
> >
> > however, i think our use cases are not exactly the same. it appears your component is set to allow authentication of user where mine is bearer only.
> >
> > the only other differences i can see between our projects is that i am running gradle with keycloak 3.2.0 and that i have also added compile('org.keycloak:keycloak-authz-client:3.2.0.CR1')
> >
> > Lucian, i don't have a project which i can share at the moment as other code is included, if you would still like to see something i can make a shareable version.
> >
> > Thanks
> >
> > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva wrote:
> >> Hey Lucian, we have this https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
> >>
> >> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote:
> >>> Simon,
> >>> Do you have a demo app with that? I am just curious to see a spring(boot) app with authorizations... I remember that I tried something with authorizations, and the authorization context was null (I know there are some Jira issues about it), but I still could not get it to work in 2.5.5
> >>> AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
> >>> Thanks, Lucian
> >>>
> >>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <simonpayne58 at gmail.com> wrote:
> >>>
> >>> yes correct.
> >>>
> >>> there is a definite change in behavior with the addition of the keycloak.policy-enforcer-config.online-introspection=true flag, as without this single line in my property file it works correctly as a bearer only resource server. Addition of this line results in the incorrect call to the token exchange endpoint.
> >>>
> >>> thanks
> >>>
> >>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote:
> >>> > Doesn't look like the switch is hooked up to anything. As it is, it looks like this switch was added for RPT validation, not access token validation, and not ever implemented. You just want the adapter to validate the access token with the auth server for bearer token requests, right?
> >>> >
> >>> > On 8/8/17 9:29 AM, Bill Burke wrote:
> >>> > > I'm looking at the code on server and I don't see that it requires any special switch to use it. The endpoint is:
> >>> > >
> >>> > > @Post
> >>> > >
> >>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> >>> > >
> >>> > > Takes form params.
> >>> > >
> >>> > > token
> >>> > >
> >>> > > token_type_hint (optional and defaults to "access_token")
> >>> > >
> >>> > > On 8/8/17 4:31 AM, Simon Payne wrote:
> >>> > >> after some debugging i figured that keycloak.policy-enforcer-config.online-introspection=true switched on this functionality, however it appears to error on a 400 after making a call to the /auth/realms/master/protocol/openid-connect/token endpoint.
> >>> > >>
> >>> > >> I'm assuming this is a bug?
> >>> > >>
> >>> > >> Thanks
> >>> > >>
> >>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> >>> > >>> Hi All,
> >>> > >>>
> >>> > >>> I'm evaluating keycloak and i'm currently looking at token introspection.
> >>> > >>>
> >>> > >>> I've managed to achieve this manually, i.e. by sending a post via postman, but i'm unable to figure out whether this can be achieved via the keycloak adapters, specifically spring boot.
> >>> > >>>
> >>> > >>> any help in this area would be appreciated.
> >>> > >>>
> >>> > >>> thanks
> >>> > >>>
> >>> > >>> Simon.
> >>> > >>>
> >>> > >> _______________________________________________
> >>> > >> keycloak-user mailing list
> >>> > >> keycloak-user at lists.jboss.org
> >>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>> >
> >>>
> >>
> >
>
From hmlnarik at redhat.com Thu Aug 10 08:32:50 2017
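The quoted thread above describes the server-side introspection endpoint (POST /auth/realms/{realm}/protocol/openid-connect/token/introspect with a "token" form parameter) and asks how a bearer token can be validated outside the adapters. What follows is an added example, not Keycloak project code, showing the other route, which needs no round-trip to the server: checking a Keycloak-issued RS256 access token locally with only the JDK. The realm key pair, the issuer URL, the "current time" and the claims are constructed stand-ins generated inside the program; against a real server the public key would come from the realm's JWKS endpoint (/auth/realms/{realm}/protocol/openid-connect/certs), selected by the token's "kid" header.

```java
import static java.nio.charset.StandardCharsets.US_ASCII;
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Offline check of a Keycloak-style RS256 access token using only the JDK (added example, not Keycloak code). */
public class LocalTokenCheck {

    /** Outcome of a check: accepted with the email claim, or rejected with a reason. */
    public static final class Result {
        public final boolean valid;
        public final String detail;   // "ok" or the rejection reason
        public final String email;    // null unless valid
        Result(boolean valid, String detail, String email) {
            this.valid = valid; this.detail = detail; this.email = email;
        }
        static Result reject(String why) { return new Result(false, why, null); }
    }

    /**
     * realmKey is the realm's RSA signing key. Keycloak publishes it as JWKS at
     * {server}/auth/realms/{realm}/protocol/openid-connect/certs; here it is passed in
     * directly so the example runs without a server.
     */
    public static Result validate(String token, PublicKey realmKey, String expectedIssuer, long nowSeconds) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return Result.reject("not a three-part compact JWS");
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            String header = new String(dec.decode(parts[0]), UTF_8);
            String payload = new String(dec.decode(parts[1]), UTF_8);
            byte[] signature = dec.decode(parts[2]);

            // 1. Pin the algorithm on the verifier's side. A token whose header claims
            //    "none" or an HMAC algorithm is rejected before anything else is looked at.
            if (!"RS256".equals(stringClaim(header, "alg"))) return Result.reject("alg is not RS256");

            // 2. The signature covers the exact ASCII bytes "<header>.<payload>".
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(realmKey);
            verifier.update((parts[0] + "." + parts[1]).getBytes(US_ASCII));
            if (!verifier.verify(signature)) return Result.reject("signature does not verify");

            // 3. Only once the signature holds do the claims mean anything.
            if (!expectedIssuer.equals(stringClaim(payload, "iss"))) return Result.reject("unexpected issuer");
            Long exp = numberClaim(payload, "exp");
            if (exp == null || exp <= nowSeconds) return Result.reject("token expired or has no exp");

            return new Result(true, "ok", stringClaim(payload, "email"));
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return Result.reject("malformed token: " + e.getMessage());
        }
    }

    // Minimal claim lookup for flat JSON objects; production code should use a real JSON parser.
    static String stringClaim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static Long numberClaim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(\\d+)").matcher(json);
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    /** Mints a token the way the realm would; used here only to build the constructed sample. */
    static String mint(String payloadJson, PrivateKey realmKey) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String signingInput = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(UTF_8))
                + "." + enc.encodeToString(payloadJson.getBytes(UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(realmKey);
        signer.update(signingInput.getBytes(US_ASCII));
        return signingInput + "." + enc.encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the realm key pair, realm URL and clock; not real values.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();
        String issuer = "https://sso.example.test/auth/realms/demo";
        long now = 1502352000L;  // epoch seconds

        String claims = "{\"iss\":\"" + issuer + "\",\"sub\":\"1234\",\"exp\":" + (now + 300)
                + ",\"email\":\"alice@example.test\"}";
        String good = mint(claims, realm.getPrivate());
        Result r = validate(good, realm.getPublic(), issuer, now);
        System.out.println(r.valid + " " + r.detail + " email=" + r.email);

        // Any edit to the payload (here a different email) breaks the signature check.
        String[] p = good.split("\\.");
        String edited = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(claims.replace("alice@", "mallory@").getBytes(UTF_8));
        Result tampered = validate(p[0] + "." + edited + "." + p[2], realm.getPublic(), issuer, now);
        System.out.println(tampered.valid + " " + tampered.detail);

        // A correctly signed but expired token is rejected by the claim checks.
        Result expired = validate(good, realm.getPublic(), issuer, now + 600);
        System.out.println(expired.valid + " " + expired.detail);
    }
}
```

Compile and run with "javac LocalTokenCheck.java && java LocalTokenCheck". The order of the checks is the point: the verifier pins the algorithm and verifies the signature before any claim is read, so a token whose header says "none" or whose payload was edited never reaches the claim logic. The regex claim lookup is only adequate for the flat claims used here; real code should use a JSON library and also compare the audience ("aud"/"azp") with the client it expects. A local check cannot see revocation, so the introspection endpoint quoted above remains the right tool when a token may have been invalidated before its "exp".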
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 10 Aug 2017 14:32:50 +0200
Subject: [keycloak-user] JGroups failure: failed submitting DONT_BUNDLE message to thread pool
In-Reply-To: <57b8d08c-0f76-20b4-0ed8-2217768675db@simacan.com>
References: <57b8d08c-0f76-20b4-0ed8-2217768675db@simacan.com>
Message-ID:

You seem to be facing https://issues.jboss.org/browse/WFLY-6179. Once keycloak updates to WF 10.1/11.x, this issue should be resolved.

On Wed, Aug 9, 2017 at 1:32 PM, Edwin de Jong wrote:
> Dear Keycloak users (and devs),
>
> This morning, we faced a production level issue on our Keycloak Cluster, running in a 3-node formation on EC2. Symptoms were a high failure rate of requests (> 20%) and high latency (> 10 seconds). We are currently trying to figure out what went wrong. We would appreciate it if someone with knowledge of JGroups / Infinispan could chime in with a working hypothesis.
>
> About priority: we are currently running nominally. We have brought down two of the instances and brought up two new instances. The cluster is working again as expected.
>
> Below I'll give information about our setup, the relevant log-messages and links to some screenshots of our monitoring:
>
> EC2 instances are C4.Large (3x)
> Keycloak Version 3.1.0-FINAL
>
> Normal CPU usage is around 1% or less. It peaked to 16% during the incident.
> Memory usage is normal.
>
> Screenshots:
>
> - datadog statistics of our services calling keycloak: https://ibb.co/dsDTKv
> - AWS EC2 instance Cloudwatch statistics: network out rate (in bytes per MINUTE): https://ibb.co/j8jhCF
> - AWS EC2 instance Cloudwatch statistics: network in rate (in bytes per MINUTE): https://ibb.co/ggLuRa
>
> Log lines, just before failure (to help reduce clutter, I've removed the date and replaced the IP addresses with "IP-A", "IP-B", "IP-C"). The last message is repeated around 500.000 times in the span of around 1 minute.
>
> ---------------------->%-----------------------
> 05:09:23,925 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,928 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,991 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
> 05:09:23,996 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> 05:09:24,001 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> 05:09:24,004 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> 05:09:24,014 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> 05:09:24,027 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 6
> 05:09:24,028 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 6
> 05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 6
> 05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t132) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 6
> 05:09:33,567 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,573 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,575 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,521 WARN [org.jgroups.protocols.pbcast.NAKACK] (Incoming-19,ee,ip-B) JGRP000011: ip-B: dropped message 54375 from non-member ip-C (view=[ip-A|3] (2) [ip-A, ip-B]) Warning
> 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,530 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,533 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,518 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> 05:09:33,577 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> 05:09:33,579 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> 05:09:33,580 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> 05:09:33,582 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t15) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> 05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 10
> 05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 10
> 05:09:33,590 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 10
> 05:09:33,601 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t133) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 10
> 05:09:34,001 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler@17c86a0c rejected from java.util.concurrent.ThreadPoolExecutor@52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589693]. Msg: RequestCorrelator: id=200, type=REQ, id=607, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=206], TCP: [cluster_name=ee] ERROR
> 05:09:34,010 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler@4fec3655 rejected from java.util.concurrent.ThreadPoolExecutor@52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589694]. Msg: RequestCorrelator: id=200, type=REQ, id=609, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=208], TCP: [cluster_name=ee] ERROR
>
> (last line repeated many, many times)
> ---------------------->%-----------------------
>
> Infinispan subsystem configuration in standalone-ha.xml:
>
> ---------------------->%-----------------------
> default-cache="default" module="org.wildfly.clustering.server">
> module="org.wildfly.clustering.web.infinispan">
> owners="2">
> module="org.wildfly.clustering.ejb.infinispan">
> owners="2">
> module="org.hibernate.infinispan">
> ---------------------->%-----------------------
>
> JGroups subsystem configuration:
>
> ---------------------->%-----------------------
> S3AccessKey
> S3SecretAccessKey
> S3PingBucketName
> ---------------------->%-----------------------
>
> with kind regards,
>
> Edwin de Jong
>
> --
> Simacan B.V. Data Engineer
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek
From Harshad.Keluskar at Criti.in Thu Aug 10 09:16:39 2017
From: Harshad.Keluskar at Criti.in (Harshad Keluskar)
Date: Thu, 10 Aug 2017 13:16:39 +0000
Subject: [keycloak-user] Error: [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator]
Message-ID: <0f3e3a7e5b2b4db79f3c10d0e22bba73@CRITIMAIL.creativeit.in>

We have three servers with the services listed below.

* Keycloak for IDP
* Apereo CAS for Delegate Authentication
* Liferay CE7 for portals

We followed and configured all steps suggested for the respective tools / applications, and configured authorized SSL certificates (from GoDaddy) for the above mentioned servers.

Liferay authenticates against CAS using the CAS protocol. CAS delegates authentication to keycloak using OpenID Connect.

I'm getting an error while trying to check the whole workflow. Please see below for more details and the error.

When I tap on "Sign IN" on the Liferay portal, it redirects me to the keycloak authentication page via CAS (Auth Delegation), and after entering valid credentials in the keycloak page it produces the error in the CAS logs mentioned below:

> 2017-08-09 18:29:30,906 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - response successful
> 2017-08-09 18:29:30,906 WARN [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - Defaulting to: private_key_jwt

And I got this error message on the browser screen:

> "Unauthorized Access Either the authentication request was rejected/cancelled, or the authentication provider denied access due to permissions, etc. Review logs to find the root cause of the issue."

It would be great if you could help me get this resolved.

Thanks,
Harshad.
From nirmal.hbti at gmail.com Thu Aug 10 09:23:31 2017
From: nirmal.hbti at gmail.com (NiRmAl KuMaR)
Date: Thu, 10 Aug 2017 18:53:31 +0530
Subject: [keycloak-user] Keycloak vulnerabilities reported via OWASP Dependency Check
Message-ID:

Hi Keycloak,

We have been playing around with Keycloak for some time now and found it to be a wonderful product. As the next step we were planning to use it on our production systems but came across the following vulnerabilities (gathered from the OWASP Dependency Check tool). These vulnerabilities are now stopping us from adopting and using Keycloak as our SSO solution. I did not find any JIRA addressing this problem. Can you please let us know if these concerns were raised earlier too, or any other path that can help us in mitigating the problem?

Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count
jackson-annotations-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-annotations:2.5.4 | Medium | 1 | LOW | 25
jackson-core-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-core:2.5.4 | Medium | 1 | LOW | 25
jackson-databind-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-databind:2.5.4 | Medium | 1 | LOW | 25
jackson-jaxrs-base-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.5.4 | High | 2 | LOW | 24
netty-all-4.0.32.Final.jar | cpe:/a:netty_project:netty:4.0.32 | io.netty:netty-all:4.0.32.Final | High | 1 | HIGHEST | 14
undertow-js-1.0.1.Final.jar | cpe:/a:redhat:undertow:1.0.1 | io.undertow.js:undertow-js:1.0.1.Final | Medium | 1 | LOW | 20
cdi-api-1.2.jar | cpe:/a:redhat:jboss_weld:1.2 | javax.enterprise:cdi-api:1.2 | Medium | 1 | LOW | 23
openjdk-orb-8.0.5.Final.jar | cpe:/a:oracle:openjdk:8.0.5 | org.jboss.openjdk-orb:openjdk-orb:8.0.5.Final | Low | 1 | LOW | 19
cxf-services-sts-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf.services.sts:cxf-services-sts-core:3.1.4 | Medium | 3 | LOW | 22
cxf-xjc-dv-3.0.5.jar | cpe:/a:apache:cxf:3.0.5 | org.apache.cxf.xjcplugins:cxf-xjc-dv:3.0.5 | Medium | 4 | LOW | 18
cxf-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf:cxf-core:3.1.4 | Medium | 3 | LOW | 22
proton-j-0.8.jar | cpe:/a:apache:qpid:0.8, cpe:/a:apache:qpid_proton:0.8.0 | org.apache.qpid:proton-j:0.8 | Medium | 10 | HIGHEST | 17
xalan-2.7.1.jbossorg-2.jar | cpe:/a:apache:xalan-java:2.7.1 | | High | 1 | HIGHEST | 29
jackson-core-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-core-asl:1.9.13 | High | 2 | LOW | 22
jackson-jaxrs-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-jaxrs:1.9.13 | High | 2 | LOW | 21
jackson-mapper-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-mapper-asl:1.9.13 | High | 2 | LOW | 21
jackson-xc-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-xc:1.9.13 | High | 2 | LOW | 21
wildfly-clustering-jgroups-extension-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-extension:10.0.0.Final | High | 1 | LOW | 21
mod_cluster-container-spi-1.3.1.Final.jar | cpe:/a:redhat:mod_cluster:1.3.1 | org.jboss.mod_cluster:mod_cluster-container-spi:1.3.1.Final | Medium | 1 | HIGHEST | 18
mod_cluster-core-1.3.1.Final.jar | cpe:/a:redhat:mod_cluster:1.3.1 | org.jboss.mod_cluster:mod_cluster-core:1.3.1.Final | Medium | 1 | HIGHEST | 18
jose-jwt-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:jose-jwt:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-atom-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-atom-provider:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-cdi-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-cdi:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-crypto-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-crypto:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-jackson-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jackson-provider:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-jackson2-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jackson2-provider:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-jaxb-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jaxb-provider:3.0.14.Final | Medium | 4 | LOW | 20
async-http-servlet-3.0-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:async-http-servlet-3.0:3.0.14.Final | Medium | 4 | LOW | 19
resteasy-jaxrs-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jaxrs:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-jettison-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jettison-provider:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-jsapi-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jsapi:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-json-p-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-json-p-provider:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-multipart-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-multipart-provider:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-spring-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-spring:3.0.14.Final | Medium | 4 | LOW | 20
resteasy-validator-provider-11-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-validator-provider-11:3.0.14.Final | Medium | 4 | LOW | 21
resteasy-yaml-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-yaml-provider:3.0.14.Final | Medium | 4 | LOW | 20
jaxws-undertow-httpspi-1.0.1.Final.jar | cpe:/a:redhat:undertow:1.0.1 | org.jboss.ws.projects:jaxws-undertow-httpspi:1.0.1.Final | Medium | 1 | LOW | 15
picketlink-common-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-common:2.5.5.SP1 | Medium | 3 | LOW | 14
picketlink-config-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-config:2.5.5.SP1 | Medium | 3 | LOW | 11
picketlink-api-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-api:2.5.5.SP1 | Medium | 3 | LOW | 14
picketlink-impl-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-impl:2.5.5.SP1 | Medium | 3 | LOW | 13
picketlink-wildfly8-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink.distribution:picketlink-wildfly8:2.5.5.SP1 | Medium | 3 | LOW | 22
picketlink-federation-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-federation:2.5.5.SP1 | Medium | 3 | LOW | 17
picketlink-idm-api-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-api:2.5.5.SP1 | Medium | 3 | LOW | 13
picketlink-idm-impl-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-impl:2.5.5.SP1 | Medium | 3 | LOW | 14
picketlink-idm-simple-schema-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-simple-schema:2.5.5.SP1 | Medium | 3 | LOW | 15
wildfly-clustering-jgroups-api-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-api:10.0.0.Final | High | 1 | LOW | 18
wildfly-clustering-jgroups-spi-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-spi:10.0.0.Final | High | 1 | LOW | 18
wildfly-iiop-openjdk-10.0.0.Final.jar | cpe:/a:oracle:openjdk:10.0.0 | org.wildfly:wildfly-iiop-openjdk:10.0.0.Final | Low | 1 | LOW | 18
wildfly-jberet-10.0.0.Final.jar | cpe:/a:redhat:jboss_wildfly_application_server:10.0.0 | org.wildfly:wildfly-jberet:10.0.0.Final | Medium | 3 | HIGHEST | 19
keycloak-authz-policy-drools-3.2.1.Final.jar | cpe:/a:redhat:drools:3.2.1 | org.keycloak:keycloak-authz-policy-drools:3.2.1.Final | High | 1 | LOW | 18

Many Thanks,
-Nirmal
From douglas.drouillard at gmail.com Thu Aug 10 09:45:17 2017
From: douglas.drouillard at gmail.com (Doug Drouillard) Date: Thu, 10 Aug 2017 09:45:17 -0400 Subject: [keycloak-user] token introspection Message-ID: You don't necessarily 'need' it, but it makes the project an order of magnitude more complicated to understand. The adapters are magic, but if we aren't already familiar with something like Spring, then we really have no way to fully understand what is going on. The other adapters such as undertow as equally as intense. We don't need to understand all infrastructure of course, but given there is an integration into an existing workflow it makes it hard to use. I would contribute a simple / clean Java example but I am still not sure what that would even mean. Most threads I see around inspection say just use XXX and don't worry. But I have found that to be dubious. The aerogear team used using a Auth0 JWT inspection library which seems like it is working. The project is very well documented and there are tons of examples, but I see every 2 weeks or so someone asks about token introspection as they are trying to learn the best way to use Keycloak and basically get 3 responses in until they get a 'dont worry about it' response, which really doesn't help as it is rare to solve a more complicated problem without understanding the basic problem. We get the fear of missing using token inspection, but it sucks as a user not to be able to get a clear example of 'Here is how you used to do it with manually token inspection, now compare to the adapters' as opposed to 'read this intense doc and just simply integrate this adapter which you don't understand' which has been what I have personally seen in digging through 3 years of emails. Or the even better - "just google for industry best practices on token inspection and use the existing libraries". 
For you on the team it probably seems like such a trivial use case not even worth mentioning but if you are new to Oauth/Keycloak/JWT and adapters, a simple use case even if it was absolutely evil and going to cause WW3 would be useful. Even as a blog post. The use case is, I use keycloak to do a social sign-in, I get the token back, using only self-contained Java (so calling libraries but not using any json configs or adapters), how would I inspect the token to pull out the email address and verify that token is still valid and actually came from my keycloak server instead of being spoofed? I know this is what adapters/json configs do for you (at least in theory, I never got adapters to work), and there are existing libraries, but an all in one laid out example direct from keycloak team would be awesome! On Thu, Aug 10, 2017 at 8:58 AM, wrote: > Send keycloak-user mailing list submissions to > keycloak-user at lists.jboss.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user > or, via email, send a message with subject or body 'help' to > keycloak-user-request at lists.jboss.org > > You can reach the person managing the list at > keycloak-user-owner at lists.jboss.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Re: DB deadlock for concurrent logins (Vikrant Singh) > 2. Re: token introspection (Pedro Igor Silva) > 3. Re: JGroups failure: failed submitting DONT_BUNDLE message to > thread pool (Hynek Mlnarik) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 10 Aug 2017 17:06:33 +0530 
> From: Vikrant Singh
> Subject: Re: [keycloak-user] DB deadlock for concurrent logins
>
> Yes, but password migration should only be happening during first login. I
> have checked the CREDENTIAL table in DB and user have already migrated to
> new hashing algorithm and no of iterations, but still keycloak is trying to
> run Update query for each login attempt.
>
> -Vikrant
>
> On Thu, Aug 10, 2017 at 4:18 PM, wrote:
> >
> > I believe that the default hashing algorithm has changed to SHA-256 as
> > SHA-1 was recently in the news for being able to create hash
> > collisions. Because of this change, each login will update the password
> > hash stored with the 1st login of the user.
> >
> > Not sure why MariaDB would deadlock. Don't know enough about how that
> > database performs locks. It is trying to update a foreign key that has
> > an index associated with it. Maybe that has something to do with it.
> >
> > On 8/9/17 5:35 PM, Vikrant Singh wrote:
> > > Hi,
> > >
> > > I am Running Keycloak 3.2.1.Final on openshift platform with MariaDB 10.2.7
> > > for DB, recently upgraded from 3.1.0.Final.
> > >
> > > Deployment is consist of 3 keycloak servers along with 3 DB instances. As
> > > part of kubernetes readiness check, a token is requested for a local user in
> > > master realm every 10 sec. The concurrent token request for same user is
> > > causing the deadlock exception in DB. Following is the exception being
> > > logged in keycloak.
> > >
> > > Caused by: java.sql.SQLException: Deadlock found when trying to get
> > > lock; try restarting transaction
> > >
> > > Query is: select userentity0_.ID as ID1_71_,
> > > userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as
> > > EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_,
> > > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as
> > > ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_,
> > > userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as
> > > LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_,
> > > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_,
> > > userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_
> > > where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters
> > > ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master']
> > >
> > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
> > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
> > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
> > > ... 76 more
> > >
> > > Caused by: java.sql.SQLException: Lock wait timeout exceeded; try
> > > restarting transaction
> > >
> > > Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?,
> > > CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?,
> > > SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters
> > > ['pbkdf2-sha256',0,1501750736628,,0,27500,0,.??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919']
> > >
> > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
> > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
> > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
> > > ... 78 more
> > >
> > > Why keycloak is trying to update the user credential for every login.
> > > and why is deadlock occurring? Any help truly appreciated.
> > >
> > > Thanks,
> > >
> > > Vikrant
>
> ------------------------------
>
> Message: 2
> Date: Thu, 10 Aug 2017 08:53:23 -0300
> From: Pedro Igor Silva
> Subject: Re: [keycloak-user] token introspection
> To: Simon Payne
> Cc: keycloak-user
>
> No, we don't. Like Bill said, you don't really need it. Basically, what we
> support is described in docs [1].
>
> [1] http://www.keycloak.org/docs/3.1/authorization_services/topics/enforcer/keycloak-enforcement-filter.html
>
> On Thu, Aug 10, 2017 at 6:11 AM, Simon Payne wrote:
> > do we have token introspection implemented in any of the client adapters
> > (other than spring boot)?
> >
> > thanks
> >
> > On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne wrote:
> > > thanks Pedro,
> > >
> > > however, i think our use cases are not exactly the same. it appears your
> > > component is set to allow authentication of user where mine is bearer only.
> > >
> > > the only other differences i can see between our projects is that i am
> > > running gradle with keycloak 3.2.0 and that i have also added
> > > compile('org.keycloak:keycloak-authz-client:3.2.0.CR1')
> > >
> > > Lucian, i don't have a project which i can share at the moment as other
> > > code is included, if you would still like to see something i can make a
> > > shareable version.
> > >
> > > Thanks
> > >
> > > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva wrote:
> > > > Hey Lucian, we have this
> > > > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
> > > >
> > > > On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote:
> > > > > Simon,
> > > > > Do you have a demo app with that? I am just curious to see a
> > > > > spring(boot) app with authorizations... I remember that I tried something
> > > > > with authorizations, and the authorization context was null (I know there
> > > > > are some Jira issues about it), but I still could not get it to work in
> > > > > 2.5.5
> > > > > AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
> > > > > Thanks, Lucian
> > > > >
> > > > > On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <simonpayne58 at gmail.com> wrote:
> > > > >
> > > > > yes correct.
> > > > >
> > > > > there is a definite change in behavior with the addition of the
> > > > > keycloak.policy-enforcer-config.online-introspection=true flag, as without
> > > > > this single line in my property file it works correctly as a bearer only
> > > > > resource server. Addition of this line results in the incorrect call to
> > > > > token exchange endpoint.
> > > > >
> > > > > thanks
> > > > >
> > > > > On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote:
> > > > > > Doesn't look like the switch is hooked up to anything. As it is, it
> > > > > > looks like this switch was added for RPT validation, not access token
> > > > > > validation, and not ever implemented. You just want the adapter to
> > > > > > validate the access token with the auth server for bearer token
> > > > > > requests, right?
> > > > > >
> > > > > > On 8/8/17 9:29 AM, Bill Burke wrote:
> > > > > > > I'm looking at the code on server and I don't see that it requires any
> > > > > > > special switch to use it. The endpoint is:
> > > > > > >
> > > > > > > @Post
> > > > > > >
> > > > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> > > > > > >
> > > > > > > Takes form params.
> > > > > > >
> > > > > > > token
> > > > > > >
> > > > > > > token_type_hint (optional and defaults to "access_token")
> > > > > > >
> > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote:
> > > > > > > > after some debugging i figured that
> > > > > > > > keycloak.policy-enforcer-config.online-introspection=true switched on this
> > > > > > > > functionality, however it appears to error on a 400 after making a call to
> > > > > > > > the /auth/realms/master/protocol/openid-connect/token endpoint.
> > > > > > > >
> > > > > > > > I'm assuming this is a bug?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > I'm evaluating keycloak and i'm currently looking at token introspection.
> > > > > > > > >
> > > > > > > > > I've managed to achieve this manually, i.e. by sending a post via postman,
> > > > > > > > > but i'm unable to figure out whether this can be achieved via the keycloak
> > > > > > > > > adapters, specifically spring boot.
> > > > > > > > >
> > > > > > > > > any help in this area would be appreciated.
> > > > > > > > >
> > > > > > > > > thanks
> > > > > > > > >
> > > > > > > > > Simon.
>
> ------------------------------
>
> Message: 3
> Date: Thu, 10 Aug 2017 14:32:50 +0200
> From: Hynek Mlnarik
> Subject: Re: [keycloak-user] JGroups failure: failed submitting DONT_BUNDLE message to thread pool
> To: Edwin de Jong
> Cc: keycloak-user
>
> You seem to be facing https://issues.jboss.org/browse/WFLY-6179. Once
> keycloak updates to WF 10.1/11.x, this issue should be resolved.
>
> On Wed, Aug 9, 2017 at 1:32 PM, Edwin de Jong wrote:
> > Dear Keycloak users (and devs),
> >
> > This morning, we faced a production level issue on our Keycloak Cluster,
> > running in a 3-node formation on EC2. Symptoms were a high failure rate
> > of requests (> 20%) and high latency (> 10 seconds). We are currently
> > trying to figure out what went wrong. We would appreciate it if someone
> > with knowledge of JGroups / Infinispan could chime in with a working
> > hypothesis.
> >
> > About priority: we are currently running nominally. We have brought down
> > two of the instances and brought up two new instances. The cluster is
> > working again as expected.
> >
> > Below I'll give information about our setup, the relevant log messages
> > and links to some screenshots of our monitoring:
> >
> > EC2 instances are C4.Large (3x)
> > Keycloak Version 3.1.0-FINAL
> >
> > Normal CPU usage is around 1% or less. It peaked to 16% during the incident.
> > Memory usage is normal.
> >
> > Screenshots:
> >
> > - datadog statistics of our services calling keycloak: https://ibb.co/dsDTKv
> > - AWS EC2 instance Cloudwatch statistics: network out rate (in bytes per MINUTE): https://ibb.co/j8jhCF
> > - AWS EC2 instance Cloudwatch statistics: network in rate (in bytes per MINUTE): https://ibb.co/ggLuRa
> >
> > Log lines, just before failure (to help reduce clutter, I've removed the
> > date and replaced the IP addresses with "IP-A", "IP-B", "IP-C"). The
> > last message is repeated around 500.000 times in the span of around 1
> > minute.
> > ---------------------->%-----------------------
> > 05:09:34,001 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler at 17c86a0c rejected from java.util.concurrent.ThreadPoolExecutor at 52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589693]. Msg: RequestCorrelator: id=200, type=REQ, id=607, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=206], TCP: [cluster_name=ee] ERROR
> > 05:09:34,010 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler at 4fec3655 rejected from java.util.concurrent.ThreadPoolExecutor at 52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589694]. Msg: RequestCorrelator: id=200, type=REQ, id=609, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=208], TCP: [cluster_name=ee] ERROR
> >
> > (last line repeated many, many times)
> > ---------------------->%-----------------------
> >
> > Infinispan subsystem configuration in standalone-ha.xml:
> >
> > ---------------------->%-----------------------
> > ---------------------->%-----------------------
> >
> > JGroups subsystem configuration:
> >
> > ---------------------->%-----------------------
> > ---------------------->%-----------------------
> >
> > with kind regards,
> >
> > Edwin de Jong
> >
> > --
> > Simacan B.V.
> > Data Engineer
>
> --
> --Hynek
>
> ------------------------------
>
> End of keycloak-user Digest, Vol 44, Issue 23
> *********************************************

From Anton.Arntz at planonsoftware.com Thu Aug 10 10:00:44 2017
From: Anton.Arntz at planonsoftware.com (Anton Arntz)
Date: Thu, 10 Aug 2017 14:00:44 +0000
Subject: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
References: <3043eb42-366e-6e9a-eb7c-2fc1fcacc8d4@redhat.com>

Yes, SAML is used for accessing ADFS. The ADFS/Domain manager of our customer is troubleshooting on their end. The KeyCloak source is trusted; in fact it seems to be one of their users causing this issue. For the rest of the users this setup works fine and it doesn't generate the redirect storm.

We didn't enable the debug logging yet since it's our production gear and that would fill up our gear really fast. I do believe if the customer can't find the issue on the ADFS end, we have no option left but to enable it so we can see the contents of the response.

The certificate KeyInfo is set to CERT_SUBJECT. I think we assisted the customer and used the guide you are referring to :) Thanks for writing it by the way.

-----Original Message-----
From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
Sent: Wednesday, 9 August 2017 15:45
To: Anton Arntz
Cc: Bill Burke; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive

I assume the protocol for accessing ADFS is SAML, is that correct? Can anything relevant be found in the ADFS Event log? Is the Keycloak source trusted? What is the content of the ADFS messages? If that is a SAML status response with an error code, what is the error code? You can view the content of SAML messages either in the browser (if frontchannel is used) or by raising the debug level in keycloak [1]. Is the certificate KeyInfo set correctly to CERT_SUBJECT?

[1] Troubleshooting section of http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html

On Wed, Aug 9, 2017 at 2:50 PM, Anton Arntz wrote:
> Correct, the first step is a redirect from KeyCloak to the ADFS server to authenticate the user.
> This initial redirect happens only once.
> After that we see more than 1000 requests hitting our KeyCloak URL with a redirect from that ADFS server and redirecting back to the ADFS server.
> I mean like this:
> KeyCloak -> ADFS
> ADFS -> KeyCloak
> KeyCloak -> ADFS
> ADFS -> KeyCloak
> KeyCloak -> ADFS
> ADFS -> KeyCloak
> We reached out to our customer to check if one of their users has a different cookie configuration in his/her browser.
> Best way forward seems to be to locate the storm generator first.
>
> -----Original Message-----
> From: Bill Burke [mailto:bburke at redhat.com]
> Sent: Tuesday, 8 August 2017 15:35
> To: Anton Arntz; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
>
> How can ADFS make requests to Keycloak? Wouldn't it be the other way around?
>
> On 8/8/17 4:53 AM, Anton Arntz wrote:
>> You are absolutely right, but at the time this was all the information I had and just wanted to check if anyone else had a similar experience.
>> We narrowed it down to 1 realm receiving a lot of requests. All the requests are originating from the customer's ADFS that fills up our log. It seems that those requests aren't even logged at the keycloak realm, but the "logout all sessions" button in the sessions part of the realm does stop the storm.
>> To answer your questions, customers didn't see the login page and keycloak didn't process HTTP requests anymore. KeyCloak is just one instance. I don't know the amount of database connections at that time. Will certainly look into those metrics next time.
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
>> Sent: Tuesday, 1 August 2017 16:31
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] KeyCloak 3.1.0 on OpenShift randomly unresponsive
>>
>> You'll need to narrow down the problem more. i.e. What does "can't login anymore" mean? Do customers still see login pages? Can Keycloak still receive and process HTTP requests? Or is there connection denied? Is Keycloak clustered? Or is it one instance? How many open database connections does the DB have?
>>
>> On 8/1/17 5:47 AM, Anton Arntz wrote:
>>> We are currently facing an issue on our production environment in which the KeyCloak server becomes unresponsive at (what still looks like) random.
>>> Tried to look into memory, cpu load and disk usage of the specific OpenShift gear and gone through all of the logs but nothing out of the ordinary could be found.
>>> Looks like the application continues to run and still keeps logging, but none of the customers (realms) is able to login anymore.
>>> Has anyone experienced the same with this KeyCloak version?
>>>
>>> Kind regards,
>>> Anton Arntz

--
--Hynek

From mposolda at redhat.com Thu Aug 10 10:18:51 2017
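The self-contained Java case asked for in the reply to the digest above (read a Keycloak token, pull out the email, and confirm it is unexpired and really signed by your own realm), as an added example that is neither the Keycloak project's code nor any poster's. It assumes jackson-databind on the classpath, a placeholder realm URL, and the hypothetical names KeycloakTokenCheck and verify; the realm public key is assumed to be the base64 string the admin console shows for the realm.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example, not Keycloak project code: verify a Keycloak RS256 access token with
 * the JDK plus Jackson and only then read its "email" claim. Assumed inputs: realmPubKey
 * is the base64 public key shown for the realm in the admin console (Keycloak 3.x also
 * serves it as "public_key" from GET /auth/realms/{realm}); expectedIss is the realm URL.
 */
public final class KeycloakTokenCheck {

    private static final ObjectMapper JSON = new ObjectMapper();

    /** The claims the caller asked for, handed out only after every check passed. */
    public static final class Verified {
        public final String subject, email;
        Verified(String subject, String email) { this.subject = subject; this.email = email; }
    }

    public static Verified verify(String token, String realmPubKey, String expectedIss) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("not a compact JWS");
        Base64.Decoder b64 = Base64.getUrlDecoder(); // JDK decoder accepts the unpadded JWT parts

        // Pin the algorithm before trusting anything: the token must not get to choose "none",
        // or an HMAC alg that would be "verified" with the public realm key as the secret.
        JsonNode header = JSON.readTree(b64.decode(parts[0]));
        if (!"RS256".equals(header.path("alg").asText())) {
            throw new SecurityException("unexpected alg: " + header.path("alg").asText());
        }

        // RS256 signs the ASCII bytes of "<base64url header>.<base64url payload>".
        byte[] signedInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(realmPubKey)));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(signedInput);
        if (!sig.verify(b64.decode(parts[2]))) throw new SecurityException("bad signature");

        // Only a payload that verified against our realm key is worth parsing.
        JsonNode claims = JSON.readTree(b64.decode(parts[1]));
        if (!expectedIss.equals(claims.path("iss").asText())) {
            throw new SecurityException("issuer mismatch: " + claims.path("iss").asText());
        }
        long now = Instant.now().getEpochSecond();
        if (!claims.has("exp") || claims.get("exp").asLong() <= now) {
            throw new SecurityException("token expired or has no exp");
        }
        // A resource server should also compare "aud"/"azp" with its own client id here.
        String email = claims.hasNonNull("email") ? claims.get("email").asText() : null;
        return new Verified(claims.path("sub").asText(), email);
    }

    /** Stand-alone run: a throwaway key pair stands in for the realm key and mints one token. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String issuer = "https://sso.example.com/auth/realms/myrealm"; // constructed placeholder
        String realmPubKey = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());

        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(String.format(
                "{\"iss\":\"%s\",\"sub\":\"1234\",\"email\":\"alice@example.com\",\"exp\":%d}",
                issuer, Instant.now().getEpochSecond() + 300).getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String token = header + "." + payload + "." + enc.encodeToString(signer.sign());

        Verified v = verify(token, realmPubKey, issuer);
        System.out.println("verified sub=" + v.subject + " email=" + v.email);

        // Swapping in another payload while keeping the old signature must be rejected.
        String forgedPayload = enc.encodeToString(("{\"iss\":\"" + issuer
                + "\",\"email\":\"mallory@example.com\",\"exp\":9999999999}").getBytes(StandardCharsets.UTF_8));
        try {
            verify(header + "." + forgedPayload + "." + token.split("\\.")[2], realmPubKey, issuer);
            System.out.println("BUG: forged token accepted");
        } catch (SecurityException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }
    }
}
```

Keycloak rotates realm keys, so in production pick the key matching the token header's kid from /auth/realms/{realm}/protocol/openid-connect/certs instead of pinning one public key string.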
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 10 Aug 2017 16:18:51 +0200
Subject: [keycloak-user] DB deadlock for concurrent logins
Message-ID: <50b57451-12be-d377-fc60-0c296b0b5b03@redhat.com>

I did some investigation and found that you're right and we update the password on every login. I've created a JIRA for it: https://issues.jboss.org/browse/KEYCLOAK-5282 .

Fortunately there is a workaround. If you set up the password policy as described in the "Workaround" in KEYCLOAK-5282, the password won't be updated on every login. Note that you need to set "Hash Iterations" to some non-default value like 27600. If you keep the default 27500, it won't work due to the other bug: https://issues.jboss.org/browse/KEYCLOAK-5281

So hopefully after this, you won't see the issue anymore. Still, the concurrent update of the password probably should work without DB locking issues. So keeping the original JIRA you created open: https://issues.jboss.org/browse/KEYCLOAK-5272

Marek

On 10/08/17 13:36, Vikrant Singh wrote:
> Yes, but password migration should only be happening during first login. I
> have checked the CREDENTIAL table in DB and user have already migrated to
> new hashing algorithm and no of iterations, but still keycloak is trying to
> run Update query for each login attempt.
>
> -Vikrant
>
> On Thu, Aug 10, 2017 at 4:18 PM, wrote:
>>
>> I believe that the default hashing algorithm has changed to SHA-256 as
>> SHA-1 was recently in the news for being able to create hash
>> collisions. Because of this change, each login will update the password
>> hash stored with the 1st login of the user.
>>
>> Not sure why MariaDB would deadlock. Don't know enough about how that
>> database performs locks. It is trying to update a foreign key that has
>> an index associated with it. Maybe that has something to do with it.
>> >> >> >> On 8/9/17 5:35 PM, Vikrant Singh wrote: >>> Hi, >>> >>> I am Running Keycloak 3.2.1.Final on openshift platform with MariaDB >> 10.2.7 >>> for DB, recently upgraded from 3.1.0.Final. >>> >>> Deployment is consist of 3 keycloak servers along with 3 DB instances. As >>> part of kubernetes rediness check, a token is requested for a local user >> in >>> master realm every 10 sec. The concurrent token request for same user is >>> causing the deadlock exception in DB. Following is the exception being >>> logged in keycloak. >>> >>> >>> Caused by: java.sql.SQLException: Deadlock found when trying to get >>> lock; try restarting transaction >>> >>> Query is: select userentity0_.ID as ID1_71_, >>> userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as >>> EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, >>> userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as >>> ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_, >>> userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as >>> LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_, >>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_, >>> userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_ >>> where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters >>> ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master'] >>> >>> at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery( >> LogQueryTool.java:146) >>> at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol. >> executeQuery(AbstractQueryProtocol.java:221) >>> at org.mariadb.jdbc.MariaDbPreparedStatementClient >> .executeInternal(MariaDbPreparedStatementClient.java:218) >>> ... 76 more >>> >>> >>> Caused by: java.sql.SQLException: Lock wait timeout exceeded; try >>> restarting transaction >>> >>> Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?, >>> CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?, >>> SALT=?, TYPE=?, USER_ID=?, VALUE=? 
where ID=?, parameters >>> ['pbkdf2-sha256',0,1501750736628,,0,27500,0,>> .??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6',' >> Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/ >> 9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919'] >>> at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery( >> LogQueryTool.java:146) >>> at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol. >> executeQuery(AbstractQueryProtocol.java:221) >>> at org.mariadb.jdbc.MariaDbPreparedStatementClient >> .executeInternal(MariaDbPreparedStatementClient.java:218) >>> ... 78 more >>> >>> >>> Why keycloak is trying to update the user credential for every login. >>> and why is deadlock occurring? Any help truly appreciated. >>> >>> >>> Thanks, >>> >>> Vikrant >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vikrant02.work at gmail.com Thu Aug 10 10:41:33 2017 
From: vikrant02.work at gmail.com (Vikrant Singh)
Date: Thu, 10 Aug 2017 20:11:33 +0530
Subject: [keycloak-user] DB deadlock for concurrent logins
In-Reply-To: <50b57451-12be-d377-fc60-0c296b0b5b03@redhat.com>
References: <50b57451-12be-d377-fc60-0c296b0b5b03@redhat.com>
Message-ID:

Thanks a lot, will try the workaround and see if it helps.

On Thu, Aug 10, 2017 at 7:48 PM, Marek Posolda wrote:
> I did some investigation and found that you're right: we update the
> password on every login. I've created a JIRA for it:
> https://issues.jboss.org/browse/KEYCLOAK-5282 .
>
> Fortunately there is a workaround. If you set up the password policy as
> described in the "Workaround" in KEYCLOAK-5282, the password won't be
> updated on every login. Note that you need to set "Hash Iterations" to some
> non-default value like 27600. If you keep the default 27500, it won't work
> due to the other bug: https://issues.jboss.org/browse/KEYCLOAK-5281
>
> So hopefully after this you won't see the issue anymore. Still, the
> concurrent update of the password probably should work without DB locking
> issues, so I'm keeping the original JIRA you created open:
> https://issues.jboss.org/browse/KEYCLOAK-5272
>
> Marek
>
> On 10/08/17 13:36, Vikrant Singh wrote:
>> Yes, but password migration should only be happening during first login. I
>> have checked the CREDENTIAL table in DB and the user has already migrated to
>> the new hashing algorithm and number of iterations, but still keycloak is
>> trying to run the Update query for each login attempt.
>>
>> -Vikrant
>>
>> On Thu, Aug 10, 2017 at 4:18 PM, wrote:
>>>
>>> I believe that the default hashing algorithm has changed to SHA-256 as
>>> SHA-1 was recently in the news for being able to create hash
>>> collisions. Because of this change, each login will update the password
>>> hash stored with the 1st login of the user.
>>>
>>> Not sure why MariaDB would deadlock. Don't know enough about how that
>>> database performs locks. It is trying to update a foreign key that has
>>> an index associated with it. Maybe that has something to do with it.
>>>
>>> On 8/9/17 5:35 PM, Vikrant Singh wrote:
>>>> Hi,
>>>>
>>>> I am running Keycloak 3.2.1.Final on the OpenShift platform with MariaDB
>>>> 10.2.7 for DB, recently upgraded from 3.1.0.Final.
>>>>
>>>> The deployment consists of 3 keycloak servers along with 3 DB instances. As
>>>> part of the kubernetes readiness check, a token is requested for a local user
>>>> in the master realm every 10 sec. The concurrent token request for the same
>>>> user is causing the deadlock exception in DB. Following is the exception
>>>> being logged in keycloak.
>>>>
>>>> Caused by: java.sql.SQLException: Deadlock found when trying to get
>>>> lock; try restarting transaction
>>>>
>>>> Query is: select userentity0_.ID as ID1_71_,
>>>> userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as
>>>> EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_,
>>>> userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as
>>>> ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_,
>>>> userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as
>>>> LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_,
>>>> userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_,
>>>> userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_
>>>> where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters
>>>> ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master']
>>>>
>>>> at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
>>>> at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
>>>> at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
>>>> ... 76 more
>>>>
>>>> Caused by: java.sql.SQLException: Lock wait timeout exceeded; try
>>>> restarting transaction
>>>>
>>>> Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?,
>>>> CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?,
>>>> SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters
>>>> ['pbkdf2-sha256',0,1501750736628,,0,27500,0,.??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919']
>>>>
>>>> at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
>>>> at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
>>>> at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
>>>> ... 78 more
>>>>
>>>> Why is keycloak trying to update the user credential for every login,
>>>> and why is the deadlock occurring? Any help truly appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> Vikrant

From simonpayne58 at gmail.com Thu Aug 10 11:12:40 2017
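The rule Marek's reply implies (verify with the parameters stored on the credential; rewrite the row only when those parameters differ from the realm policy), written out as an added Python example. This is illustration code, not Keycloak's own implementation. The names Policy, Credential and login are this example's; the algorithm name, the 27500 default iteration count and the 64-byte derived key mirror what the UPDATE in the thread shows for Keycloak 3.2.1 (pbkdf2-sha256, 27500, an 88-character base64 VALUE).

```python
"""Added example, not Keycloak's code: verify-then-upgrade password handling
that leaves the CREDENTIAL row untouched when it already matches the policy."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Keycloak's provider ids map onto the PBKDF2 digest (assumption: only these two)
_DIGEST = {"pbkdf2-sha1": "sha1", "pbkdf2-sha256": "sha256"}


@dataclass(frozen=True)
class Policy:
    """Realm password policy; defaults mirror the values logged in the thread."""
    algorithm: str = "pbkdf2-sha256"
    hash_iterations: int = 27500


@dataclass(frozen=True)
class Credential:
    """One CREDENTIAL row: the parameters used at hash time travel with the hash."""
    algorithm: str
    hash_iterations: int
    salt: bytes
    value: str  # base64 of the 64-byte derived key (88 base64 characters)


def _derive(password: str, algorithm: str, iterations: int, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(_DIGEST[algorithm], password.encode(), salt, iterations, dklen=64)


def hash_password(password: str, policy: Policy, salt: Optional[bytes] = None) -> Credential:
    salt = salt if salt is not None else os.urandom(16)
    dk = _derive(password, policy.algorithm, policy.hash_iterations, salt)
    return Credential(policy.algorithm, policy.hash_iterations, salt,
                      base64.b64encode(dk).decode())


def verify(password: str, cred: Credential) -> bool:
    """Always hash with the credential's own parameters, never the policy's."""
    actual = _derive(password, cred.algorithm, cred.hash_iterations, cred.salt)
    return hmac.compare_digest(base64.b64decode(cred.value), actual)


def needs_rehash(cred: Credential, policy: Policy) -> bool:
    """True only if algorithm or iteration count moved away from what is stored."""
    return (cred.algorithm, cred.hash_iterations) != (policy.algorithm, policy.hash_iterations)


def login(password: str, cred: Credential, policy: Policy) -> Tuple[bool, Optional[Credential]]:
    """Returns (ok, replacement). replacement is None unless the hash must be
    upgraded, so a credential already at policy parameters causes no DB write."""
    if not verify(password, cred):
        return False, None
    if needs_rehash(cred, policy):
        return True, hash_password(password, policy)
    return True, None
```

Under this rule the readiness probe's token request for an already-migrated user is read-only, so three pods probing the same user every 10 seconds never contend on the CREDENTIAL row; only a genuinely stale hash (old algorithm or old iteration count) triggers one rewrite, after which logins are reads again.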
From: simonpayne58 at gmail.com (Simon Payne)
Date: Thu, 10 Aug 2017 16:12:40 +0100
Subject: [keycloak-user] token introspection
In-Reply-To:
References:
Message-ID:

In my organisation the support for token introspection comes with the added
security that if an access token is revoked, then the activity ceases. Using
JWT verification, a potentially fraudulent use of an access token has until
token expiry, as only the refresh token is revoked. This is often enough for
architects to make a decision one way or another depending upon the use case.

As an aside, I have managed to get spring-security-oauth2 working against
keycloak, but this library also appears to not support token introspection.
However, spring security, in my opinion, is easier to inject custom services
or filters into to add a manual token introspection step if required.

On Thu, Aug 10, 2017 at 2:45 PM, Doug Drouillard <douglas.drouillard at gmail.com> wrote:
> You don't necessarily 'need' it, but it makes the project an order of
> magnitude more complicated to understand. The adapters are magic, but if
> we aren't already familiar with something like Spring, then we really have
> no way to fully understand what is going on. The other adapters such as
> undertow are equally as intense. We don't need to understand all
> infrastructure of course, but given there is an integration into an
> existing workflow it makes it hard to use.
>
> I would contribute a simple / clean Java example but I am still not sure
> what that would even mean. Most threads I see around inspection say just
> use XXX and don't worry. But I have found that to be dubious.
>
> The aerogear team was using an Auth0 JWT inspection library which seems
> like it is working.
>
> The project is very well documented and there are tons of examples, but I
> see every 2 weeks or so someone asks about token introspection as they are
> trying to learn the best way to use Keycloak and basically get 3 responses
> in until they get a 'dont worry about it' response, which really doesn't
> help as it is rare to solve a more complicated problem without
> understanding the basic problem.
>
> We get the fear of misusing token inspection, but it sucks as a user
> not to be able to get a clear example of 'Here is how you used to do it
> with manual token inspection, now compare to the adapters' as opposed to
> 'read this intense doc and just simply integrate this adapter which you
> don't understand' which has been what I have personally seen in digging
> through 3 years of emails. Or the even better - "just google for industry
> best practices on token inspection and use the existing libraries". For you
> on the team it probably seems like such a trivial use case not even worth
> mentioning but if you are new to Oauth/Keycloak/JWT and adapters, a simple
> use case even if it was absolutely evil and going to cause WW3 would be
> useful. Even as a blog post.
>
> The use case is, I use keycloak to do a social sign-in, I get the token
> back, using only self-contained Java (so calling libraries but not using
> any json configs or adapters), how would I inspect the token to pull out
> the email address and verify that token is still valid and actually came
> from my keycloak server instead of being spoofed?
>
> I know this is what adapters/json configs do for you (at least in theory, I
> never got adapters to work), and there are existing libraries, but an all
> in one laid out example direct from keycloak team would be awesome!
> On Thu, Aug 10, 2017 at 8:58 AM, wrote:
>
> > Send keycloak-user mailing list submissions to
> >         keycloak-user at lists.jboss.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         https://lists.jboss.org/mailman/listinfo/keycloak-user
> > or, via email, send a message with subject or body 'help' to
> >         keycloak-user-request at lists.jboss.org
> >
> > You can reach the person managing the list at
> >         keycloak-user-owner at lists.jboss.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of keycloak-user digest..."
> >
> >
> > Today's Topics:
> >
> >    1. Re: DB deadlock for concurrent logins (Vikrant Singh)
> >    2. Re: token introspection (Pedro Igor Silva)
> >    3. Re: JGroups failure: failed submitting DONT_BUNDLE message to
> >       thread pool (Hynek Mlnarik)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 10 Aug 2017 17:06:33 +0530
> > From: Vikrant Singh
> > Subject: Re: [keycloak-user] DB deadlock for concurrent logins
> > To: "keycloak-us."
> > Message-ID:
> > gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Yes, but password migration should only be happening during first login. I
> > have checked the CREDENTIAL table in DB and the user has already migrated to
> > the new hashing algorithm and number of iterations, but still keycloak is
> > trying to run the Update query for each login attempt.
> >
> > -Vikrant
> >
> > On Thu, Aug 10, 2017 at 4:18 PM, wrote:
> >
> > >
> > > I believe that the default hashing algorithm has changed to SHA-256 as
> > > SHA-1 was recently in the news for being able to create hash
> > > collisions. Because of this change, each login will update the password
> > > hash stored with the 1st login of the user.
> > >
> > > Not sure why MariaDB would deadlock. Don't know enough about how that
> > > database performs locks. It is trying to update a foreign key that has
> > > an index associated with it. Maybe that has something to do with it.
> > >
> > >
> > >
> > > On 8/9/17 5:35 PM, Vikrant Singh wrote:
> > > > Hi,
> > > >
> > > > I am running Keycloak 3.2.1.Final on the OpenShift platform with MariaDB
> > > > 10.2.7 for DB, recently upgraded from 3.1.0.Final.
> > > >
> > > > The deployment consists of 3 keycloak servers along with 3 DB instances. As
> > > > part of the kubernetes readiness check, a token is requested for a local user
> > > > in the master realm every 10 sec. The concurrent token request for the same
> > > > user is causing the deadlock exception in DB. Following is the exception
> > > > being logged in keycloak.
> > > >
> > > >
> > > > Caused by: java.sql.SQLException: Deadlock found when trying to get
> > > > lock; try restarting transaction
> > > >
> > > > Query is: select userentity0_.ID as ID1_71_,
> > > > userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as
> > > > EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_,
> > > > userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as
> > > > ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_,
> > > > userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as
> > > > LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_,
> > > > userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_,
> > > > userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_
> > > > where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters
> > > > ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master']
> > > >
> > > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
> > > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
> > > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
> > > > ... 76 more
> > > >
> > > >
> > > > Caused by: java.sql.SQLException: Lock wait timeout exceeded; try
> > > > restarting transaction
> > > >
> > > > Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?,
> > > > CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?,
> > > > SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters
> > > > ['pbkdf2-sha256',0,1501750736628,,0,27500,0,.??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919']
> > > >
> > > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
> > > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
> > > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
> > > > ... 78 more
> > > >
> > > >
> > > > Why is keycloak trying to update the user credential for every login,
> > > > and why is the deadlock occurring? Any help truly appreciated.
> > > >
> > > >
> > > > Thanks,
> > > >
> > > > Vikrant
> > >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 10 Aug 2017 08:53:23 -0300
> > From: Pedro Igor Silva
> > Subject: Re: [keycloak-user] token introspection
> > To: Simon Payne
> > Cc: keycloak-user
> > Message-ID:
> > gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > No, we don't. Like Bill said, you don't really need it. Basically, what we
> > support is described in docs [1].
> >
> > [1]
> > http://www.keycloak.org/docs/3.1/authorization_services/topics/enforcer/keycloak-enforcement-filter.html
> >
> >
> > On Thu, Aug 10, 2017 at 6:11 AM, Simon Payne wrote:
> >
> > > do we have token introspection implemented in any of the client adapters
> > > (other than spring boot)?
> > >
> > > thanks
> > >
> > >
> > > On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne wrote:
> > >
> > > > thanks Pedro,
> > > >
> > > > however, i think our use cases are not exactly the same. it appears your
> > > > component is set to allow authentication of user where mine is bearer only.
> > > >
> > > > the only other differences i can see between our projects is that i am
> > > > running gradle with keycloak 3.2.0 and that i have also added compile(
> > > > 'org.keycloak:keycloak-authz-client:3.2.0.CR1')
> > > >
> > > > Lucian, i don't have a project which i can share at the moment as other
> > > > code is included, if you would still like to see something i can make a
> > > > shareable version.
> > > >
> > > > Thanks
> > > >
> > > >
> > > > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva wrote:
> > > >
> > > >> Hey Lucian, we have this
> > > >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
> > > >>
> > > >> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote:
> > > >>
> > > >>> Simon,
> > > >>> Do you have a demo app with that? I am just curious to see a
> > > >>> spring(boot) app with authorizations...I remember that I tried something
> > > >>> with authorizations, and the authorization context was null (I know there
> > > >>> are some Jira issues about it), but I still could not get it to work in
> > > >>> 2.5.5
> > > >>> AuthorizationContext authzContext =
> > > >>> keycloakSecurityContext.getAuthorizationContext();
> > > >>> Thanks, Lucian
> > > >>>
> > > >>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <
> > > >>> simonpayne58 at gmail.com> wrote:
> > > >>>
> > > >>> yes correct.
> > > >>>
> > > >>> there is a definite change in behavior with the addition of the
> > > >>> keycloak.policy-enforcer-config.online-introspection=true flag, as without
> > > >>> this single line in my property file it works correctly as a bearer only
> > > >>> resource server. Addition of this line results in the incorrect call to
> > > >>> the token exchange endpoint.
> > > >>>
> > > >>> thanks
> > > >>>
> > > >>>
> > > >>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote:
> > > >>>
> > > >>> > Doesn't look like the switch is hooked up to anything. As it is, it
> > > >>> > looks like this switch was added for RPT validation, not access token
> > > >>> > validation, and not ever implemented. You just want the adapter to
> > > >>> > validate the access token with the auth server for bearer token
> > > >>> > requests, right?
> > > >>> >
> > > >>> >
> > > >>> > On 8/8/17 9:29 AM, Bill Burke wrote:
> > > >>> > > I'm looking at the code on server and I don't see that it requires any
> > > >>> > > special switch to use it. The endpoint is:
> > > >>> > >
> > > >>> > > @Post
> > > >>> > >
> > > >>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> > > >>> > >
> > > >>> > > Takes form params.
> > > >>> > >
> > > >>> > > token
> > > >>> > >
> > > >>> > > token_type_hint (optional and defaults to "access_token")
> > > >>> > >
> > > >>> > >
> > > >>> > > On 8/8/17 4:31 AM, Simon Payne wrote:
> > > >>> > >> after some debugging i figured that
> > > >>> > >> keycloak.policy-enforcer-config.online-introspection=true switched on this
> > > >>> > >> functionality, however it appears to error on a 400 after making a call to
> > > >>> > >> the /auth/realms/master/protocol/openid-connect/token endpoint.
> > > >>> > >>
> > > >>> > >> I'm assuming this is a bug?
> > > >>> > >>
> > > >>> > >> Thanks
> > > >>> > >>
> > > >>> > >>
> > > >>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> > > >>> > >>
> > > >>> > >>> Hi All,
> > > >>> > >>>
> > > >>> > >>> I'm evaluating keycloak and i'm currently looking at token introspection.
> > > >>> > >>>
> > > >>> > >>> I've managed to achieve this manually, i.e. by sending a post via postman,
> > > >>> > >>> but i'm unable to figure out whether this can be achieved via the keycloak
> > > >>> > >>> adapters, specifically spring boot.
> > > >>> > >>>
> > > >>> > >>> any help in this area would be appreciated.
> > > >>> > >>>
> > > >>> > >>> thanks
> > > >>> > >>>
> > > >>> > >>> Simon.
> > > >>> > >>>
> > > >>
> > > >>
> > >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 10 Aug 2017 14:32:50 +0200
> > From: Hynek Mlnarik
> > Subject: Re: [keycloak-user] JGroups failure: failed submitting
> >         DONT_BUNDLE message to thread pool
> > To: Edwin de Jong
> > Cc: keycloak-user
> > Message-ID:
> > gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > You seem to be facing https://issues.jboss.org/browse/WFLY-6179. Once
> > keycloak updates to WF 10.1/11.x, this issue should be resolved.
> >
> > On Wed, Aug 9, 2017 at 1:32 PM, Edwin de Jong wrote:
> > > Dear Keycloak users (and devs),
> > >
> > > This morning, we faced a production level issue on our Keycloak Cluster,
> > > running in a 3-node formation on EC2. Symptoms were a high failure rate
> > > of requests (> 20%) and high latency (> 10 seconds). We are currently
> > > trying to figure out what went wrong. We would appreciate it if someone
> > > with knowledge of JGroups / Infinispan could chime in with a working
> > > hypothesis.
> > >
> > > About priority: we are currently running nominally. We have brought down
> > > two of the instances and brought up two new instances. The cluster is
> > > working again as expected.
> > >
> > > Below I'll give information about our setup, the relevant log-messages
> > > and links to some screenshots of our monitoring:
> > >
> > > EC2 instances are C4.Large (3x)
> > > Keycloak Version 3.1.0-FINAL
> > >
> > > Normal CPU usage is around 1% or less. It peaked to 16% during the incident.
> > > Memory usage is normal.
> > >
> > > Screenshots:
> > >
> > > - datadog statistics of our services calling keycloak: https://ibb.co/dsDTKv
> > > - AWS EC2 instance Cloudwatch statistics: network out rate (in bytes per
> > >   MINUTE): https://ibb.co/j8jhCF
> > > - AWS EC2 instance Cloudwatch statistics: network in rate (in bytes per
> > >   MINUTE): https://ibb.co/ggLuRa
> > >
> > > Log lines, just before failure (to help reduce clutter, I've removed the
> > > date and replaced the IP addresses with "IP-A", "IP-B", "IP-C"). The
> > > last message is repeated around 500.000 times in the span of around 1
> > > minute.
> > >
> > > ---------------------->%-----------------------
> > > 05:09:23,925 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,928 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,991 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,996 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,001 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,004 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,014 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,027 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 6
> > > 05:09:24,028 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 6
> > > 05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 6
> > > 05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t132) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 6
> > > 05:09:33,567 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,573 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,575 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,521 WARN [org.jgroups.protocols.pbcast.NAKACK] (Incoming-19,ee,ip-B) JGRP000011: ip-B: dropped message 54375 from non-member ip-C (view=[ip-A|3] (2) [ip-A, ip-B]) Warning
> > > 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,530 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,533 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,518 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,577 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> > >
05:09:33,579 INFO [org.infinispan.CLUSTER] > (transport-thread--p14-t12) > > > ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, > > > topology CacheTopology{id=10, rebalanceId=3, > > > currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: > > > 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = > > > (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, > > > actualMembers=[ip-A, ip-B, ip-C]} > > > 05:09:33,580 INFO [org.infinispan.CLUSTER] > (transport-thread--p14-t12) > > > ISPN000310: Starting cluster-wide rebalance for cache loginFailures, > > > topology CacheTopology{id=10, rebalanceId=3, > > > currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: > > > 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = > > > (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, > > > actualMembers=[ip-A, ip-B, ip-C]} > > > 05:09:33,582 INFO [org.infinispan.CLUSTER] > (transport-thread--p14-t15) > > > ISPN000310: Starting cluster-wide rebalance for cache sessions, > topology > > > CacheTopology{id=10, rebalanceId=3, > > > currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: > > > 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = > > > (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, > > > actualMembers=[ip-A, ip-B, ip-C]} > > > 05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) > > > ISPN000336: Finished cluster-wide rebalance for cache loginFailures, > > > topology id = 10 > > > 05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) > > > ISPN000336: Finished cluster-wide rebalance for cache authorization, > > > topology id = 10 > > > 05:09:33,590 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) > > > ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, > > > topology id = 10 > > > 05:09:33,601 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t133) > > > ISPN000336: 
Finished cluster-wide rebalance for cache sessions, > topology > > > id = 10 > > > 05:09:34,001 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver > > > [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE > > > message to thread pool: java.util.concurrent. > RejectedExecutionException: > > > Task org.jgroups.protocols.TP$SingleMessageHandler at 17c86a0c rejected > > > from java.util.concurrent.ThreadPoolExecutor at 52cae691[Running, pool > size > > > = 4, active threads = 4, queued tasks = 100, completed tasks = > 1589693]. > > > Msg: RequestCorrelator: id=200, type=REQ, id=607, rsp_expected=true, > > > FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=206], TCP: > [cluster_name=ee] > > > ERROR > > > 05:09:34,010 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver > > > [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE > > > message to thread pool: java.util.concurrent. > RejectedExecutionException: > > > Task org.jgroups.protocols.TP$SingleMessageHandler at 4fec3655 rejected > > > from java.util.concurrent.ThreadPoolExecutor at 52cae691[Running, pool > size > > > = 4, active threads = 4, queued tasks = 100, completed tasks = > 1589694]. 
> > > Msg: RequestCorrelator: id=200, type=REQ, id=609, rsp_expected=true, > > > FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=208], TCP: > [cluster_name=ee] > > > ERROR > > > > > > (last line repeated many, many times) > > > ---------------------->%----------------------- > > > > > > > > > > > > Infinispan subsystem configuration in standalone-ha.xml: > > > > > > ---------------------->%----------------------- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > owners="3"/> > > > owners="3"/> > > > owners="3"/> > > > > > > > > > > > > > > > > > > > > > > > default-cache="default" module="org.wildfly.clustering.server"> > > > > > > > > > > > > > > > > > > > > module="org.wildfly.clustering.web.infinispan"> > > > > > > > > owners="2"> > > > > > > > > > > > > > > > > > > > > module="org.wildfly.clustering.ejb.infinispan"> > > > > > > > > owners="2"> > > > > > > > > > > > > > > > > > > > > module="org.hibernate.infinispan"> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ---------------------->%----------------------- > > > > > > JGroups subsystem configuration: > > > > > > ---------------------->%----------------------- > > > default-stack="tcp"> > > > > > > > > > > > > > > > > > > > > > > > > S3AccessKey > > > > > S3SecretAccessKey > > > S3PingBucketName > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ---------------------->%----------------------- > > > > > > with kind regards, > > > > > > Edwin de Jong > > > > > > -- Simacan B.V. 
> > > Data Engineer
> > >
> > > >
> > > > --
> > > > --Hynek
> >
> > ------------------------------
>

From simonpayne58 at gmail.com Thu Aug 10 11:49:29 2017
From: simonpayne58 at gmail.com (Simon Payne)
Date: Thu, 10 Aug 2017 16:49:29 +0100
Subject: [keycloak-user] JSON Web Encryption
Message-ID:

Does Keycloak offer access token encryption?

So far I can only see that Keycloak signs the JWT rather than encrypting the content.

Thanks

Simon.

From MPoettgen at clifford-thames.com Thu Aug 10 11:56:02 2017
From: MPoettgen at clifford-thames.com (Michael Poettgen)
Date: Thu, 10 Aug 2017 15:56:02 +0000
Subject: [keycloak-user] Delegated User Self-Administration
Message-ID:

Has anyone done delegated user administration with larger numbers of organizations?

Thanks,
Michael
From: Michael Poettgen
Sent: Monday, August 7, 2017 5:14 PM
To: 'keycloak-user at lists.jboss.org'
Subject: Delegated User Self-Administration

Hello Everyone,

I've got questions on how to properly do delegated user self-administration with Keycloak. Some background information:

* We are working with hundreds or even thousands of organizations for which we want to manage access to our applications.
* Some of these organizations are our internal divisions for which we have active directories. Users from these organizations can be integrated through "User Storage Federation" and they will continue to be maintained in the respective directories.
* Some of these organizations are part of larger organizations which have proper identity providers. Users from these organizations can be integrated through "Identity Brokering" and they will continue to be maintained in the respective identity providers.
* For the remaining external organizations (and there are a lot of them) we would have to maintain user accounts ourselves and we would like to delegate that maintenance work to a designated user self-administrator within the external organization.
* A user self-administrator should be able to view, create, lock and unlock user accounts within the same organization.
* Optionally a user self-administrator should be able to grant or revoke access to particular (sets of) applications for the users he is allowed to administer.

I do understand that this could probably be achieved through separate realms and "Dedicated Realm Admin Consoles", but as far as I understand these realms would be entirely separate. This would mean that we would have to set up clients hundreds of times for each of the organizations. We would have to figure out how to direct each user to the proper realm for authentication and each organization would have its own login page.
* Does Keycloak have something like the notion of "sub-realms" where a user can authenticate against a realm, if there is a corresponding user account in the realm itself or in one of the sub-realms?
* It is probably possible to use the "User Storage SPI" to write a custom User Storage Federation Provider, but does that make sense? Would it perform well?
* Another option would probably be to write a custom User Self-Administration application using the "Admin REST API". (Unfortunately there is not even an API to retrieve users filtered by anything other than base properties, so the application could end up retrieving thousands of user accounts to find five accounts belonging to a particular organization.)
* The third option would be to customize Keycloak itself, but we are no Java experts, so is this advisable?
* Has anyone implemented a scenario like this with Keycloak?
* Does anyone know whether there are any plans to extend Keycloak to better support a scenario like this?

Thanks,
Michael

From Nicolas.Geadah at vec.virginia.gov Thu Aug 10 17:45:27 2017
From: Nicolas.Geadah at vec.virginia.gov (Geadah, Nicolas (VEC))
Date: Thu, 10 Aug 2017 21:45:27 +0000
Subject: [keycloak-user] Does the REST API support event creation
Message-ID:

Is it possible to create auditing events directly using the REST API? I'm not finding any method by which I could create events (or admin events) directly by calling the REST service. Ideally some activities in our external applications would create keycloak event entries, but that does not look like it's possible.

Thanks!

From tgc at dma.dk Fri Aug 11 03:00:45 2017
From: tgc at dma.dk (Tomas Groth Christensen)
Date: Fri, 11 Aug 2017 07:00:45 +0000
Subject: [keycloak-user] Disable Sticky Sessions?
In-Reply-To:
References: <1502266398.32143.33.camel@dma.dk>
Message-ID: <1502434845.32143.74.camel@dma.dk>

On Wed, 09 08 2017 at 14:37 +0200, Marek Posolda wrote:
> On 09/08/17 10:13, Tomas Groth Christensen wrote:
> >
> > Hi,
> >
> > I am using keycloak as a broker where the user in a browser can choose which identity provider to use for authentication and this works just fine.
> >
> > We have also set up a "headless flow" where an application using the kc_idp_hint can preselect a special identity provider which can authenticate the user (with a special authenticator) without user interaction. This used to work fine, but with Keycloak 3.2.x this breaks, since now Keycloak requires cookies to be enabled. As far as I can tell this is because the AUTH_SESSION_ID cookie used for "Sticky sessions" is now a hard requirement.
> >
> > Is there a way to disable this hard requirement on cookies?
> Do I understand correctly that you're using browser flow from the non-browser applications?

Yes, that is correct. I know it is not the "right" way of doing things, but until this hard dependency on cookies was introduced, it actually worked without issues. And it will continue to work if we enable cookies.

> ATM it's not possible to disable this.

That was what I feared - but thank you for your answer.

Best regards,
Tomas

From bburke at redhat.com Fri Aug 11 11:46:48 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Aug 2017 11:46:48 -0400
Subject: [keycloak-user] token introspection
In-Reply-To:
References:
Message-ID: <3ec2fad4-cabc-6c12-1926-6affb983cd2a@redhat.com>

On 8/10/17 9:45 AM, Doug Drouillard wrote:
> You don't necessarily 'need' it, but it makes the project an order of magnitude more complicated to understand. The adapters are magic, but if we aren't already familiar with something like Spring, then we really have no way to fully understand what is going on. The other adapters such as undertow are equally intense. We don't need to understand all infrastructure of course, but given there is an integration into an existing workflow it makes it hard to use.

You don't need token introspection if you are following the OAuth2 protocol correctly. Token introspection is redundant in this case. It is only potentially useful for validating bearer token requests depending on the access token implementation.

> I would contribute a simple / clean Java example but I am still not sure what that would even mean. Most threads I see around inspection say just use XXX and don't worry. But I have found that to be dubious.
>
> The aerogear team used an Auth0 JWT inspection library which seems like it is working.
>
> The project is very well documented and there are tons of examples, but I see every 2 weeks or so someone asks about token introspection as they are trying to learn the best way to use Keycloak and basically get 3 responses in until they get a 'don't worry about it' response, which really doesn't help as it is rare to solve a more complicated problem without understanding the basic problem.

Keycloak access tokens are digitally signed by the realm. This is spelled out in our documentation. For bearer token requests, our adapters validate this signature against the public key of the realm.
Keycloak token introspection is only useful for determining if the access token has been revoked within the allowable timeout of the token. Our adapters don't support token introspection. We do not recommend token introspection for bearer token requests because then the Keycloak auth server would basically have to scale one-to-one with all the bearer token requests of every single service on your network.

> We get the fear of missing using token inspection, but it sucks as a user not to be able to get a clear example of 'Here is how you used to do it with manual token inspection, now compare to the adapters' as opposed to 'read this intense doc and just simply integrate this adapter which you don't understand' which has been what I have personally seen in digging through 3 years of emails. Or the even better - "just google for industry best practices on token inspection and use the existing libraries". For you on the team it probably seems like such a trivial use case not even worth mentioning but if you are new to Oauth/Keycloak/JWT and adapters, a simple use case even if it was absolutely evil and going to cause WW3 would be useful. Even as a blog post.
>
> The use case is, I use keycloak to do a social sign-in, I get the token back, using only self-contained Java (so calling libraries but not using any json configs or adapters), how would I inspect the token to pull out the email address and verify that token is still valid and actually came from my keycloak server instead of being spoofed?

I think your complaints are misguided. Either you trust the adapter's "magic" or you learn and completely understand the protocols yourself. In your particular example, you know that the email address, etc. that you pull out is not being spoofed because you are doing the OAuth2 auth code flow using HTTPS and your client HTTP library should be validating the cert when setting up an SSL connection to make the code to token exchange.
This is completely spelled out in the OAuth2 and OpenID Connect specifications.

> I know this is what adapters/json configs do for you (at least in theory, I never got adapters to work), and there are existing libraries, but an all in one laid out example direct from keycloak team would be awesome!

Sounds like you are implying that our adapters don't work? Must be user error on your part. If you want to criticize our docs and say they suck, that's perfectly fine. But to imply our adapters don't work is just plain wrong. Granted it can be difficult to debug setup issues at times, but our adapters don't work "in theory"... The project is 4+ years old now and to imply that something as fundamental as our adapters don't work is, well, a tiny bit insulting :)

As far as a "laid out example": example on what? There are a ton of examples for setting up adapters. The Keycloak admin console can even generate a config file for you. If you want a "laid out example" of manually coding the OpenID Connect or SAML protocols in Java... well, there you are on your own. We are OpenID Connect certified so, if you learn the protocol, you should be able to manually code anything you want. IMO, the OAuth2 and OpenID Connect specifications are easy enough to understand.

What is missing I think is documentation on how to validate bearer tokens if you are not using our adapters or security proxy. KEYCLOAK-5287 was just created and scheduled by me to track this.

Bill
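The check Bill describes above (verify the token's signature against the realm public key, then its lifetime, and only then read a claim such as the email) as an added, self-contained example; it is not code from this thread or from Keycloak's adapters. It assumes the realm publishes its RSA signing key as a JWKS entry (kid, n, e); MintTestToken, the kid and the issuer URL are constructed stand-ins for the server, and fetching the JWKS over HTTPS is left out so that it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// Claims is the subset of a Keycloak access token this check reads.
type Claims struct {
	Issuer string `json:"iss"`
	Expiry int64  `json:"exp"`
	Email  string `json:"email"`
}
// JWK is the part of a realm JWKS entry needed to rebuild its RSA public key.
type JWK struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// VerifyAccessToken does for a bearer token what the adapters do: select the realm key
// by kid, verify the RS256 signature over header.payload, then check issuer and expiry.
func VerifyAccessToken(token, issuer string, realmKeys []JWK, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a compact JWS")
	}
	rawHdr, errH := b64.DecodeString(parts[0])
	rawBody, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC alg.
	var hdr map[string]string
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("unexpected header alg %q", hdr["alg"])
	}
	// Rebuild the realm public key from the JWKS entry whose kid the header names.
	var pub *rsa.PublicKey
	for _, k := range realmKeys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr["kid"] && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable realm key matches kid %q", hdr["kid"])
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify against the realm key")
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer {
		return nil, fmt.Errorf("issuer %q is not this realm", c.Issuer)
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, fmt.Errorf("token expired at %d", c.Expiry)
	}
	return &c, nil
}

// MintTestToken stands in for the realm (constructed scaffolding, not Keycloak code):
// it signs the claims with a fresh key and returns the JWK the realm would publish.
func MintTestToken(c Claims) (string, []JWK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-1"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	jwk := JWK{Kid: "constructed-kid-1", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return signingInput + "." + b64.EncodeToString(sig), []JWK{jwk}, err
}

func main() {
	realm, now := "https://sso.example.test/auth/realms/demo", time.Now() // constructed issuer
	tok, keys, _ := MintTestToken(Claims{Issuer: realm, Expiry: now.Add(5 * time.Minute).Unix(), Email: "alice@example.test"})
	got, err := VerifyAccessToken(tok, realm, keys, now)
	fmt.Printf("claims=%+v err=%v\n", got, err)
}
```

Revocation inside the token's lifetime, which Bill notes is the one thing introspection adds, is not covered by this offline check.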
From: bburke at redhat.com (Bill Burke)
Date: Fri, 11 Aug 2017 12:35:32 -0400
Subject: [keycloak-user] JSON Web Encryption
In-Reply-To:
References:
Message-ID: <7603fde5-ba00-5431-8838-0c78e305ad28@redhat.com>

We don't offer JWE. IMO, JWE is only useful for bearer token requests involving untrusted clients or untrusted services. In all other cases JWE would be redundant. Why? You should/must be using TLS to transmit bearer tokens and JWE is just double encryption and redundant. Tokens are created and tailored per client, so you do have control on what goes into the created token on a per-client basis. So you could strip the JWT of everything but subject and role bindings and have the target service use the user info endpoint if it needed other information.

I do think there are some things that would solve the underlying reason for wanting JWE:

* A token exchange service so that clients with an existing token can exchange it for a "downgraded" token to invoke on a less-trusted service. This is already implemented in master.
* Opaque/simple "callback tokens" or "token references". This would be an opaque string in which the bearer token service would have to ask the token introspection endpoint to validate the access token. And call the user info service to obtain additional information.
* A global encryption method for JWT-based access tokens using JWE. Services would have to obtain a private shared key (PKI or HMAC secret) to decrypt the token.
* A per-client encryption method for JWT-based access tokens using JWE. This type of access token could only be used to invoke on a specific service and would be encrypted only for access on that service. This case doesn't fall under the OAuth/OpenID Connect spec and would probably require a token exchange service.

On 8/10/17 11:49 AM, Simon Payne wrote:
> Does Keycloak offer access token encryption?
>
> So far I can only see that Keycloak signs the JWT rather than encrypting the content.
>
> Thanks
>
> Simon.
From psilva at redhat.com Fri Aug 11 15:58:34 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 11 Aug 2017 16:58:34 -0300
Subject: [keycloak-user] token introspection
In-Reply-To:
References:
Message-ID:

I'm not sure about any example, but there are some references in our docs [1] [2]. They are not "clone & run" examples, but may be helpful to understand how to achieve token introspection.

[1] https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html
[2] https://keycloak.gitbooks.io/documentation/authorization_services/topics/service/protection/token-introspection.html

On Thu, Aug 10, 2017 at 10:45 AM, Doug Drouillard <douglas.drouillard at gmail.com> wrote:
> You don't necessarily 'need' it, but it makes the project an order of magnitude more complicated to understand. The adapters are magic, but if we aren't already familiar with something like Spring, then we really have no way to fully understand what is going on. The other adapters such as undertow are equally intense. We don't need to understand all infrastructure of course, but given there is an integration into an existing workflow it makes it hard to use.
>
> I would contribute a simple / clean Java example but I am still not sure what that would even mean. Most threads I see around inspection say just use XXX and don't worry. But I have found that to be dubious.
>
> The aerogear team used an Auth0 JWT inspection library which seems like it is working.
>
> The project is very well documented and there are tons of examples, but I see every 2 weeks or so someone asks about token introspection as they are trying to learn the best way to use Keycloak and basically get 3 responses in until they get a 'don't worry about it' response, which really doesn't help as it is rare to solve a more complicated problem without understanding the basic problem.
>
> We get the fear of missing using token inspection, but it sucks as a user not to be able to get a clear example of 'Here is how you used to do it with manual token inspection, now compare to the adapters' as opposed to 'read this intense doc and just simply integrate this adapter which you don't understand' which has been what I have personally seen in digging through 3 years of emails. Or the even better - "just google for industry best practices on token inspection and use the existing libraries". For you on the team it probably seems like such a trivial use case not even worth mentioning but if you are new to Oauth/Keycloak/JWT and adapters, a simple use case even if it was absolutely evil and going to cause WW3 would be useful. Even as a blog post.
>
> The use case is, I use keycloak to do a social sign-in, I get the token back, using only self-contained Java (so calling libraries but not using any json configs or adapters), how would I inspect the token to pull out the email address and verify that token is still valid and actually came from my keycloak server instead of being spoofed?
>
> I know this is what adapters/json configs do for you (at least in theory, I never got adapters to work), and there are existing libraries, but an all in one laid out example direct from keycloak team would be awesome!
>
> On Thu, Aug 10, 2017 at 8:58 AM, wrote:
>
> >
> > Today's Topics:
> >
> >    1. Re: DB deadlock for concurrent logins (Vikrant Singh)
> >    2. Re: token introspection (Pedro Igor Silva)
> >    3. Re: JGroups failure: failed submitting DONT_BUNDLE message to thread pool (Hynek Mlnarik)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 10 Aug 2017 17:06:33 +0530
> > From: Vikrant Singh
> > Subject: Re: [keycloak-user] DB deadlock for concurrent logins
> > To: "keycloak-us."
> > Message-ID: gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Yes, but password migration should only be happening during first login. I have checked the CREDENTIAL table in DB and the user has already migrated to the new hashing algorithm and number of iterations, but still keycloak is trying to run an Update query for each login attempt.
> >
> > -Vikrant
> >
> > On Thu, Aug 10, 2017 at 4:18 PM, wrote:
> >
> > >
> > > I believe that the default hashing algorithm has changed to SHA-256 as SHA-1 was recently in the news for being able to create hash collisions. Because of this change, each login will update the password hash stored with the 1st login of the user.
> > >
> > > Not sure why MariaDB would deadlock. Don't know enough about how that database performs locks. It is trying to update a foreign key that has an index associated with it. Maybe that has something to do with it.
> > >
> > >
> > > On 8/9/17 5:35 PM, Vikrant Singh wrote:
> > > > Hi,
> > > >
> > > > I am running Keycloak 3.2.1.Final on openshift platform with MariaDB 10.2.7 for DB, recently upgraded from 3.1.0.Final.
> > > >
> > > > The deployment consists of 3 keycloak servers along with 3 DB instances. As part of the kubernetes readiness check, a token is requested for a local user in master realm every 10 sec. The concurrent token request for the same user is causing the deadlock exception in DB. Following is the exception being logged in keycloak.
> > > >
> > > > Caused by: java.sql.SQLException: Deadlock found when trying to get lock; try restarting transaction
> > > > Query is: select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_, userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_ where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters ['ddafa525-baae-4c40-98f8-08c25a23f2c6','master']
> > > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
> > > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
> > > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
> > > > ... 76 more
> > > >
> > > > Caused by: java.sql.SQLException: Lock wait timeout exceeded; try restarting transaction
> > > > Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?, CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?, SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters ['pbkdf2-sha256',0,1501750736628,,0,27500,0,.??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919']
> > > > at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
> > > > at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
> > > > at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
> > > > ... 78 more
> > > >
> > > > Why is keycloak trying to update the user credential for every login, and why is the deadlock occurring? Any help truly appreciated.
> > > >
> > > > Thanks,
> > > >
> > > > Vikrant
> > >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 10 Aug 2017 08:53:23 -0300
> > From: Pedro Igor Silva
> > Subject: Re: [keycloak-user] token introspection
> > To: Simon Payne
> > Cc: keycloak-user
> > Message-ID: gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > No, we don't. Like Bill said, you don't really need it. Basically, what we support is described in docs [1].
> >
> > [1] http://www.keycloak.org/docs/3.1/authorization_services/topics/enforcer/keycloak-enforcement-filter.html
> >
> > On Thu, Aug 10, 2017 at 6:11 AM, Simon Payne wrote:
> >
> > > Do we have token introspection implemented in any of the client adapters (other than spring boot)?
> > >
> > > thanks
> > >
> > > On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne wrote:
> > >
> > > > thanks Pedro,
> > > >
> > > > however, I think our use cases are not exactly the same. It appears your component is set to allow authentication of user where mine is bearer only.
> > > >
> > > > The only other differences I can see between our projects is that I am running gradle with keycloak 3.2.0 and that I have also added compile('org.keycloak:keycloak-authz-client:3.2.0.CR1')
> > > >
> > > > Lucian, I don't have a project which I can share at the moment as other code is included; if you would still like to see something I can make a shareable version.
> > > >
> > > > Thanks
> > > >
> > > > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva wrote:
> > > >
> > > >> Hey Lucian, we have this https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
> > > >>
> > > >> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian wrote:
> > > >>
> > > >>> Simon,
> > > >>> Do you have a demo app with that? I am just curious to see a spring(boot) app with authorizations... I remember that I tried something with authorizations, and the authorization context was null (I know there are some Jira issues about it), but I still could not get it to work in 2.5.5
> > > >>> AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
> > > >>> Thanks, Lucian
> > > >>>
> > > >>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <simonpayne58 at gmail.com> wrote:
> > > >>>
> > > >>> yes correct.
> > > >>>
> > > >>> There is a definite change in behavior with the addition of the keycloak.policy-enforcer-config.online-introspection=true flag, as without this single line in my property file it works correctly as a bearer only resource server. Addition of this line results in the incorrect call to the token exchange endpoint.
> > > >>>
> > > >>> thanks
> > > >>>
> > > >>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke wrote:
> > > >>>
> > > >>> > Doesn't look like the switch is hooked up to anything. As it is, it looks like this switch was added for RPT validation, not access token validation, and not ever implemented. You just want the adapter to validate the access token with the auth server for bearer token requests, right?
> > > >>> >
> > > >>> > On 8/8/17 9:29 AM, Bill Burke wrote:
> > > >>> > > I'm looking at the code on server and I don't see that it requires any special switch to use it. The endpoint is:
> > > >>> > >
> > > >>> > > @Post
> > > >>> > >
> > > >>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> > > >>> > >
> > > >>> > > Takes form params.
> > > >>> > >
> > > >>> > > token
> > > >>> > >
> > > >>> > > token_type_hint (optional and defaults to "access_token")
> > > >>> > >
> > > >>> > > On 8/8/17 4:31 AM, Simon Payne wrote:
> > > >>> > >> after some debugging I figured that keycloak.policy-enforcer-config.online-introspection=true switched on this functionality, however it appears to error on a 400 after making a call to the /auth/realms/master/protocol/openid-connect/token endpoint.
> > > >>> > >>
> > > >>> > >> I'm assuming this is a bug?
> > > >>> > >>
> > > >>> > >> Thanks
> > > >>> > >>
> > > >>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> > > >>> > >>
> > > >>> > >>> Hi All,
> > > >>> > >>>
> > > >>> > >>> I'm evaluating keycloak and I'm currently looking at token introspection.
> > > >>> > >>>
> > > >>> > >>> I've managed to achieve this manually, i.e. by sending a post via postman, but I'm unable to figure out whether this can be achieved via the keycloak adapters, specifically spring boot.
> > > >>> > >>>
> > > >>> > >>> Any help in this area would be appreciated.
> > > >>> > >>>
> > > >>> > >>> thanks
> > > >>> > >>>
> > > >>> > >>> Simon.
> > > >>> > >>>
> > > >>
> > > >>
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 10 Aug 2017 14:32:50 +0200
> > From: Hynek Mlnarik
> > Subject: Re: [keycloak-user] JGroups failure: failed submitting DONT_BUNDLE message to thread pool
> > To: Edwin de Jong
> > Cc: keycloak-user
> > Message-ID: gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > You seem to be facing https://issues.jboss.org/browse/WFLY-6179. Once keycloak updates to WF 10.1/11.x, this issue should be resolved.
> >
> > On Wed, Aug 9, 2017 at 1:32 PM, Edwin de Jong wrote:
> > > Dear Keycloak users (and devs),
> > >
> > > This morning, we faced a production level issue on our Keycloak Cluster, running in a 3-node formation on EC2. Symptoms were a high failure rate of requests (> 20%) and high latency (> 10 seconds). We are currently trying to figure out what went wrong. We would appreciate it if someone with knowledge of JGroups / Infinispan could chime in with a working hypothesis.
> > >
> > > About priority: we are currently running nominally. We have brought down two of the instances and brought up two new instances. The cluster is working again as expected.
> > >
> > > Below I'll give information about our setup, the relevant log messages and links to some screenshots of our monitoring:
> > >
> > > EC2 instances are C4.Large (3x)
> > > Keycloak Version 3.1.0-FINAL
> > >
> > > Normal CPU usage is around 1% or less. It peaked to 16% during the incident.
> > > Memory usage is normal.
> > >
> > > Screenshots:
> > >
> > > - datadog statistics of our services calling keycloak: https://ibb.co/dsDTKv
> > > - AWS EC2 instance Cloudwatch statistics: network out rate (in bytes per MINUTE): https://ibb.co/j8jhCF
> > > - AWS EC2 instance Cloudwatch statistics: network in rate (in bytes per MINUTE): https://ibb.co/ggLuRa
> > >
> > > Log lines, just before failure (to help reduce clutter, I've removed the date and replaced the IP addresses with "IP-A", "IP-B", "IP-C").
> > > The last message is repeated around 500.000 times in the span of around 1 minute.
> > >
> > > ---------------------->%-----------------------
> > > 05:09:23,925 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,926 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,928 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-17,ee,ip-B) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel server: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,990 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel keycloak: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,991 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel web: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel hibernate: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,992 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-A) ISPN000094: Received new cluster view for channel ejb: [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:23,996 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,001 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,004 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,014 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t18) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=6, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 54+26, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[ip-A: 40+40, ip-B: 40+40]}, unionCH=null, actualMembers=[ip-A, ip-B]}
> > > 05:09:24,027 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 6
> > > 05:09:24,028 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 6
> > > 05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 6
> > > 05:09:24,029 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t132) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 6
> > > 05:09:33,567 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,569 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,573 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,575 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ee,ip-C) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,521 WARN [org.jgroups.protocols.pbcast.NAKACK] (Incoming-19,ee,ip-B) JGRP000011: ip-B: dropped message 54375 from non-member ip-C (view=[ip-A|3] (2) [ip-A, ip-B]) Warning
> > > 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,529 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,530 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,533 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-20,ee,ip-B) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,518 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel server: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel keycloak: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,525 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel web: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel hibernate: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,527 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-7,ee,ip-A) ISPN000093: Received new, MERGED cluster view for channel ejb: MergeView::[ip-A|4] (3) [ip-A, ip-B, ip-C], 2 subgroups: [ip-A|2] (3) [ip-A, ip-C, ip-B], [ip-A|3] (2) [ip-A, ip-B]
> > > 05:09:33,577 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> > > 05:09:33,579 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> > > 05:09:33,580 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t12) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> > > 05:09:33,582 INFO [org.infinispan.CLUSTER] (transport-thread--p14-t15) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=10, rebalanceId=3, currentCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-C: 27+53, ip-B: 26+54]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[ip-A: 27+53, ip-B: 26+54, ip-C: 27+53]}, unionCH=null, actualMembers=[ip-A, ip-B, ip-C]}
> > > 05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 10
> > > 05:09:33,589 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t130) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 10
> > > 05:09:33,590 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t131) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 10
> > > 05:09:33,601 INFO [org.infinispan.CLUSTER] (remote-thread--p7-t133) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 10
> > > 05:09:34,001 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler@17c86a0c rejected from java.util.concurrent.ThreadPoolExecutor@52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589693]. Msg: RequestCorrelator: id=200, type=REQ, id=607, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=206], TCP: [cluster_name=ee] ERROR
> > > 05:09:34,010 ERROR [org.jgroups.protocols.TCP] (Connection.Receiver [IP-A:35361 - IP-C:7600],ee,ip-A) ip-A: failed submitting DONT_BUNDLE message to thread pool: java.util.concurrent.RejectedExecutionException: Task org.jgroups.protocols.TP$SingleMessageHandler@4fec3655 rejected from java.util.concurrent.ThreadPoolExecutor@52cae691[Running, pool size = 4, active threads = 4, queued tasks = 100, completed tasks = 1589694]. Msg: RequestCorrelator: id=200, type=REQ, id=609, rsp_expected=true, FORK: ee:keycloak, NAKACK: [XMIT_RSP, seqno=208], TCP: [cluster_name=ee] ERROR
> > >
> > > (last line repeated many, many times)
> > > ---------------------->%-----------------------
> > >
> > > Infinispan subsystem configuration in standalone-ha.xml (the XML tags did not survive the archive; only these attribute fragments remain):
> > >
> > > ---------------------->%-----------------------
> > > owners="3"/>
> > > owners="3"/>
> > > owners="3"/>
> > > default-cache="default" module="org.wildfly.clustering.server">
> > > module="org.wildfly.clustering.web.infinispan">
> > > owners="2">
> > > module="org.wildfly.clustering.ejb.infinispan">
> > > owners="2">
> > > module="org.hibernate.infinispan">
> > > ---------------------->%-----------------------
> > >
> > > JGroups subsystem configuration (same caveat, tags stripped):
> > >
> > > ---------------------->%-----------------------
> > > default-stack="tcp">
> > > S3AccessKey
> > > S3SecretAccessKey
> > > S3PingBucketName
> > > ---------------------->%-----------------------
> > >
> > > with kind regards,
> > >
> > > Edwin de Jong
> > >
> > > --
> > > Simacan B.V.
> > > Data Engineer
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > --Hynek
> >
> > ------------------------------
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > End of keycloak-user Digest, Vol 44, Issue 23
> > *********************************************
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From niko at n-k.de Sun Aug 13 09:28:50 2017
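The token introspection endpoint that Bill Burke describes in the quoted digest above (POST /auth/realms/{realm}/protocol/openid-connect/token/introspect with form fields token and token_type_hint) is what a bearer-only resource server calls when it wants the auth server, rather than its own JWT check, to say whether a token is still good. The Python below is an added example, not code from the mailing list or from Keycloak: build_introspection_request assembles the request such a resource server would send, and evaluate_introspection applies the checks the caller must still make on the JSON reply (active must be true, exp must be in the future, the audience must name this resource server). The host sso.example.test, the client id/secret Basic authentication and the sample replies are assumptions and constructed data.

```python
"""Validating a bearer token through Keycloak's token introspection endpoint.

Added example, not from the mailing list thread or the Keycloak code base.
Assumptions: the Keycloak 3.x URL layout /auth/realms/<realm>/..., a
resource server registered as a confidential client that authenticates
with HTTP Basic (client id and secret), and constructed sample replies.
"""
import base64
import json
import time
from urllib.parse import urlencode


def build_introspection_request(base_url, realm, client_id, client_secret,
                                token, token_type_hint="access_token"):
    """Assemble the POST a resource server sends to introspect a token.

    Returns a dict with method, url, headers and url-encoded body so the
    caller can hand it to any HTTP client. Nothing is sent from here.
    """
    url = (f"{base_url.rstrip('/')}/auth/realms/{realm}"
           "/protocol/openid-connect/token/introspect")
    # The introspection endpoint is itself protected: the caller must prove
    # it is a registered client, otherwise anyone could probe token validity.
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": token_type_hint})
    return {"method": "POST", "url": url, "headers": headers, "body": body}


def evaluate_introspection(response_json, expected_audience, now=None):
    """Decide whether an introspection reply authorises a request.

    Returns (accepted, reason). A reply that does not say active=true is
    rejected, and even an active token is rejected if it has expired by the
    caller's clock or was not issued for this resource server.
    """
    now = time.time() if now is None else now
    try:
        data = json.loads(response_json)
    except json.JSONDecodeError:
        return False, "introspection reply is not JSON"
    if data.get("active") is not True:
        # Revoked, expired on the server, or simply unknown: the endpoint
        # deliberately does not say which.
        return False, "token is not active"
    exp = data.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token has expired"
    aud = data.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]  # aud may be a single string or a list
    if expected_audience not in aud:
        return False, "token was not issued for this resource server"
    return True, "ok"


# Constructed sample replies in the shape of an RFC 7662 response.
SAMPLE_ACTIVE = json.dumps({
    "active": True,
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "aud": ["my-api", "account"],
    "sub": "user-1234",
    "scope": "openid profile",
})
SAMPLE_INACTIVE = json.dumps({"active": False})


if __name__ == "__main__":
    req = build_introspection_request("https://sso.example.test", "master",
                                      "my-api", "changeme", "eyJ.header.payload")
    print(req["url"])
    print(evaluate_introspection(SAMPLE_ACTIVE, "my-api", now=1_700_000_100))
    print(evaluate_introspection(SAMPLE_ACTIVE, "my-api", now=1_700_001_000))
    print(evaluate_introspection(SAMPLE_INACTIVE, "my-api"))
```

The audience check matters as much as the active flag: an active token minted for a different client would otherwise be accepted by every resource server in the realm that relies on introspection alone.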
From: niko at n-k.de (Niko Köbler)
Date: Sun, 13 Aug 2017 15:28:50 +0200
Subject: [keycloak-user] Keycloak Spring Boot Bearer Authentication
In-Reply-To:
References:
Message-ID: <77D80D87-0EBA-4F3D-AC54-7818514392D5@n-k.de>

Hi Sebastien / James,

are there any news on this? I saw the ticket (https://issues.jboss.org/browse/KEYCLOAK-5173) and PR (https://github.com/keycloak/keycloak/pull/4303), but the last action was approx. 3 weeks ago and the Jira issue isn't updated in any way.
I came across the same issue last week in a customer workshop and I would love to see this issue solved.
If I can help in any way, please let me know!

Cheers,
- Niko

> On 10.07.2017 at 08:17, Sebastien Blanc wrote:
>
> Hi,
>
> We don't have this currently for the Spring Boot Adapter and it would be great if you could contribute on this; could you also please open a jira ticket for that on https://issues.jboss.org/browse/KEYCLOAK ?
>
> On Fri, Jul 7, 2017 at 10:33 PM, Mcshane, James P <James.P.Mcshane at healthpartners.com> wrote:
>
>> I am working on a set of Spring Boot modules all within the same Realm in Keycloak. I would like the service to have bearer only authentication so that the service can only be accessed by authorized clients. For the spring-security adapter, I see the KeycloakRestTemplate, but the factory there requires the SecurityContextHolder, which isn't present out of the box in the authentication mechanism for the spring-boot adapter.
>>
>> Is there a different rest template that could use the different container auth solutions provided by the KeycloakAutoConfiguration class? Clearly accessing the bearer authentication values from these systems is app server dependent, so it would seem to make sense to have a KeycloakClientRequestFactory provider that can handle the different types of container auth that is being done by the spring-boot adapter. Has this been done already, but not yet documented?
>> In either case, I would be happy to contribute docs or code that deals with these different implementations.
>> Thanks,
>>
>> James
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cube_00 at hotmail.com Mon Aug 14 00:00:06 2017
From: cube_00 at hotmail.com (James .)
Date: Mon, 14 Aug 2017 04:00:06 +0000
Subject: [keycloak-user] ADFS Support Without Keycloak Server
Message-ID:

Hi,

I've read the announcement that Picketlink and Keycloak are merging.

We currently use Picketlink to SSO with AD FS. Is that still possible with Keycloak or do I need a Keycloak server in between the application and ADFS?

If I do need a server at the moment, are there any plans to change this during the merging of the two projects?

Thank you,

James.

From hmlnarik at redhat.com Mon Aug 14 01:00:22 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 14 Aug 2017 07:00:22 +0200
Subject: [keycloak-user] ADFS Support Without Keycloak Server
In-Reply-To:
References:
Message-ID:

Keycloak adapters are based on the SAML standard, similarly to what Picketlink was, so you should be fine here. Note that this configuration is not tested though.

Picketlink and Keycloak merged over two years ago. Hence there is no such plan ATM.

--Hynek

On Mon, Aug 14, 2017 at 6:00 AM, James . wrote:
> Hi,
>
> I've read the announcement that Picketlink and Keycloak are merging.
>
> We currently use Picketlink to SSO with AD FS. Is that still possible with Keycloak or do I need a Keycloak server in between the application and ADFS?
>
> If I do need a server at the moment, are there any plans to change this during the merging of the two projects?
>
> Thank you,
>
> James.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From mposolda at redhat.com Mon Aug 14 02:55:13 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Aug 2017 08:55:13 +0200
Subject: [keycloak-user] discovery and key security
In-Reply-To:
References:
Message-ID:

Those endpoints shouldn't contain any sensitive data. There are no "signing keys" themselves, there are just public keys, which client applications can download so they are able to verify access tokens. Also the endpoint locations provided by .well-known are public, but the endpoints themselves (e.g. token endpoint) are properly secured.

It's per OpenID Connect Discovery that this endpoint doesn't need to be secured. It's just needed that the endpoint uses HTTPS to avoid man-in-the-middle attacks where an attacker would trick the client application by returning incorrect endpoints or public keys.

Do you see anything concrete where exposing that information is a security risk?

Thanks,
Marek

On 10/08/17 11:18, Simon Payne wrote:
> Hi,
>
> I have found that .well-known and jwks_uri endpoints are left unsecured, meaning that unauthenticated clients can discover auth server configuration and signing keys.
>
> Surely we should require a minimum of basic authentication using client id and secret?
>
> thanks
>
> Simon.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From nick.pack at 6point6.co.uk Mon Aug 14 09:27:03 2017
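Marek's point above is that the discovery document and jwks_uri are public by design, and that what protects a client is HTTPS plus its own checks on what it receives: a wrong endpoint or a substituted public key only helps an attacker if the client acts on it blindly. The Python below is an added example, not code from the thread or from Keycloak, showing the client-side checks a relying party would apply: validate_discovery verifies that the issuer matches the value the client was configured with and that every endpoint, jwks_uri included, is HTTPS on the issuer's host; select_verification_key picks a key by kid from the JWKS and refuses anything that is not a pure public signing key. The issuer sso.example.test, the realm name and the JWK contents are constructed.

```python
"""Client-side checks on an OpenID Connect discovery document and JWKS.

Added example, not from the mailing list thread or the Keycloak code base.
Assumptions: a Keycloak-style issuer of the form
https://<host>/auth/realms/<realm>, and constructed sample documents in
place of anything fetched over the network.
"""
import json
from urllib.parse import urlparse

# Endpoint members a client might act on; any of them may be absent.
ENDPOINT_FIELDS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "end_session_endpoint", "introspection_endpoint",
)
# JWK members that only ever belong in a private key (RFC 7518).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}


def validate_discovery(doc_json, expected_issuer):
    """Return a list of problems with the document; [] means it passed.

    The document is public, so its trustworthiness rests on the issuer the
    client was configured with and on every referenced endpoint staying on
    that issuer over HTTPS.
    """
    try:
        doc = json.loads(doc_json)
    except json.JSONDecodeError:
        return ["discovery document is not JSON"]
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    issuer_host = urlparse(expected_issuer).netloc
    for field in ENDPOINT_FIELDS:
        value = doc.get(field)
        if value is None:
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {value}")
        if parsed.netloc != issuer_host:
            problems.append(f"{field} points at another host: {parsed.netloc}")
    return problems


def select_verification_key(jwks_json, kid):
    """Return the JWK with the given kid, or None if it is unusable.

    A key is unusable when it is not marked for signature use or when it
    carries private-key members: a JWKS endpoint must only ever publish
    public keys, so anything else is treated as misconfiguration.
    """
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("use", "sig") != "sig":
            return None
        if PRIVATE_JWK_MEMBERS.intersection(key):
            return None
        return key
    return None


ISSUER = "https://sso.example.test/auth/realms/demo"
# Constructed documents; the key material is a placeholder, not a real key.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
})
TAMPERED_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": "http://other.example.test/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": "placeholder-modulus", "e": "AQAB"},
]})
LEAKY_JWKS = json.dumps({"keys": [
    {"kid": "key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": "placeholder-modulus", "e": "AQAB", "d": "placeholder-private-exponent"},
]})


if __name__ == "__main__":
    print(validate_discovery(SAMPLE_DISCOVERY, ISSUER))
    print(validate_discovery(TAMPERED_DISCOVERY, ISSUER))
    print(select_verification_key(SAMPLE_JWKS, "key-1"))
    print(select_verification_key(LEAKY_JWKS, "key-1"))
```

The issuer comparison is exact string equality on purpose: the client must already know its issuer out of band, and a discovery document that claims a different one, or that sends the token or keys request anywhere else, is the situation HTTPS is meant to prevent, so the client should not proceed.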
From: nick.pack at 6point6.co.uk (Nikki Pack)
Date: Mon, 14 Aug 2017 14:27:03 +0100
Subject: [keycloak-user] Accessing authenticator context from a required action
Message-ID:

Hi All,

I am currently implementing a custom 2FA provider (SMS via AWS SNS). I have managed to get the authentication side of things behaving as expected, but I am struggling to work out the best way of implementing the required action for the registration side of things.

The main issue I face is that the authentication provider stores credentials for the SMS service provider, and I don't seem to be able to access the authenticator context from the required action class (not to mention the lack of configuration options for required actions). I am sure I am being stupid somewhere here.

https://github.com/nickpack/keycloak-sms-authenticator-sns/blob/develop/src/main/java/six/six/keycloak/authenticator/KeycloakSmsAuthenticator.java#L44

I basically need to be able to do this from the required action (you will see this is not implemented in that repo yet).

Thanks in advance for any help.

Regards,
Nick

From jimtyrrell at yahoo.com Mon Aug 14 10:32:10 2017
From: jimtyrrell at yahoo.com (Jim Tyrrell)
Date: Mon, 14 Aug 2017 14:32:10 +0000 (UTC)
Subject: [keycloak-user] Trying to get tomcat 8.0.x working.
References: <1028942651.1257739.1502721130738.ref@mail.yahoo.com>
Message-ID: <1028942651.1257739.1502721130738@mail.yahoo.com>

I follow the docs here: Tomcat 6, 7 and 8 Adapters | Keycloak Documentation

The setup for a valve, context, and securing a folder mostly makes sense as that just follows the normal tomcat security setup that has been there forever.

The one question is the setting BASIC or KEYCLOAK in [...] BASIC. KEYCLOAK seems to be used in other configs, however, it locks up the deployment of my application in Tomcat.

The big gap is the JSON config to drive this: Java Adapters Config | Keycloak Documentation

A lot of magic info is "injected" into this file. Where and how am I getting values that go into this file is fairly undocumented in the context of getting this working for Tomcat. Does a minimal version of this file exist?

The other gap is it seems I need to set up something around clients in the admin interface, but again the docs are thin. I do get to the point where I see an error "Invalid parameter: redirect_uri". Again I can't find any documentation around this and how do I get this all working in the context of Tomcat.

Does a top to bottom blog posting exist around Tomcat 8.0.x, about how to go about doing this? Do integration tests exist around Tomcat configuration to make this work?

Thanks in advance.

From michal.keda at studentagency.cz Mon Aug 14 11:22:57 2017
From: michal.keda at studentagency.cz (Michal Keda) Date: Mon, 14 Aug 2017 17:22:57 +0200 Subject: [keycloak-user] user panel everywhere - no automatic redirect Message-ID: <334a2039-b5ee-ef72-304a-ca204d91e053@studentagency.cz> Hello, I want to implement a simple panel showing information about the user logged into SSO. The catch is that I need this panel even on pages that should not redirect to the KC server when no user is logged in. This seems like basic behaviour for any homepage (show if the user is logged in, but do not force an immediate redirect if they aren't), but RefreshableKeycloakSecurityContext starts to pop up in my HttpServletRequest only after I access some protected page (specified in web.xml). So my question is (I guess..) whether it is possible to get the currently logged-in user on a page that is not protected by KC. I am using Tomcat 7, Java 8 (+Wicket). Best regards, Michal Keda -- Bc. Michal Keda, programmer, phone: +420 539 000 711, STUDENT AGENCY k.s., Dům pánů z Lipé, nám. Svobody 17, 602 00 Brno, info line: 800 100 300, fax: +420 539 000 540, www.studentagency.cz (BUSES | TRAINS | HOLIDAYS | FLIGHTS | LANGUAGE STAYS | WORK AND AU PAIR STAYS). STUDENT AGENCY: travel for everyone at every age. From sthorger at redhat.com Tue Aug 15 02:57:57 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 15 Aug 2017 08:57:57 +0200 Subject: [keycloak-user] user panel everywhere - no automatic redirect In-Reply-To: <334a2039-b5ee-ef72-304a-ca204d91e053@studentagency.cz> References: <334a2039-b5ee-ef72-304a-ca204d91e053@studentagency.cz> Message-ID: Wouldn't http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal() do the trick? On 14 August 2017 at 17:22, Michal Keda wrote: > Hello, > I want to implement a simple panel showing information about the user logged > into SSO. The catch is that I need this panel even on pages that should > not redirect to the KC server when no user is logged in. > > This seems like basic behaviour for any homepage (show if the user is logged > in, but do not force an immediate redirect if they aren't), but > RefreshableKeycloakSecurityContext starts to pop up in my > HttpServletRequest only after I access some protected page (specified in > web.xml). > > So my question is (I guess..) whether it is possible to get the currently logged-in > user on a page that is not protected by KC. > > I am using Tomcat 7, Java 8 (+Wicket) > > Best regards, > > Michal Keda > -- > Bc. Michal Keda, STUDENT AGENCY k.s. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From michal.keda at studentagency.cz Tue Aug 15 10:59:51 2017 
From: michal.keda at studentagency.cz (Michal Keda) Date: Tue, 15 Aug 2017 16:59:51 +0200 Subject: [keycloak-user] user panel everywhere - no automatic redirect In-Reply-To: <00232764-ba22-676e-e896-5626c761a282@studentagency.cz> References: <00232764-ba22-676e-e896-5626c761a282@studentagency.cz> Message-ID: Both Principal userPrincipal = httpServletRequest.getUserPrincipal(); and RefreshableKeycloakSecurityContext context = (RefreshableKeycloakSecurityContext) httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName()); are null when visiting the unprotected homepage, even if the user is logged in (directly in Keycloak), until I visit my protected page. Is this a configuration error? On 15.8.2017 at 8:57, Stian Thorgersen wrote: > Wouldn't > http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal() > > do the trick? > > On 14 August 2017 at 17:22, Michal Keda > wrote: > > Hello, > I want to implement a simple panel showing information about the user logged > into SSO. The catch is that I need this panel even on pages that > should > not redirect to the KC server when no user is logged in. > > This seems like basic behaviour for any homepage (show if the user is > logged > in, but do not force an immediate redirect if they aren't), but > RefreshableKeycloakSecurityContext starts to pop up in my > HttpServletRequest only after I access some protected page > (specified in > web.xml). > > So my question is (I guess..) whether it is possible to get the currently > logged-in > user on a page that is not protected by KC. > > I am using Tomcat 7, Java 8 (+Wicket) > > Best regards, > > Michal Keda > -- > > Bc. Michal Keda, STUDENT AGENCY k.s. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From sgrieger at grv.org.au Tue Aug 15 20:23:42 2017 From: sgrieger at grv.org.au (Stephan Grieger) Date: Wed, 16 Aug 2017 00:23:42 +0000 Subject: [keycloak-user] Both the access token and the refresh token have expired Message-ID: <346F87B1D0FFC8479ACE63BA3215758D79D58C@GRVExchange13.grv.local> I followed the example given at https://github.com/dylanplecki/KeycloakOwinAuthentication/wiki/ASP.NET-MVC-Tutorial and it works up until the part where you press the login button. I can navigate to the About page and I am taken to the login page. I enter the login name and password and press the login button and I get the error "Both the access token and the refresh token have expired". Does anyone know why this is and what the solution is? Thank you. From kuntalakrishna at gmail.com Wed Aug 16 05:31:32 2017 From: kuntalakrishna at gmail.com (Krishna Kuntala) Date: Wed, 16 Aug 2017 10:31:32 +0100 Subject: [keycloak-user] Keycloak evaluation Message-ID: Hi, We are evaluating the Keycloak product for our Identity management solution. Need to understand whether Keycloak supports the below features: 1. Send a "magic link" with verification email to let the user silently login. 2. An API which is capable of sending communication emails to the users. Thanks and Regards, KK From nick.pack at 6point6.co.uk Wed Aug 16 06:38:04 2017 
From: nick.pack at 6point6.co.uk (Nikki Pack) Date: Wed, 16 Aug 2017 11:38:04 +0100 Subject: [keycloak-user] Using credentials from another provider in an authenticator - failing second time around Message-ID: Hi All, I am currently developing an SMS based OTP solution. I've hit a strange issue which I cannot fathom, hence my asking here. I create a credential (which is the mobile number) in a required action, and then use it in an authenticator later on (this actually generates/sends the OTP). During registration this works as expected; if the user returns and logs in, the authenticator is failing due to not getting a value for the credential. Am I missing something really obvious here? Code is all here: https://github.com/nickpack/keycloak-sms-authenticator-sns/tree/develop/src/main/java/six/six/keycloak It is basically an adaptation of the 'secret-question' example and some code I found that somebody else had started on for a previous version of Keycloak. Thanks in advance, Nick From kuntalakrishna at gmail.com Wed Aug 16 08:02:29 2017 
From: kuntalakrishna at gmail.com (Krishna Kuntala) Date: Wed, 16 Aug 2017 13:02:29 +0100 Subject: [keycloak-user] Email verification redirect URL Message-ID: I am using REST APIs to communicate with Keycloak for sending the verification email (/send-verify-email?client_id=xxx&redirect_uri=application-url). This flow is working fine: when the user clicks on the verification link, the "Back to application" link redirects me to the intended "application-url". However, with the alternative flow, if the user does not click on this link and tries to login with his credentials, the user will be redirected to the Account verification page. This sends one more email to the user with the link embedded in it. This link does not have the provided/intended redirect_uri, i.e. application-url. Instead it has a redirect_uri to the default realm. I want to embed the same URI even in case another email is sent to the user for verification, which is not happening in this case. Thanks and Regards, KK From gaetancollaud at gmail.com Wed Aug 16 08:20:18 2017 
From: gaetancollaud at gmail.com (Gaétan Collaud) Date: Wed, 16 Aug 2017 12:20:18 +0000 Subject: [keycloak-user] Keycloak evaluation In-Reply-To: References: Message-ID: Hi, I'm new to Keycloak but I started developing some custom "extensions" so I may be able to answer you. 1. I don't think this is out of the box, but you can develop a custom "Authenticator" to log in using a token and include it in an email. I've done it for our company (the token part, not the email). 2. I don't think the goal of Keycloak is to send communications to users, so it may not be the best solution. I think it's best to export the users to a mailing list system. If you really want to use Keycloak you can develop your own API and use the provider EmailTemplateProvider.class to send emails. It's also easy to get the list of users using the UserStorageProvider. Hope it can help. Best regards, Gaétan On Wed, 16 Aug 2017 at 11:33, Krishna Kuntala wrote: > Hi, > > We are evaluating the Keycloak product for our Identity management solution. > Need to understand whether Keycloak supports the below features: > > 1. Send a "magic link" with verification email to let the user silently > login. > 2. An API which is capable of sending communication emails to the users. > > Thanks and Regards, > KK > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From pablo.fernandez at cscs.ch Wed Aug 16 08:41:15 2017 
From: pablo.fernandez at cscs.ch (Pablo Fernandez) Date: Wed, 16 Aug 2017 14:41:15 +0200 Subject: [keycloak-user] Restrict access from web app client Message-ID: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> Dear Keycloakers, I am (almost) new to Keycloak and having trouble, and I thought I should ask you after exhausting other options, so here I am. What I would like to find is a way to confine certain web apps (with a registered client in Keycloak) from accessing any other client that they are not supposed to. Specifically, I have an OIDC client named 'keystone' that handles all OpenStack authentication and another OIDC client 'simplewebapp' that is a webapp that I want to give access to 'keystone' while NOT giving access to any of the other clients (e.g. account, admin-cli, broker, etc.). Is there a way to do this? I thought about Scopes, but I see they are basically linked to Roles, which I think have nothing to do with what I am doing (I tried, though, creating new roles, but it seems to me they don't prevent anything from happening). If I have to use Scopes, then how? Is there a Role that I can use to deny - or exclusively grant - access to another client? I also tried changing the Default Policy in the 'keystone' Authorization tab to something like this (the opposite of what I wanted to do, to make it fail and see if I can use this mechanism), without success: --- // by default, grants any permission associated with this policy //$evaluation.grant(); var context = $evaluation.getContext(); var contextAttributes = context.getAttributes(); if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { $evaluation.deny(); } $evaluation.grant(); --- I googled and browsed and tried many different setting combinations without success, so I hope someone here could give me a hint. Thanks! Pablo Fernandez From simonpayne58 at gmail.com Wed Aug 16 09:20:34 2017 
From: simonpayne58 at gmail.com (Simon Payne) Date: Wed, 16 Aug 2017 14:20:34 +0100 Subject: [keycloak-user] Restrict access from web app client In-Reply-To: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> Message-ID: Pablo, I'm not sure whether this will be your solution directly, but I found out recently that the 'aud' claim in the token is to represent the audience. Now, when I used the spring-security-oauth client library I found that it validated the resourceId against this aud claim. I thought it an unnecessary constraint at the time, but maybe it could be used to restrict access by tokens which, although they may have the correct scope, have been issued to the incorrect or otherwise unknown client? Simon. On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez wrote: > Dear Keycloakers, > > I am (almost) new to Keycloak and having trouble, and I thought I should > ask you after exhausting other options, so here I am. > > What I would like to find is a way to confine certain web apps (with a > registered client in Keycloak) from accessing any other client that they are > not supposed to. Specifically, I have an OIDC client named 'keystone' > that handles all OpenStack authentication and another OIDC client > 'simplewebapp' that is a webapp that I want to give access to 'keystone' > while NOT giving access to any of the other clients (e.g. account, > admin-cli, broker, etc.) > > Is there a way to do this? > > I thought about Scopes, but I see they are basically linked to Roles, > which I think have nothing to do with what I am doing (I tried, though, > creating new roles, but it seems to me they don't prevent anything from > happening). If I have to use Scopes, then how? Is there a Role that I > can use to deny - or exclusively grant - access to another client? 
I > also tried changing the Default Policy in the 'keystone' Authorization tab > to something like this (the opposite of what I wanted to do, to make it > fail and see if I can use this mechanism), without success: > > --- > // by default, grants any permission associated with this policy > //$evaluation.grant(); > var context = $evaluation.getContext(); > var contextAttributes = context.getAttributes(); > if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { > $evaluation.deny(); > } > $evaluation.grant(); > --- > > I googled and browsed and tried many different setting combinations > without success, so I hope someone here could give me a hint. > > Thanks! > Pablo Fernandez > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From antoine.roux at esrf.fr Wed Aug 16 10:50:32 2017 From: antoine.roux at esrf.fr (Antoine Roux) Date: Wed, 16 Aug 2017 16:50:32 +0200 Subject: [keycloak-user] Import a 4096 bits PEM file in a SAML client Message-ID: <6d71a46e-c1db-ebdf-accf-aef620d5aee1@esrf.fr> Hello, Has anyone already imported a big public key in a SAML client? I'm trying to do it with a 4096-bit certificate (from https://auth.otc.t-systems.com/authui/saml/metadata.xml), but Keycloak rejects it with an error :( Apparently, in the database, the table is created with a limit of 2048 characters. The first time this limit appeared in the project was in 2014! https://github.com/keycloak/keycloak/commit/a1d1877751fa3698730d410237cd30bef5fe0db2#diff-1ad8ad74abf55edea2c4e84793fa348aR65 I opened an issue, but I'm wondering if there is a workaround... I can't believe no one imports such a certificate. https://issues.jboss.org/browse/KEYCLOAK-5303 See you, Antoine From Abhinav.Dwivedi at aeris.net Wed Aug 16 12:13:05 2017 
From: Abhinav.Dwivedi at aeris.net (Abhinav Dwivedi) Date: Wed, 16 Aug 2017 16:13:05 +0000 Subject: [keycloak-user] Keycloak HA issue References: Message-ID: Hi, Could you help me to fix one issue? I am using 2 containers of Keycloak in HA and one container of MySQL, and when I try to create a realm on one server it is not reflected on the other server until I restart the service of the second one. Could you help me please, asap. Regards Abhinav From hmlnarik at redhat.com Wed Aug 16 14:41:01 2017 
From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 16 Aug 2017 20:41:01 +0200 Subject: [keycloak-user] Email verification redirect URL In-Reply-To: References: Message-ID: What Keycloak version do you use? How does the user get to login in the alternative flow in the first place? The account verification continues in the flow to the application the user originally attempted to log in, or just states that the email has been verified for their account if the original application cannot be determined. On Wed, Aug 16, 2017 at 2:02 PM, Krishna Kuntala wrote: > I am using Rest APIs to communicate with Keycloak for sending verification > email (/send-verify-email?client_id=xxx&redirect_uri=application-url). This > flow is working fine when user clicks on verfication link, "Back to > application" link redirects me to intended "application-url". > > However with alternative flow, if the user does not click on this link and > tries to login with his credentials, the user will be redirected to Account > verification page. This sends one more email to the user with the link > embedded in it. This link does not have provided/intended redirect_uri i.e. > application-url. Instead it has redirect_uri to the default realm. > > I want to embed the same URI even in case another email is sent to the user > for verification which is not happening in this case. > > > Thanks and Regards, > KK > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From hmlnarik at redhat.com Wed Aug 16 14:41:33 2017 
From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 16 Aug 2017 20:41:33 +0200 Subject: [keycloak-user] Keycloak evaluation In-Reply-To: References: Message-ID: On Wed, Aug 16, 2017 at 2:20 PM, Gaétan Collaud wrote: > Hi, > > I'm new to Keycloak but I started developing some custom "extensions" so I > may be able to answer you. > > 1. I don't think this is out of the box, but you can develop a custom > "Authenticator" to log in using a token and include it in an email. I've done > it for our company (the token part, not the email). Since Keycloak 3.2.0, you can create a custom action token and its handler that would log in the user. You can check the documentation [1] and quickstarts [2] for further info. [1] https://github.com/keycloak/keycloak-documentation/blob/master/server_development/topics/action-token-spi.adoc [2] https://github.com/keycloak/keycloak-quickstarts/tree/master/action-token-authenticator > > 2. I don't think the goal of Keycloak is to send communications to users, > so it may not be the best solution. I think it's best to export the users > to a mailing list system. If you really want to use Keycloak you can > develop your own API and use the provider EmailTemplateProvider.class to > send emails. It's also easy to get the list of users using the > UserStorageProvider. > > Hope it can help > > Best regards, > > Gaétan > > On Wed, 16 Aug 2017 at 11:33, Krishna Kuntala wrote: > >> Hi, >> >> We are evaluating the Keycloak product for our Identity management solution. >> Need to understand whether Keycloak supports the below features: >> >> 1. Send a "magic link" with verification email to let the user silently >> login. >> 2. An API which is capable of sending communication emails to the users. 
>> >> Thanks and Regards, >> KK >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From Abhinav.Dwivedi at aeris.net Wed Aug 16 15:31:59 2017 From: Abhinav.Dwivedi at aeris.net (Abhinav Dwivedi) Date: Wed, 16 Aug 2017 19:31:59 +0000 Subject: [keycloak-user] Email verification redirect URL In-Reply-To: References: , Message-ID: I am using the latest Keycloak version. And I created the admin user from the add-user script on both server instances. Regards Abhinav Get Outlook for Android ________________________________ 
From: keycloak-user-bounces at lists.jboss.org on behalf of Hynek Mlnarik Sent: Thursday, August 17, 2017 12:11:01 AM To: Krishna Kuntala Cc: keycloak-user Subject: Re: [keycloak-user] Email verification redirect URL What Keycloak version do you use? How does the user get to login in the alternative flow in the first place? The account verification continues in the flow to the application the user originally attempted to log in, or just states that the email has been verified for their account if the original application cannot be determined. On Wed, Aug 16, 2017 at 2:02 PM, Krishna Kuntala wrote: > I am using Rest APIs to communicate with Keycloak for sending verification > email (/send-verify-email?client_id=xxx&redirect_uri=application-url). This > flow is working fine when user clicks on verfication link, "Back to > application" link redirects me to intended "application-url". > > However with alternative flow, if the user does not click on this link and > tries to login with his credentials, the user will be redirected to Account > verification page. This sends one more email to the user with the link > embedded in it. This link does not have provided/intended redirect_uri i.e. > application-url. Instead it has redirect_uri to the default realm. > > I want to embed the same URI even in case another email is sent to the user > for verification which is not happening in this case. > > > Thanks and Regards, > KK > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From adam.keily at adelaide.edu.au Wed Aug 16 21:39:45 2017 
From: adam.keily at adelaide.edu.au (Adam Keily) Date: Thu, 17 Aug 2017 01:39:45 +0000 Subject: [keycloak-user] User federation email verification Message-ID: Hi all, Using rhsso7.1. I've configured a realm to federate users from LDAP (several thousand existing corporate accounts) and allow registration of external users to the realm. The realm is configured to verify email. I only want users who register using a form or social IdP to have to verify their email though. With the realm setting 'Verify Email=On', it is prompting my LDAP users to verify their corporate email the first time they login. Is there a simple way to prevent LDAP federated users from having to verify their email address whilst still enforcing verification for registered accounts. With social IdP's I can set them to trust email but is there a way to do something similar with ldap federation users? Or would I need to build a custom user federation spi? Thanks Adam -- Adam Keily Identity and Access Management Specialist Security and Architecture The University of Adelaide Phone: +61883139112 Mobile: +61438898513 adam.keily at adelaide.edu.au CRICOS Provider Number 00123M ----------------------------------------------------------- IMPORTANT: This message may contain confidential or legally privileged information. If you think it was sent to you by mistake, please delete all copies and advise the sender. For the purposes of the SPAM Act 2003, this email is authorised by The University of Adelaide. From bburke at redhat.com Wed Aug 16 23:08:40 2017 
From: bburke at redhat.com (Bill Burke) Date: Wed, 16 Aug 2017 23:08:40 -0400 Subject: [keycloak-user] User federation email verification In-Reply-To: References: Message-ID: <77209938-637d-6661-d813-63d216475a68@redhat.com> We don't have a way to toggle email validation per user federation provider. I think there are two options for you: 1) Write an LDAPStorageMapper that hardcodes verify email to true on import from ldap. Plug that in and configure it 2) Turn off realm email validation. Turn on email validation for social providers. Write an extension to the Registration flow to perform email validation. On 8/16/17 9:39 PM, Adam Keily wrote: > Hi all, > > Using rhsso7.1. I've configured a realm to federate users from LDAP (several thousand existing corporate accounts) and allow registration of external users to the realm. > > The realm is configured to verify email. I only want users who register using a form or social IdP to have to verify their email though. With the realm setting 'Verify Email=On', it is prompting my LDAP users to verify their corporate email the first time they login. > > Is there a simple way to prevent LDAP federated users from having to verify their email address whilst still enforcing verification for registered accounts. With social IdP's I can set them to trust email but is there a way to do something similar with ldap federation users? Or would I need to build a custom user federation spi? > > Thanks > Adam > > -- > Adam Keily > Identity and Access Management Specialist > Security and Architecture > The University of Adelaide > Phone: +61883139112 > Mobile: +61438898513 > adam.keily at adelaide.edu.au > > CRICOS Provider Number 00123M > ----------------------------------------------------------- > IMPORTANT: This message may contain confidential or legally privileged information. If you think it was sent to you by mistake, please delete all copies and advise the sender. 
For the purposes of the SPAM Act 2003, this email is authorised by The University of Adelaide. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From pablo.fernandez at cscs.ch Thu Aug 17 02:36:28 2017 
From: pablo.fernandez at cscs.ch (Pablo Fernandez) Date: Thu, 17 Aug 2017 08:36:28 +0200 Subject: [keycloak-user] Restrict access from web app client In-Reply-To: References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> Message-ID: <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> Dear Simon, Thanks for your reply. I am not quite sure your proposal would work in our case (or maybe I don't understand it): do you mean that the client will ask for a specific audience to be put inside the token, and that the other service providers would have to check that the claim is targeted at the right audience? That creates a big overhead if you have many SPs, which we do. And anyway, how can you limit a certain client to be issued tokens of a certain audience within Keycloak? And furthermore, how can I limit the access to the /accounts API on Keycloak for a token given to certain clients? It would be great to have a mechanism inside Keycloak to limit the scopes of the various clients directly, without extra work on the clients or the SPs. Am I assuming something that is wrong? What is the Authorization tab (and/or the Scopes one) for? Thanks a lot again, BR/Pablo On 16/08/17 15:20, Simon Payne wrote: > Pablo, > > I'm not sure whether this will be your solution directly, but I found out > recently that the 'aud' claim in the token is to represent the audience. > Now, when I used the spring-security-oauth client library I found that it > validated the resourceId against this aud claim. > > I thought it an unnecessary constraint at the time, but maybe it could be > used to restrict access by tokens which, although they may have the correct > scope, have been issued to the incorrect or otherwise unknown client? > > Simon. > > On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez > wrote: > >> Dear Keycloakers, >> >> I am (almost) new to Keycloak and having trouble, and I thought I should >> ask you after exhausting other options, so here I am. 
>> >> What I would like to find is a way to confine certain web apps (with a >> registered client in Keycloak) from accessing any other client that is >> not supposed to. Specifically, I have an oidc client named 'keystone' >> that handles all OpenStack authentication and another oidc client >> 'simplewebapp' that is a webapp that I want to give access to 'keystone' >> while NOT giving access to any of the other clients (e.g. account, >> admin-cli, broker, etc.) >> >> Is there a way to do this? >> >> I thought about Scopes, but I see they are basically linked to Roles >> that I think have nothing to do with what I am doing (I tried, though >> creating new roles but it seems to me they don't prevent anything from >> happening). If I have to use Scopes, then how? Is there a Role that I >> can use to deny - or exclusively grant - access to another client? I >> also tried changing the Default Policy in 'keystone' Authorization tab >> to something like this (the opposite of what I wanted to do, to make it >> fail and see if I can use this mechanism), without success: >> >> --- >> // by default, grants any permission associated with this policy >> //$evaluation.grant(); >> var context = $evaluation.getContext(); >> var contextAttributes = context.getAttributes(); >> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { >> $evaluation.deny(); >> } >> $evaluation.grant(); >> --- >> >> I googled and browsed and tried many different setting combinations >> without success, so I hope someone here could give me a hint. >> >> Thanks! >> Pablo Fernandez >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Abhinav.Dwivedi at aeris.net Thu Aug 17 02:44:17 2017 
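An added example, not code from this thread, from Keycloak or from any of its adapters: the service-provider side of the 'aud' check Simon describes, written so that a resource server such as Pablo's 'keystone' accepts only tokens minted for it and, optionally, only tokens issued to an allow-listed client (the OIDC 'azp', authorized party, claim that Keycloak includes in its access tokens). Assumptions are mine and not the page's: the tokens are HS256-signed with a constructed shared secret so that the example runs offline, whereas Keycloak signs access tokens with the realm's RSA key, so a production verifier checks RS256 against the realm public key instead; the issuer URL, the secret and all claims are constructed sample data. The example shows only what the SP checks; it does not show how Keycloak decides which audience goes into a given client's token.

```python
"""Added example (not Keycloak code): a resource server deciding whether an
access token was actually issued *for it*, using the JWT 'aud' claim and the
OIDC 'azp' (authorized party) claim.

Assumptions (constructed for this example, not taken from the thread):
- HS256 with a shared secret stands in for Keycloak's RS256 realm key;
- ISSUER, SECRET and every claim below are made-up sample data.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

ISSUER = "https://sso.example.org/auth/realms/demo"      # constructed
SECRET = b"constructed-shared-secret-for-the-example"    # constructed


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(aud, azp: str, secret: bytes = SECRET, exp: int = 2_000_000_000) -> str:
    """Mint a test token the way an issuer would. 'aud' may be a string or a list,
    'azp' names the client the token was issued to (e.g. 'simplewebapp')."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"iss": ISSUER, "aud": aud, "azp": azp, "exp": exp, "sub": "user-1"}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, my_client_id: str, allowed_azp: Optional[Iterable[str]] = None,
                 secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid for *this* resource server, else raise ValueError.

    Order matters: check the signature before trusting any claim, pin the issuer,
    reject expired tokens, and only then enforce audience and authorized party.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if my_client_id not in audiences:         # the token was not minted for us
        raise ValueError(f"audience {audiences} does not include {my_client_id}")
    if allowed_azp is not None and claims.get("azp") not in set(allowed_azp):
        raise ValueError(f"client {claims.get('azp')!r} may not call {my_client_id}")
    return claims


def accepted(token: str, my_client_id: str, allowed_azp=None, now: float = 1_600_000_000) -> bool:
    """Boolean wrapper: does this resource server accept the token? (fixed clock for determinism)"""
    try:
        verify_token(token, my_client_id, allowed_azp, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = issue_token("keystone", "simplewebapp")
    print("keystone accepts a token minted for it and issued to simplewebapp:",
          accepted(t, "keystone", {"simplewebapp"}))
    print("the account service rejects that same token (wrong audience):",
          accepted(t, "account"))
    print("keystone rejects a token issued to admin-cli (azp not allow-listed):",
          accepted(issue_token("keystone", "admin-cli"), "keystone", {"simplewebapp"}))
```

The two checks do different jobs: 'aud' says who the token is for (so a token meant for keystone is useless against the account API even if it carries the right roles), while 'azp' says which client obtained it (so keystone can refuse tokens that simplewebapp did not request). Both are cheap per-request checks in the SP, and each SP must do its own; nothing in the token stops an SP that skips them.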
From: Abhinav.Dwivedi at aeris.net (Abhinav Dwivedi) Date: Thu, 17 Aug 2017 06:44:17 +0000 Subject: [keycloak-user] Restrict access from web app client In-Reply-To: <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> Message-ID: Team, I am having an issue with Keycloak HA with MySQL. I have configured 2 Keycloak Docker instances and one MySQL instance, and created the admin user from the add-user script in Keycloak on both instances. So when I create a realm on one instance it is not reflected on the other until I restart the other one. But when I delete the realm it is deleted on both in real time. Could anyone help me on this? It's a little urgent. Regards Abhinav D -----Original Message----- 
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pablo Fernandez Sent: Thursday, August 17, 2017 12:06 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Restrict access from web app client Dear Simon, Thanks for your reply. I am not quite sure your proposal would work in our case (or maybe I don't understand it): do you mean that the client will ask for a specific audience to be put inside the token, and that the other service providers would have to check that the claim is targeted at the right audience? That creates a big overhead if you have many SPs, which we do. And anyway, how can you limit a certain client to be issued tokens of a certain audience within Keycloak? And furthermore, how can I limit the access to the /accounts API on Keycloak for a token given to certain clients? It would be great to have a mechanism inside Keycloak to limit the scopes of the various clients directly, without extra work on the clients or the SPs. Am I assuming something that is wrong? What is the Authorization tab (and/or the Scopes one) for? Thanks a lot again, BR/Pablo On 16/08/17 15:20, Simon Payne wrote: > Pablo, > > I'm not sure whether this will be your solution directly, but I found > out recently that the 'aud' claim in the token is to represent the audience. > Now, when I used the spring-security-oauth client library I found that > it validated the resourceId against this aud claim. > > I thought it an unnecessary constraint at the time, but maybe it could > be used to restrict access by tokens which, although they may have the > correct scope, have been issued to the incorrect or otherwise unknown client? > > Simon. > > On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez > > wrote: > >> Dear Keycloakers, >> >> I am (almost) new to Keycloak and having trouble, and I thought I >> should ask you after exhausting other options, so here I am. 
>> >> What I would like to find is a way to confine certain web apps (with >> a registered client in Keycloak) from accessing any other client that >> is not supposed to. Specifically, I have an oidc client named 'keystone' >> that handles all OpenStack authentication and another oidc client >> 'simplewebapp' that is a webapp that I want to give access to 'keystone' >> while NOT giving access to any of the other clients (e.g. account, >> admin-cli, broker, etc.) >> >> Is there a way to do this? >> >> I thought about Scopes, but I see they are basically linked to Roles >> that I think have nothing to do with what I am doing (I tried, though >> creating new roles but it seems to me they don't prevent anything >> from happening). If I have to use Scopes, then how? Is there a Role >> that I can use to deny - or exclusively grant - access to another >> client? I also tried changing the Default Policy in 'keystone' >> Authorization tab to something like this (the opposite of what I >> wanted to do, to make it fail and see if I can use this mechanism), without success: >> >> --- >> // by default, grants any permission associated with this policy >> //$evaluation.grant(); var context = $evaluation.getContext(); var >> contextAttributes = context.getAttributes(); if >> (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { >> $evaluation.deny(); >> } >> $evaluation.grant(); >> --- >> >> I googled and browsed and tried many different setting combinations >> without success, so I hope someone here could give me a hint. >> >> Thanks! 
>> Pablo Fernandez >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Aug 17 03:16:58 2017 
From: mposolda at redhat.com (Marek Posolda) Date: Thu, 17 Aug 2017 09:16:58 +0200 Subject: [keycloak-user] Both the access token and the refresh token have expired In-Reply-To: <346F87B1D0FFC8479ACE63BA3215758D79D58C@GRVExchange13.grv.local> References: <346F87B1D0FFC8479ACE63BA3215758D79D58C@GRVExchange13.grv.local> Message-ID: <6bddfc06-b004-10e3-0b6d-7568014f0673@redhat.com> This example is not created, maintained and supported by Keycloak team. You would need to contact the original author of the example. I suppose the message "Both the access token and the refresh token have expired" is thrown from the example itself, not from Keycloak? If you rather want to check official examples, Keycloak has quickstarts and bunch of examples in the keycloak-examples distribution. Marek On 16/08/17 02:23, Stephan Grieger wrote: > I followed the example given at https://github.com/dylanplecki/KeycloakOwinAuthentication/wiki/ASP.NET-MVC-Tutorial and it works up until the part where you press the login button. > > I can navigate to the About page and I am taken to the login page. I enter the login name and password and press the login button and I get the error "Both the access token and the refresh token have expired". > > Does anyone know why this is and what the solution is? > > Thank you. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Aug 17 03:30:56 2017 
From: mposolda at redhat.com (Marek Posolda) Date: Thu, 17 Aug 2017 09:30:56 +0200 Subject: [keycloak-user] user panel everywhere - no automatic redirect In-Reply-To: References: <00232764-ba22-676e-e896-5626c761a282@studentagency.cz> Message-ID: <3e0929d6-7780-c0f0-c112-4605014736b6@redhat.com> Hi Michal, Nice to see a Brno guy from StudentAgency using Keycloak :) I suppose you're using the servlet adapter? The servlet spec actually enforces security based on the URL request path declared in web.xml, which is not ideal for some applications though. However there are ways to solve this somehow. A few things: - OpenID Connect has support for the "prompt=none" feature and Keycloak supports it. In short, it allows the application to redirect to Keycloak, and Keycloak will never display the login screen. In case the user is not already logged in, it directly redirects back to the app with an error. If he is logged in, it redirects back to the app with success. - So you can perhaps do something like this: at the beginning, try to visit http://yourhost/yourapp/secured?prompt=none . In case the user is not logged in, you will receive an error from KC and hence you can redirect your app to http://yourhost/yourapp/unsecured and display that the user is not yet logged in. Otherwise the user is logged in. - Once the user clicks "login" you just redirect to http://yourhost/yourapp/secured, which will enforce displaying the login screen on the Keycloak side. - If the approach above is too quirky, you can perhaps achieve it some other way if the user is already logged in. Maybe use an iframe talking to Keycloak? We have some support for the session iframe in the keycloak.js adapter OOTB; in the servlet adapter there is no support OOTB, but I think you should be able to use it from your app. This may be a bit harder to set up though, but likely doable.
Marek On 15/08/17 16:59, Michal Keda wrote: > Both > > Principal userPrincipal = httpServletRequest.getUserPrincipal(); > RefreshableKeycloakSecurityContext context = > (RefreshableKeycloakSecurityContext) > httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName()); > > are null when visiting the unprotected homepage, even if the user is logged in > (directly in keycloak) until I visit my protected page. > > Is this a configuration error? > > On 15.8.2017 at 8:57 Stian Thorgersen wrote: >> Wouldn't >> http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal() >> >> do the trick? >> >> On 14 August 2017 at 17:22, Michal Keda > > wrote: >> >> Hello, >> I want to implement a simple panel showing information about the user logged >> into sso. The catch is that I need this panel even on pages that >> should >> not redirect to the KC server when no user is logged in. >> >> This seems like basic behaviour for any homepage (show if the user is >> logged >> in, but do not force an immediate redirect if he isn't), but >> RefreshableKeycloakSecurityContext starts to pop up in my >> HttpServletRequest only after I access some protected page >> (specified in >> web.xml). >> >> So my question is (I guess..) if it is possible to get the currently >> logged-in >> user on a page that is not protected by KC. >> >> I am using tomcat 7, java 8 (+wicket) >> >> Best regards, >> >> Michal Keda >> -- >> >> Bc. Michal Keda >> programmer >> >> phone: +420 539 000 711 >> >> BUSES | > > TRAINS | >> HOLIDAYS | >> FLIGHTS >> | > > LANGUAGE STAYS | >> > >> WORK AND AU PAIR STAYS >> > >> STUDENT AGENCY k.s. >> Dům pánů z Lipé, nám. Svobody 17 >> 602 00 Brno info line: 800 100 300 >> fax: +420 539 000 540 >> *www.studentagency.cz * >> >> STUDENT AGENCY: travel for everyone, at every age.
>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From M.Leuthold at prosoz.de Thu Aug 17 04:06:20 2017 From: M.Leuthold at prosoz.de (Leuthold, Michael) Date: Thu, 17 Aug 2017 08:06:20 +0000 Subject: [keycloak-user] js-Adapter, SPA and Browser History Message-ID: Hello, we are using keycloak-js 3.0.0 to provide SSO over a couple of SPAs written in Angular using onLoad: 'login-required'. This basically works; however, every time we switch between applications we see history entries for the initial request, which makes the browser back button essentially useless when trying to navigate back. To reproduce this simply: accessing an application from a blank page with no history leaves us with one history entry to that very same application. Can anybody confirm this or report the opposite? Thanks, Michael PROSOZ Herten Softwareentwicklungs- und Beratungsgesellschaft für Gemeinden, Städte und Kreise mbH * Managing directors: Horst Stoffner, Petra Hertel * Chairman of the supervisory board: Wolfgang Kumpf * Registered office: Herten * Register court: AG Recklinghausen, registration number HRB 3307. This e-mail contains confidential information and is intended exclusively for the addressee. If you have received this e-mail in error, please inform us at info at prosoz.de or at the telephone number given above, and delete this e-mail from your system. Please note that forwarding, copying and any other unauthorised use of this e-mail are prohibited. From kuntalakrishna at gmail.com Thu Aug 17 05:14:47 2017
From: kuntalakrishna at gmail.com (Krishna Kuntala) Date: Thu, 17 Aug 2017 10:14:47 +0100 Subject: [keycloak-user] Email verification redirect URL In-Reply-To: References: Message-ID: Hi Hynek, I am using the 2.5.0.Final version of Keycloak. As I am testing it, I know the URL for the client. When I hit that URL, I am redirected to the login page. I can enter the newly created credentials (this email is not yet verified), which redirects me to the "Verify your email" page and sends one more email with the link. On clicking this link, it successfully verifies the email, but "Back to Application" points to a different link (the redirect_uri is different in this link). Thanks and Regards, KK On Wed, Aug 16, 2017 at 7:41 PM, Hynek Mlnarik wrote: > What Keycloak version do you use? > > How does the user get to login in the alternative flow in the first > place? The account verification continues in the flow to the > application the user originally attempted to log in, or just states > that the email has been verified for their account if the original > application cannot be determined. > > On Wed, Aug 16, 2017 at 2:02 PM, Krishna Kuntala > wrote: > > I am using Rest APIs to communicate with Keycloak for sending > verification > > email (/send-verify-email?client_id=xxx&redirect_uri=application-url). > This > > flow is working fine when user clicks on verification link, "Back to > > application" link redirects me to intended "application-url". > > > > However with alternative flow, if the user does not click on this link > and > > tries to login with his credentials, the user will be redirected to > Account > > verification page. This sends one more email to the user with the link > > embedded in it. This link does not have provided/intended redirect_uri > i.e. > > application-url. Instead it has redirect_uri to the default realm. > > > > I want to embed the same URI even in case another email is sent to the > user > > for verification which is not happening in this case.
> > > > Thanks and Regards, > > KK > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > --Hynek > From sthorger at redhat.com Thu Aug 17 07:29:49 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 17 Aug 2017 13:29:49 +0200 Subject: [keycloak-user] May need to drop OpenShift v2 cartridge Message-ID: Our OpenShift v2 cartridge [1] is based on the WildFly cartridge [2]. We have a problem now as Keycloak 3.3 will be based on WildFly 11, while the WildFly cartridge hasn't been updated (and probably won't be) to WildFly 11. So we may need to drop OpenShift v2 support unless someone is willing to work on it. [1] https://github.com/keycloak/openshift-keycloak-cartridge [2] https://github.com/openshift-cartridges/openshift-wildfly-cartridge From ionut.culda at lola.tech Thu Aug 17 07:55:58 2017 From: ionut.culda at lola.tech (Ionut Culda) Date: Thu, 17 Aug 2017 14:55:58 +0300 Subject: [keycloak-user] Master Realm Disabled Message-ID: <58E95B6A-59C8-42B9-BF74-135D1C183BB4@lola.tech> Hello, I have disabled the master realm of keycloak and I didn't find any way to re-enable it. Is there any possibility to re-enable it? Thank you From simonpayne58 at gmail.com Thu Aug 17 11:05:12 2017
From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 17 Aug 2017 16:05:12 +0100 Subject: [keycloak-user] Restrict access from web app client In-Reply-To: <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> Message-ID: Hi, I'm not sure I follow your use case then. I read your question to mean 'how to restrict a resource server to only validating tokens requested by white-listed clients.' The audience in Keycloak defaults to the client id if not specified; you can override this to whatever you want by adding to the mappers tab. Re-reading your email, however, it sounds like scope or roles might be your solution. After adding the roles to either the user or the service account, you then need to add the relevant authorization to each client in the property file, mapping the resource to the role required, e.g. (Spring Boot):

keycloak.realm = master
keycloak.auth-server-url = xxxxx
keycloak.ssl-required = external
keycloak.resource = xxxxxx
keycloak.credentials.secret=xxxxxx
keycloak.bearer-only= true

keycloak.security-constraints[0].authRoles[0] = user
keycloak.security-constraints[0].securityCollections[0].name = resources
keycloak.security-constraints[0].securityCollections[0].patterns[0] = /*

keycloak.security-constraints[1].authRoles[0] = super_user
keycloak.security-constraints[1].securityCollections[0].name = secure resources
keycloak.security-constraints[1].securityCollections[0].patterns[0] = /products

Alternatively you can make use of the authorization services to achieve the same thing, but you must enable it at the client by using keycloak.policy-enforcer-config.enforcement-mode=ENFORCING. I noticed that before the auth services would work I also had to include client-side mapping of the minimum level of authorization. Hope this helps, Simon. On Thu, Aug 17, 2017 at 7:36 AM, Pablo Fernandez wrote: > Dear Simon, > > Thanks for your reply.
> > I am not quite sure your proposal would work in our case (or maybe I > don't understand it): do you mean that the client will ask for a > specific audience to be put inside the token, and that the other service > providers would have to check that the claim is targeted against the > right audience? That creates a big overhead if you have many SPs, which > we do. And anyway, how can you limit a certain client to be issued token > of a certain audience within Keycloak? And furthermore, how can I limit > the access to the /accounts API on Keycloak for a token given to certain > clients? > > It would be great to have a mechanism inside Keycloak to limit the > scopes of the various clients directly, without extra work on the > clients or the SPs. Am I assuming something that is wrong? What is the > Authorization tab (and/or the Scopes one) for? > > Thanks a lot again, > BR/Pablo > > > On 16/08/17 15:20, Simon Payne wrote: > > Pablo, > > > > i'm not sure whether this will be your solution directly, but i found out > > recently that the 'aud' claim in the token is to represent the audience. > > Now, when i used the spring-security-oauth client library i found that it > > validated the resourceId against this aud claim. > > > > i thought it an unnecessary constraint at the time, but maybe it could be > > used to restrict access by tokens, which although may have the correct > > scope, have been issued to the incorrect or otherwise unknown client? > > > > Simon. > > > > On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez < > pablo.fernandez at cscs.ch> > > wrote: > > > >> Dear Keycloakers, > >> > >> I am (almost) new to Keycloak and having trouble, and I thought I should > >> ask you after exhausting other options, so here I am. > >> > >> What I would like to find is a way to confine certain web apps (with a > >> registered client in Keycloak) from accessing any other client that is > >> not supposed to. 
Specifically, I have an oidc client named 'keystone' > >> that handles all OpenStack authentication and another oidc client > >> 'simplewebapp' that is a webapp that I want to give access to 'keystone' > >> while NOT giving access to any of the other clients (e.g. account, > >> admin-cli, broker, etc.) > >> > >> Is there a way to do this? > >> > >> I thought about Scopes, but I see they are basically linked to Roles > >> that I think have nothing to do with what I am doing (I tried, though > >> creating new roles but it seems to me they don't prevent anything from > >> happening). If I have to use Scopes, then how? Is there a Role that I > >> can use to deny - or exclusively grant - access to another client? I > >> also tried changing the Default Policy in 'keystone' Authorization tab > >> to something like this (the opposite of what I wanted to do, to make it > >> fail and see if I can use this mechanism), without success: > >> > >> --- > >> // by default, grants any permission associated with this policy > >> //$evaluation.grant(); > >> var context = $evaluation.getContext(); > >> var contextAttributes = context.getAttributes(); > >> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { > >> $evaluation.deny(); > >> } > >> $evaluation.grant(); > >> --- > >> > >> I googled and browsed and tried many different setting combinations > >> without success, so I hope someone here could give me a hint. > >> > >> Thanks! 
> >> Pablo Fernandez > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Stepan.Vanecek at finnova.com Thu Aug 17 12:02:12 2017 From: Stepan.Vanecek at finnova.com (Vanecek Stepan) Date: Thu, 17 Aug 2017 16:02:12 +0000 Subject: [keycloak-user] Initial configuration Message-ID: <51096367-13D2-4B74-BCF3-48BB605F2578@finnova.com> Hello everyone, we are trying to automate the initial configuration of Keycloak (realm creation, ...). We would like to use KeycloakSession for that. At the moment, it is available in class MyEventListenerProvider that defines our Event Listener SPI's onEvent methods. Is it possible to use this KeycloakSession outside of that class as well? For example, we thought of running a separate thread in MyEventListenerProviderFactory in the init function that would sleep until Keycloak is up and then perform the initial configuration with KeycloakSession. If so, how? If not, is there any other possibility? Thank you very much in advance. Kind regards, Stepan Vanecek From sthorger at redhat.com Fri Aug 18 01:26:24 2017
From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Aug 2017 07:26:24 +0200 Subject: [keycloak-user] Master Realm Disabled In-Reply-To: <58E95B6A-59C8-42B9-BF74-135D1C183BB4@lola.tech> References: <58E95B6A-59C8-42B9-BF74-135D1C183BB4@lola.tech> Message-ID: Ouch. You'll have to enable it directly in the database. On 17 August 2017 at 13:55, Ionut Culda wrote: > Hello, > I have disabled the master realm of keycloak and I didn't find any way to re- > enable it. Is there any possibility to re-enable it? > Thank you > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From gaetancollaud at gmail.com Fri Aug 18 02:32:34 2017
From: gaetancollaud at gmail.com (Gaétan Collaud) Date: Fri, 18 Aug 2017 06:32:34 +0000 Subject: [keycloak-user] Initial configuration In-Reply-To: <51096367-13D2-4B74-BCF3-48BB605F2578@finnova.com> References: <51096367-13D2-4B74-BCF3-48BB605F2578@finnova.com> Message-ID: Hi, This question interests me as well. For now I do an export, and when I have to create a new keycloak instance I create the realm from the export that I made. I use docker to create a keycloak image with my custom providers. The only thing that is missing is the configuration at the first startup (that has to be done manually). Best regards, Gaetan On Thu, 17 Aug 2017 at 18:39, Vanecek Stepan wrote: > Hello everyone, > > we are trying to automate the initial configuration of Keycloak (realm > creation, ...). We would like to use KeycloakSession for that. At the > moment, it is available in class MyEventListenerProvider that defines our > Event Listener SPI's onEvent methods. > > Is it possible to use this KeycloakSession outside of that class as well? > For example, we thought of running a separate thread in > MyEventListenerProviderFactory in the init function that would sleep until > keycloak is up and then perform the initial configuration with > KeycloakSession. If so, how? If not, is there any other possibility? > > Thank you very much in advance. > > Kind regards, > Stepan Vanecek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From pablo.fernandez at cscs.ch Fri Aug 18 05:00:46 2017
From: pablo.fernandez at cscs.ch (Pablo Fernandez) Date: Fri, 18 Aug 2017 11:00:46 +0200 Subject: [keycloak-user] Restrict access from web app client In-Reply-To: References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> Message-ID: Thanks Simon, Yes, I think we're getting closer. To avoid confusion, let me rename the originating client "A" and the resource client "B". Answer in-line: On 17/08/17 17:05, Simon Payne wrote: > Hi, i'm not sure i follow your use case then. I read your question to mean > 'how to restrict a resource server to only validating a token to tokens > requested by white listed clients.' It's almost right, but just inside Keycloak (so, without touching the client A itself or the resource server behind client B.) > audience is keycloak defaults to the client id if not specified. you can > override this to whatever you want by adding to the mappers tab. I was taking a look at the different types of Mappers for client A and did not find one for the audience. What kind of mapper should one use? Hardcoded claim? Then, the claim should be called 'aud', right? (I am doing everything through the web interface, btw) But then, if I do it this way, I will have to change each resource server, right? > re-reading your email however, it sounds like scope or roles might be your > solution. after adding the roles to either the user or service account I could add the role to the client A without using service accounts, right? > then you need to add the relevant authorization to each client in the > property file, mapping the resource to the role required. e.g. 
(Spring Boot)
>
> keycloak.realm = master
> keycloak.auth-server-url = xxxxx
> keycloak.ssl-required = external
> keycloak.resource = xxxxxx
> keycloak.credentials.secret=xxxxxx
> keycloak.bearer-only= true
>
> keycloak.security-constraints[0].authRoles[0] = user
> keycloak.security-constraints[0].securityCollections[0].name = resources
> keycloak.security-constraints[0].securityCollections[0].patterns[0] = /*
>
> keycloak.security-constraints[1].authRoles[0] = super_user
> keycloak.security-constraints[1].securityCollections[0].name = secure resources
> keycloak.security-constraints[1].securityCollections[0].patterns[0] = /products

I understand you are referring to client B, right? Anyway, I don't find anywhere to change the property file from the web gui. I tried creating a new "auth-scope" in the Authorization section of client B, assigned it to the Default Resource, assigned them all to the Default Permission and all to the Default Policy (the one I defined with JS as for my first email: if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { $evaluation.deny(); } (BTW simplewebapp is client A) No luck :( am I doing something wrong? (I did not force any role on client A, and policy is set to Enforcing) > Alternatively you can make use of the authorization services to achieve the > same thing, but must enable at the client by using > keycloak.policy-enforcer-config.enforcement-mode=ENFORCING I noticed that > before the auth services would work i also had to include client side > mapping of the minimum level of authorization. I guess here you are also speaking about client B, right? I did not understand what you mean by client-side mapping of the minimum level of authorization. What client mapping? Are there levels of authorization? Thanks a lot for your help! BR/Pablo > > > Hope this helps, > > Simon. > > > > > > > On Thu, Aug 17, 2017 at 7:36 AM, Pablo Fernandez > wrote: > >> Dear Simon, >> >> Thanks for your reply.
>> >> I am not quite sure your proposal would work in our case (or maybe I >> don't understand it): do you mean that the client will ask for a >> specific audience to be put inside the token, and that the other service >> providers would have to check that the claim is targeted against the >> right audience? That creates a big overhead if you have many SPs, which >> we do. And anyway, how can you limit a certain client to be issued token >> of a certain audience within Keycloak? And furthermore, how can I limit >> the access to the /accounts API on Keycloak for a token given to certain >> clients? >> >> It would be great to have a mechanism inside Keycloak to limit the >> scopes of the various clients directly, without extra work on the >> clients or the SPs. Am I assuming something that is wrong? What is the >> Authorization tab (and/or the Scopes one) for? >> >> Thanks a lot again, >> BR/Pablo >> >> >> On 16/08/17 15:20, Simon Payne wrote: >>> Pablo, >>> >>> i'm not sure whether this will be your solution directly, but i found out >>> recently that the 'aud' claim in the token is to represent the audience. >>> Now, when i used the spring-security-oauth client library i found that it >>> validated the resourceId against this aud claim. >>> >>> i thought it an unnecessary constraint at the time, but maybe it could be >>> used to restrict access by tokens, which although may have the correct >>> scope, have been issued to the incorrect or otherwise unknown client? >>> >>> Simon. >>> >>> On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez < >> pablo.fernandez at cscs.ch> >>> wrote: >>> >>>> Dear Keycloakers, >>>> >>>> I am (almost) new to Keycloak and having trouble, and I thought I should >>>> ask you after exhausting other options, so here I am. >>>> >>>> What I would like to find is a way to confine certain web apps (with a >>>> registered client in Keycloak) from accessing any other client that is >>>> not supposed to. 
Specifically, I have an oidc client named 'keystone' >>>> that handles all OpenStack authentication and another oidc client >>>> 'simplewebapp' that is a webapp that I want to give access to 'keystone' >>>> while NOT giving access to any of the other clients (e.g. account, >>>> admin-cli, broker, etc.) >>>> >>>> Is there a way to do this? >>>> >>>> I thought about Scopes, but I see they are basically linked to Roles >>>> that I think have nothing to do with what I am doing (I tried, though >>>> creating new roles but it seems to me they don't prevent anything from >>>> happening). If I have to use Scopes, then how? Is there a Role that I >>>> can use to deny - or exclusively grant - access to another client? I >>>> also tried changing the Default Policy in 'keystone' Authorization tab >>>> to something like this (the opposite of what I wanted to do, to make it >>>> fail and see if I can use this mechanism), without success: >>>> >>>> --- >>>> // by default, grants any permission associated with this policy >>>> //$evaluation.grant(); >>>> var context = $evaluation.getContext(); >>>> var contextAttributes = context.getAttributes(); >>>> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { >>>> $evaluation.deny(); >>>> } >>>> $evaluation.grant(); >>>> --- >>>> >>>> I googled and browsed and tried many different setting combinations >>>> without success, so I hope someone here could give me a hint. >>>> >>>> Thanks! 
>>>> Pablo Fernandez >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Kristiaan.Jansen at planonsoftware.com Fri Aug 18 05:48:43 2017 From: Kristiaan.Jansen at planonsoftware.com (Kristiaan Jansen) Date: Fri, 18 Aug 2017 09:48:43 +0000 Subject: [keycloak-user] Test Message-ID: Test if my mail arrives at keycloak user group. From lists at merit.unu.edu Fri Aug 18 06:40:16 2017 From: lists at merit.unu.edu (mj) Date: Fri, 18 Aug 2017 12:40:16 +0200 Subject: [keycloak-user] default redirect url Message-ID: Hi, Our keycloak install is on https://keycloak.company.com, proxied by apache to localhost:8080 Some of our end-users remember that address, and browse directly to it. So they end-up in the "welcome to keycloak" page, with links to login the Admin Console etc. But is there a way to make the keycloak "account" client become the default page, so that the base url would be redirected to https://keycloak.company.com/auth/realms/our_realm/account Since apache proxies the base keycloak url (localhost:8080), I guess this would have to be done by keycloak itself. Is this possible? MJ From kuntalakrishna at gmail.com Fri Aug 18 07:27:49 2017 
From: kuntalakrishna at gmail.com (Krishna Kuntala) Date: Fri, 18 Aug 2017 12:27:49 +0100 Subject: [keycloak-user] Assign role to user using keycloak settings Message-ID: Hi All, I have enabled the email verification flow for user registration. However, I am wondering whether there is any way to assign a role to the user once the email has been verified. I understand that this could be achieved by calling REST APIs, but can we do this through some keycloak configuration? Also, is there any way to assign a role after the user successfully links his profile with one of the IdPs (e.g. Google, Facebook)? Thanks and Regards, KK From psilva at redhat.com Fri Aug 18 08:48:39 2017
From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 18 Aug 2017 09:48:39 -0300 Subject: [keycloak-user] Restrict access from web app client In-Reply-To: References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch> Message-ID: Hi Pablo, From your first e-mail, you posted the following policy:

---
// by default, grants any permission associated with this policy
//$evaluation.grant();
var context = $evaluation.getContext();
var contextAttributes = context.getAttributes();
if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
$evaluation.deny();
}
$evaluation.grant();
---

At the end of the script you are granting access, no matter what. You should try to change your code to avoid calling $evaluation.grant() after calling $evaluation.deny(). You don't really need to use a JS policy for such a condition. Have you tried using the "Client Policy"? Could you provide more details about the application you are protecting? What is the adapter you are using? I think we have some tests that are doing pretty much the same thing you are looking for [1]. Regards. Pedro Igor On Fri, Aug 18, 2017 at 6:00 AM, Pablo Fernandez wrote: > Thanks Simon, > > Yes, I think we're getting closer. To avoid confusion, let me rename the > originating client "A" and the resource client "B". > > Answer in-line: > > > On 17/08/17 17:05, Simon Payne wrote: > > Hi, i'm not sure i follow your use case then. I read your question to > mean > > 'how to restrict a resource server to only validating a token to tokens > > requested by white listed clients.' > It's almost right, but just inside Keycloak (so, without touching the > client A itself or the resource server behind client B.) > > > audience is keycloak defaults to the client id if not specified. you can > > override this to whatever you want by adding to the mappers tab. > > I was taking a look at the different types of Mappers for client A and > did not find one for the audience.
What kind of mapper should one use? > Hardcoded claim? Then, the claim should be called 'aud', right? > (I am doing everything through the web interface, btw) > > But then, if I do it this way, I will have to change each resource > server, right? > > > re-reading your email however, it sounds like scope or roles might be > your > > solution. after adding the roles to either the user or service account > I could add the role to the client A without using service accounts, right? > > > then you need to add the relevant authorization to each client in the > > property file, mapping the resource to the role required. e.g. > (springboot) > > > > keycloak.realm = master > > keycloak.auth-server-url = xxxxx > > keycloak.ssl-required = external > > keycloak.resource = xxxxxx > > keycloak.credentials.secret=xxxxxx > > keycloak.bearer-only= true > > > > keycloak.security-constraints[0].authRoles[0] = user > > keycloak.security-constraints[0].securityCollections[0].name = resources > > keycloak.security-constraints[0].securityCollections[0].patterns[0] = /* > > > > keycloak.security-constraints[1].authRoles[0] = super_user > > keycloak.security-constraints[1].securityCollections[0].name = secure > resources > > keycloak.security-constraints[1].securityCollections[0].patterns[0] = > /products > > I understand you are refering to client B, right? Anyway, I don't find > anywhere to change the property file from the web gui. I tried creating > a new "auth-scope" in the Authorization section of client B, assigned it > to the Default Resource, assigned them all to the Default Permission and > all to the Default Policy (the one I defined with JS as for my first > email: if (contextAttributes.containsValue('kc.client.id', > 'simplewebapp')) { $evaluation.deny(); } > > (BTW simplewebapp is client A) > > No luck :( am I doing something wrong? 
> > (I did not force any role on client A, and policy is set to Enforcing) > > > Alternatively you can make use of the authorization services to achieve > the > > same thing, but must enable at the client by using > > keycloak.policy-enforcer-config.enforcement-mode=ENFORCING I noticed > that > > before the auth services would work i also had to include client side > > mapping of the minimum level of authorization. > I guess here you are also speaking about client B, right? > > I did not understand what you mean by client side mapping of the minimum > level of authorization. What client mapping? Are there levels of > authorization? > > Thanks a lot for your help! > BR/Pablo > > > > > > > > > Hope this helps, > > > > Simon. > > > > > > > > > > > > > > On Thu, Aug 17, 2017 at 7:36 AM, Pablo Fernandez < > pablo.fernandez at cscs.ch> > > wrote: > > > >> Dear Simon, > >> > >> Thanks for your reply. > >> > >> I am not quite sure your proposal would work in our case (or maybe I > >> don't understand it): do you mean that the client will ask for a > >> specific audience to be put inside the token, and that the other service > >> providers would have to check that the claim is targeted against the > >> right audience? That creates a big overhead if you have many SPs, which > >> we do. And anyway, how can you limit a certain client to be issued token > >> of a certain audience within Keycloak? And furthermore, how can I limit > >> the access to the /accounts API on Keycloak for a token given to certain > >> clients? > >> > >> It would be great to have a mechanism inside Keycloak to limit the > >> scopes of the various clients directly, without extra work on the > >> clients or the SPs. Am I assuming something that is wrong? What is the > >> Authorization tab (and/or the Scopes one) for? 
> >> > >> Thanks a lot again, > >> BR/Pablo > >> > >> > >> On 16/08/17 15:20, Simon Payne wrote: > >>> Pablo, > >>> > >>> i'm not sure whether this will be your solution directly, but i found > out > >>> recently that the 'aud' claim in the token is to represent the > audience. > >>> Now, when i used the spring-security-oauth client library i found that > it > >>> validated the resourceId against this aud claim. > >>> > >>> i thought it an unnecessary constraint at the time, but maybe it could > be > >>> used to restrict access by tokens, which although may have the correct > >>> scope, have been issued to the incorrect or otherwise unknown client? > >>> > >>> Simon. > >>> > >>> On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez < > >> pablo.fernandez at cscs.ch> > >>> wrote: > >>> > >>>> Dear Keycloakers, > >>>> > >>>> I am (almost) new to Keycloak and having trouble, and I thought I > should > >>>> ask you after exhausting other options, so here I am. > >>>> > >>>> What I would like to find is a way to confine certain web apps (with a > >>>> registered client in Keycloak) from accessing any other client that is > >>>> not supposed to. Specifically, I have an oidc client named 'keystone' > >>>> that handles all OpenStack authentication and another oidc client > >>>> 'simplewebapp' that is a webapp that I want to give access to > 'keystone' > >>>> while NOT giving access to any of the other clients (e.g. account, > >>>> admin-cli, broker, etc.) > >>>> > >>>> Is there a way to do this? > >>>> > >>>> I thought about Scopes, but I see they are basically linked to Roles > >>>> that I think have nothing to do with what I am doing (I tried, though > >>>> creating new roles but it seems to me they don't prevent anything from > >>>> happening). If I have to use Scopes, then how? Is there a Role that I > >>>> can use to deny - or exclusively grant - access to another client? 
I > >>>> also tried changing the Default Policy in 'keystone' Authorization tab > >>>> to something like this (the opposite of what I wanted to do, to make > it > >>>> fail and see if I can use this mechanism), without success: > >>>> > >>>> --- > >>>> // by default, grants any permission associated with this policy > >>>> //$evaluation.grant(); > >>>> var context = $evaluation.getContext(); > >>>> var contextAttributes = context.getAttributes(); > >>>> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) > { > >>>> $evaluation.deny(); > >>>> } > >>>> $evaluation.grant(); > >>>> --- > >>>> > >>>> I googled and browsed and tried many different setting combinations > >>>> without success, so I hope someone here could give me a hint. > >>>> > >>>> Thanks! > >>>> Pablo Fernandez > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From john.bartko at drillinginfo.com Fri Aug 18 08:49:17 2017 
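An added example, not code from the thread or from Keycloak itself, that reproduces Pedro's point above with a small stand-in for the $evaluation object: the posted policy ends in PERMIT for every client because grant() runs after deny(), while moving grant() into an else branch makes the deny stick. It assumes that the last grant()/deny() call decides the effect and that kc.client.id carries the token's azp claim (both as Pedro describes in this thread; the NEGATIVE logic flag of real policies is not modelled); the Attributes and Evaluation classes and the compare() helper are hypothetical.

```javascript
'use strict';

// Constructed stand-in for the $evaluation object Keycloak hands to a JS
// policy. It models only what the thread uses:
//   - getContext().getAttributes().containsValue(name, value)
//   - grant() / deny(), where the last call made decides the effect
// kc.client.id is populated from the token's azp claim (assumption taken
// from Pedro's explanation later in the thread).
class Attributes {
  constructor(map) { this.map = map; }
  containsValue(name, value) {
    return (this.map[name] || []).indexOf(value) !== -1;
  }
}

class Evaluation {
  constructor(token) {
    this.attributes = new Attributes({ 'kc.client.id': [token.azp] });
    this.effect = null; // no decision yet
  }
  getContext() {
    const attributes = this.attributes;
    return { getAttributes: function () { return attributes; } };
  }
  grant() { this.effect = 'PERMIT'; } // overwrites an earlier deny()
  deny()  { this.effect = 'DENY'; }   // overwrites an earlier grant()
}

// The policy as posted in the thread: deny() is followed by an
// unconditional grant(), so the final effect is always PERMIT.
function originalPolicy($evaluation) {
  var context = $evaluation.getContext();
  var contextAttributes = context.getAttributes();
  if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
    $evaluation.deny();
  }
  $evaluation.grant();
}

// Corrected policy: grant() only on the else branch, so a deny is final.
function correctedPolicy($evaluation) {
  var context = $evaluation.getContext();
  var contextAttributes = context.getAttributes();
  if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
    $evaluation.deny();
  } else {
    $evaluation.grant();
  }
}

// Evaluate a policy for a token whose authorized party (azp) is clientId.
function evaluate(policy, clientId) {
  const evaluation = new Evaluation({ azp: clientId }); // constructed token fragment
  policy(evaluation);
  return evaluation.effect;
}

// Effects of both policies for the two clients named in the thread.
function compare() {
  return {
    original: {
      simplewebapp: evaluate(originalPolicy, 'simplewebapp'), // PERMIT
      keystone: evaluate(originalPolicy, 'keystone'),         // PERMIT
    },
    corrected: {
      simplewebapp: evaluate(correctedPolicy, 'simplewebapp'), // DENY
      keystone: evaluate(correctedPolicy, 'keystone'),         // PERMIT
    },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```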
From: john.bartko at drillinginfo.com (John Bartko)
Date: Fri, 18 Aug 2017 12:49:17 +0000
Subject: [keycloak-user] default redirect url
In-Reply-To:
References:
Message-ID:

Since requests are proxied by Apache httpd, the intermediary web server could provide redirect behavior with configuration like:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^/.*$ http://redirect-destination-host.example.com/path/to/account/client

If there is no intermediary web server to leverage, Keycloak itself can also satisfy this use case. To override the content rendered in response to "GET /" and "GET /auth/" requests, the following files can be modified:

- welcome-content/index.html
- themes/keycloak/welcome/index.ftl

Default redirect behavior can be obtained with static HTML like the following:

Hope that helps,
-John Bartko

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of mj
Sent: Friday, August 18, 2017 5:40:16 AM
To: keycloak-user
Subject: [keycloak-user] default redirect url

Hi,

Our keycloak install is on https://keycloak.company.com, proxied by apache to localhost:8080

Some of our end-users remember that address, and browse directly to it. So they end up in the "welcome to keycloak" page, with links to log in to the Admin Console etc.

But is there a way to make the keycloak "account" client become the default page, so that the base url would be redirected to https://keycloak.company.com/auth/realms/our_realm/account

Since apache proxies the base keycloak url (localhost:8080), I guess this would have to be done by keycloak itself. Is this possible?

MJ

From lists at merit.unu.edu Fri Aug 18 09:13:38 2017
From: lists at merit.unu.edu (mj)
Date: Fri, 18 Aug 2017 15:13:38 +0200
Subject: [keycloak-user] default redirect url
In-Reply-To:
References:
Message-ID:

Hi John,

On 08/18/2017 02:49 PM, John Bartko wrote:
> Since requests are proxied by Apache httpd, the intermediary web server
> could provide redirect behavior with configuration like:
>
> RewriteEngine On
> RewriteCond %{REQUEST_URI} ^/$
> RewriteRule ^/.*$ http://redirect-destination-host.example.com/path/to/account/client

Super! This works great. I chose the above apache rewrite, since that would still work after keycloak upgrades. Also no need to remember patching files.

Great, the help was much appreciated!

MJ

From bburke at redhat.com Fri Aug 18 10:39:37 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 18 Aug 2017 10:39:37 -0400
Subject: [keycloak-user] Initial configuration
In-Reply-To:
References: <51096367-13D2-4B74-BCF3-48BB605F2578@finnova.com>
Message-ID: <35729541-1494-a91c-932b-4afc2238f25b@redhat.com>

Have you seen the import/export stuff in our documentation? Keycloak can be booted to import configuration.

Every SPI provider has init() and postInit() methods which are called at boot. I wonder if we should have a Bootstrap SPI that was just empty that allowed people to do stuff at boot?

On 8/18/17 2:32 AM, Gaëtan Collaud wrote:
> Hi,
>
> This question interests me as well.
>
> For now I do an export and when I have to create a new keycloak instance, I
> create the realm from the export that I made.
>
> I use docker to create a keycloak image with my custom providers. The only
> thing that is missing is the configuration at the first startup (that has
> to be done manually)
>
> Best regards,
>
> Gaetan
>
> On Thu, 17 Aug 2017 at 18:39, Vanecek Stepan wrote:
>
>> Hello everyone,
>>
>> we are trying to automate the initial configuration of Keycloak (realm
>> creation,...). We would like to use KeycloakSession for that. At the
>> moment, it is available in class MyEventListenerProvider that defines our
>> Event Listener SPI's onEvent methods.
>>
>> Is it possible to use this KeycloakSession outside of that class as well?
>> For example, we thought of running a separate thread in
>> MyEventListenerProviderFactory in init function that would sleep until
>> keycloak is up and then perform the initial configuration with
>> KeycloakSession. If so, how? If not, is there any other possibility?
>>
>> Thank you very much in advance.
>>
>> Kind regards,
>> Stepan Vanecek

From pablo.fernandez at cscs.ch Fri Aug 18 11:32:35 2017
From: pablo.fernandez at cscs.ch (Pablo Fernandez)
Date: Fri, 18 Aug 2017 17:32:35 +0200
Subject: [keycloak-user] Restrict access from web app client
In-Reply-To:
References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch>
Message-ID:

Dear Pedro,

Answers inline:

On 18/08/17 14:48, Pedro Igor Silva wrote:
> Hi Pablo,
>
> From your first e-mail, you posted the following policy:
>
> ---
> // by default, grants any permission associated with this policy
> //$evaluation.grant();
> var context = $evaluation.getContext();
> var contextAttributes = context.getAttributes();
> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
>     $evaluation.deny();
> }
> $evaluation.grant();
> ---
>
> At the end of the script you are granting access, no matter what. You
> should try to change your code to avoid calling $evaluation.grant()
> after calling $evaluation.deny().

I just tried to put the grant() call inside an else (if condition then deny else grant), but with the same result: the policy always returns PERMIT (I just discovered the Evaluate tab). In fact, when I see the authorization data (in the eval tab again) I don't see the kc.client.id context attributes... but that's maybe a defect of the evaluation?

This is the info I get from the auth data; the only reference to simplewebapp (client 1) is in resource_access:

{
  "exp": 0,
  "nbf": 0,
  "iat": 0,
  "iss": "https://myidp.domain.country:8443/auth/realms/keystonerealm",
  "aud": "5e91cb22-991c-4874-b8fe-8add2d48b463",
  "sub": "daf782c3-24d7-41fa-8bf1-4ace50b218c9",
  "azp": "5e91cb22-991c-4874-b8fe-8add2d48b463",
  "auth_time": 0,
  "realm_access": {
    "roles": [
      "manage-account",
      "realm-admin",
      "offline_access",
      "uma_authorization",
      "view-profile"
    ]
  },
  "resource_access": {
    "simplewebapp": {
      "roles": []
    },
    "keystone": {
      "roles": []
    }
  },
  "authorization": {
    "permissions": []
  },
  "LDAP_ENTRY_DN": [
    "uid=pablof,ou=group,dc=aa,dc=bb"
  ],
  "uidNumber": [
    "21471"
  ],
  "name": "Pablo ",
  "preferred_username": "pablof",
  "given_name": "Pablo",
  "createTimestamp": [
    "20170630074958Z"
  ],
  "modifyTimestamp": [
    "20170630074958Z"
  ],
  "LDAP_ID": [
    "pablof"
  ]
}

But then again I could not find a way to create a policy (for client 2) based on resources from another client.

Something that puzzles me is that, even if I make enough conditions to make my policy issue DENY, I can still log in with client 1 into client 2. Is there anything else I have to do to make the login fail?

> You don't really need to use a JS policy for such a condition. Have you
> tried using the "Client Policy"?

Yes, this is one of the things that I tried... but oddly enough, I always get the same answer (DENY if set to Positive logic, PERMIT if set to Negative) regardless of the client 1 that I am using to access my client 2.

> Could you provide more details about the application you are
> protecting? What is the adapter you are using? I think we have some
> tests that are doing pretty much the same thing you are looking for [1].

What do you mean by adapter in the application to protect? If what you mean is how client 2 accepts/rejects tokens, it's an Apache app (it's actually OpenStack Keystone) with this config:

OIDCClaimPrefix "OIDC-"
OIDCResponseType "code"
OIDCScope "openid profile"
OIDCProviderMetadataURL https://myidp.domain.country:8443/auth/realms/keystonerealm/.well-known/openid-configuration
OIDCClientID keystone
OIDCClientSecret mysecret
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCryptoPassphrase mypass
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
OIDCOAuthVerifyJwksUri "https://myidp.domain.country:8443/auth/realms/keystonerealm/protocol/openid-connect/certs"

If you mean client 1 (which is the one I want to limit the scope of its actions), that's a simple webapp querying everything via REST api.

But please keep in mind that I want to protect users coming from client 1 from accessing services included in Keycloak itself (like the /account API) and there is little I can do to protect it via the APACHE OIDC module... and, ideally, I would like to do all this restricting inside Keycloak, without touching every Apache (or whatever client 2) that I have around here.

BTW, I think you are missing a URL for example [1] you wanted to show me. Could you please re-post it?

I have the impression that I am missing something fundamental... but I don't know what it can be.

Thanks a lot to everyone who is helping me out!
BR/Pablo

> Regards.
> Pedro Igor

From psilva at redhat.com Fri Aug 18 13:38:02 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 18 Aug 2017 14:38:02 -0300
Subject: [keycloak-user] Restrict access from web app client
In-Reply-To:
References: <9e0bbdb4-8af0-1c0d-9154-3853b8df5bef@cscs.ch> <7167b4e4-29b4-fc50-4df6-1a2a677d3297@cscs.ch>
Message-ID:

The "kc.client.id" is a built-in attribute that our policy evaluation engine makes available to policies before processing them. It basically maps to the "azp" claim within the token. When using the evaluation tool, you can also select a client in order to change the value of this claim and simulate evaluations based on a specific client acting on behalf of a user.

I did a simple test here where I have a resource server with a single resource protected by a policy just like that JS policy you wrote. When I change the client, I'm able to see different results for the evaluation.

But I think what you are trying to do is beyond what we support. You mentioned that you want to protect specific Keycloak internal services such as Account Service. That is not possible ...

Sorry for the missing link, this is what I was supposed to send: https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzFunctionalAdapterTest.java#L283 . But this example is all about a RS protecting its resources where only a specific client is allowed to access. It is not related to protecting/accessing Keycloak internal services ....
On Fri, Aug 18, 2017 at 12:32 PM, Pablo Fernandez wrote: > Dear Pedro, > > Answers inline: > > On 18/08/17 14:48, Pedro Igor Silva wrote: > > Hi Pablo, > > > > From your first e-mail, you posted the following policy: > > > > --- > > // by default, grants any permission associated with this policy > > //$evaluation.grant(); > > var context = $evaluation.getContext(); > > var contextAttributes = context.getAttributes(); > > if (contextAttributes.containsValue('kc.client.id > > ', 'simplewebapp')) { > > $evaluation.deny(); > > } > > $evaluation.grant(); > > --- > > > > At the end of the script you are granting access, no matter what. You > > should try to change your code to avoid calling $evaluation.grant() > > after calling $evaluation.deny(). > > I just tried to put the grant() call inside an else (if condition then > deny else grant), but with the same result: the policy always returns > PERMIT (I just discovered the Evaluate tab). In fact, when I see the > authorization data (in the eval tab again) I don't see the kc.client.id > context attributes... but that's maybe a defect of the evaluation? 
> This is the info I get from the auth data, the only reference to > simplewebapp (client 1) is in resource_access: > > { > "exp": 0, > "nbf": 0, > "iat": 0, > "iss": "https://myidp.domain.country:8443/auth/realms/keystonerealm", > "aud": "5e91cb22-991c-4874-b8fe-8add2d48b463", > "sub": "daf782c3-24d7-41fa-8bf1-4ace50b218c9", > "azp": "5e91cb22-991c-4874-b8fe-8add2d48b463", > "auth_time": 0, > "realm_access": { > "roles": [ > "manage-account", > "realm-admin", > "offline_access", > "uma_authorization", > "view-profile" > ] > }, > "resource_access": { > "simplewebapp": { > "roles": [] > }, > "keystone": { > "roles": [] > } > }, > "authorization": { > "permissions": [] > }, > "LDAP_ENTRY_DN": [ > "uid=pablof,ou=group,dc=aa,dc=bb" > ], > "uidNumber": [ > "21471" > ], > "name": "Pablo ", > "preferred_username": "pablof", > "given_name": "Pablo", > "createTimestamp": [ > "20170630074958Z" > ], > "modifyTimestamp": [ > "20170630074958Z" > ], > "LDAP_ID": [ > "pablof" > ] > } > > But then again I could not find a way to create a policy (for client 2) > based on resources from another client. > > Something that puzzles me is that, even if I make enough conditions to > make my policy issue DENY, I can still log in with client 1 into client > 2. Is there anything else I have to do to make the login fail? > > > > > > You don't really need to use a JS policy for such condition. Have you > > tried used the "Client Policy" ? > > Yes, this is one of the things that I tried... but oddly enough, I > always get the same answer (DENY if set to Possitive logic, PERMIT if > set to Negative) regardless of the client 1 that I am using to access my > client 2. > > > > > Could you provide more details about the application you are > > protecting ? What is the adapter you are using ? I think we have some > > tests that are doing pretty much the same thing you are looking for [1]. > > What do you mean by adapter in the application to protect? 
If what you > mean is how does client 2 accept/reject tokens, it's an Apache app (it's > actually OpenStack Keystone) with this config: > > OIDCClaimPrefix "OIDC-" > OIDCResponseType "code" > OIDCScope "openid profile" > OIDCProviderMetadataURL > https://myidp.domain.country:8443/auth/realms/keystonerealm/.well-known/ > openid-configuration > OIDCClientID keystone > OIDCClientSecret mysecret > OIDCProviderTokenEndpointAuth client_secret_basic > OIDCCryptoPassphrase mypass > OIDCRedirectURI > http://localhost:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect > OIDCOAuthVerifyJwksUri > "https://myidp.domain.country:8443/auth/realms/ > keystonerealm/protocol/openid-connect/certs" > > If you mean client 1 (which is the one I want to limit the scope of its > actions), that's a simple webapp querying everything via REST api. > > But please keep in mind that I want to protect users coming from client > 1 from accessing services included in Keycloak itself (like the /account > API) and there is little I can do to protect it via the APACHE OIDC > module... and, ideally, I would like to do all this restricting inside > Keycloak, without touching every Apache (or whatever client 2) that I > have around here. > > BTW, I think you are missing an URL for example [1] you wanted to show > me. Could you please re-post it? > > I have the impression that I am missing something fundamental... but I > don't know what it can be. > > Thanks a lot to everyone who is helping me out! > BR/Pablo > > > > > > > Regards. > > Pedro Igor > > > > On Fri, Aug 18, 2017 at 6:00 AM, Pablo Fernandez > > > wrote: > > > > Thanks Simon, > > > > Yes, I think we're getting closer. To avoid confusion, let me > > rename the > > originating client "A" and the resource client "B". > > > > Answer in-line: > > > > > > On 17/08/17 17:05, Simon Payne wrote: > > > Hi, i'm not sure i follow your use case then. 
I read your > > question to mean > > > 'how to restrict a resource server to only validating a token to > > tokens > > > requested by white listed clients.' > > It's almost right, but just inside Keycloak (so, without touching the > > client A itself or the resource server behind client B.) > > > > > audience is keycloak defaults to the client id if not > > specified. you can > > > override this to whatever you want by adding to the mappers tab. > > > > I was taking a look at the different types of Mappers for client A > and > > did not find one for the audience. What kind of mapper should one > use? > > Hardcoded claim? Then, the claim should be called 'aud', right? > > (I am doing everything through the web interface, btw) > > > > But then, if I do it this way, I will have to change each resource > > server, right? > > > > > re-reading your email however, it sounds like scope or roles > > might be your > > > solution. after adding the roles to either the user or service > > account > > I could add the role to the client A without using service > > accounts, right? > > > > > then you need to add the relevant authorization to each client > > in the > > > property file, mapping the resource to the role required. e.g. 
> > > (springboot)
> > >
> > > keycloak.realm = master
> > > keycloak.auth-server-url = xxxxx
> > > keycloak.ssl-required = external
> > > keycloak.resource = xxxxxx
> > > keycloak.credentials.secret=xxxxxx
> > > keycloak.bearer-only= true
> > >
> > > keycloak.security-constraints[0].authRoles[0] = user
> > > keycloak.security-constraints[0].securityCollections[0].name = resources
> > > keycloak.security-constraints[0].securityCollections[0].patterns[0] = /*
> > >
> > > keycloak.security-constraints[1].authRoles[0] = super_user
> > > keycloak.security-constraints[1].securityCollections[0].name = secure resources
> > > keycloak.security-constraints[1].securityCollections[0].patterns[0] = /products
> >
> > I understand you are referring to client B, right? Anyway, I don't find
> > anywhere to change the property file from the web gui. I tried creating
> > a new "auth-scope" in the Authorization section of client B, assigned it
> > to the Default Resource, assigned them all to the Default Permission and
> > all to the Default Policy (the one I defined with JS as for my first
> > email: if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { $evaluation.deny(); }
> >
> > (BTW simplewebapp is client A)
> >
> > No luck :( am I doing something wrong?
> >
> > (I did not force any role on client A, and policy is set to Enforcing)
> >
> > > Alternatively you can make use of the authorization services to achieve the
> > > same thing, but must enable at the client by using
> > > keycloak.policy-enforcer-config.enforcement-mode=ENFORCING I noticed that
> > > before the auth services would work i also had to include client side
> > > mapping of the minimum level of authorization.
> >
> > I guess here you are also speaking about client B, right?
> >
> > I did not understand what you mean by client side mapping of the minimum
> > level of authorization. What client mapping?
> > Are there levels of authorization?
> >
> > Thanks a lot for your help!
> > BR/Pablo
> >
> > > Hope this helps,
> > >
> > > Simon.
> > >
> > > On Thu, Aug 17, 2017 at 7:36 AM, Pablo Fernandez wrote:
> > >
> > >> Dear Simon,
> > >>
> > >> Thanks for your reply.
> > >>
> > >> I am not quite sure your proposal would work in our case (or maybe I
> > >> don't understand it): do you mean that the client will ask for a
> > >> specific audience to be put inside the token, and that the other service
> > >> providers would have to check that the claim is targeted against the
> > >> right audience? That creates a big overhead if you have many SPs, which
> > >> we do. And anyway, how can you limit a certain client to be issued tokens
> > >> of a certain audience within Keycloak? And furthermore, how can I limit
> > >> the access to the /accounts API on Keycloak for a token given to certain
> > >> clients?
> > >>
> > >> It would be great to have a mechanism inside Keycloak to limit the
> > >> scopes of the various clients directly, without extra work on the
> > >> clients or the SPs. Am I assuming something that is wrong? What is the
> > >> Authorization tab (and/or the Scopes one) for?
> > >>
> > >> Thanks a lot again,
> > >> BR/Pablo
> > >>
> > >> On 16/08/17 15:20, Simon Payne wrote:
> > >>> Pablo,
> > >>>
> > >>> i'm not sure whether this will be your solution directly, but i found out
> > >>> recently that the 'aud' claim in the token is to represent the audience.
> > >>> Now, when i used the spring-security-oauth client library i found that it
> > >>> validated the resourceId against this aud claim.
> > >>>
> > >>> i thought it an unnecessary constraint at the time, but maybe it could be
> > >>> used to restrict access by tokens, which although may have the correct
> > >>> scope, have been issued to the incorrect or otherwise unknown client?
> > >>>
> > >>> Simon.
> > >>>
> > >>> On Wed, Aug 16, 2017 at 1:41 PM, Pablo Fernandez <pablo.fernandez at cscs.ch> wrote:
> > >>>
> > >>>> Dear Keycloakers,
> > >>>>
> > >>>> I am (almost) new to Keycloak and having trouble, and I thought I should
> > >>>> ask you after exhausting other options, so here I am.
> > >>>>
> > >>>> What I would like to find is a way to confine certain web apps (with a
> > >>>> registered client in Keycloak) from accessing any other client that is
> > >>>> not supposed to. Specifically, I have an oidc client named 'keystone'
> > >>>> that handles all OpenStack authentication and another oidc client
> > >>>> 'simplewebapp' that is a webapp that I want to give access to 'keystone'
> > >>>> while NOT giving access to any of the other clients (e.g. account,
> > >>>> admin-cli, broker, etc.)
> > >>>>
> > >>>> Is there a way to do this?
> > >>>>
> > >>>> I thought about Scopes, but I see they are basically linked to Roles
> > >>>> that I think have nothing to do with what I am doing (I tried, though,
> > >>>> creating new roles but it seems to me they don't prevent anything from
> > >>>> happening). If I have to use Scopes, then how? Is there a Role that I
> > >>>> can use to deny - or exclusively grant - access to another client?
> > >>>> I also tried changing the Default Policy in 'keystone' Authorization tab
> > >>>> to something like this (the opposite of what I wanted to do, to make it
> > >>>> fail and see if I can use this mechanism), without success:
> > >>>>
> > >>>> ---
> > >>>> // by default, grants any permission associated with this policy
> > >>>> //$evaluation.grant();
> > >>>> var context = $evaluation.getContext();
> > >>>> var contextAttributes = context.getAttributes();
> > >>>> if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
> > >>>>     $evaluation.deny();
> > >>>> } else {
> > >>>>     // grant only on the other branch: a later unconditional grant()
> > >>>>     // would override the deny() above, since the last call decides the effect
> > >>>>     $evaluation.grant();
> > >>>> }
> > >>>> ---
> > >>>>
> > >>>> I googled and browsed and tried many different setting combinations
> > >>>> without success, so I hope someone here could give me a hint.
> > >>>>
> > >>>> Thanks!
> > >>>> Pablo Fernandez
> > >>>>
> > >>>> _______________________________________________
> > >>>> keycloak-user mailing list
> > >>>> keycloak-user at lists.jboss.org
> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user
mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From imxxx021 at umn.edu Fri Aug 18 17:11:15 2017
From: imxxx021 at umn.edu (Danny Im)
Date: Fri, 18 Aug 2017 16:11:15 -0500
Subject: [keycloak-user] Unable to get first and last name of newly created user during register event
Message-ID:

Hi,

I created a class implementing the EventListenerProvider interface, and on the
'register' event, when I retrieve the newly created user, both the first and last
name are set to null. The newly created user has their first and last name set
later on, but I was wondering if it was possible to get that information during
the 'register' event.

    import org.keycloak.events.Event;
    import org.keycloak.events.EventListenerProvider;
    import org.keycloak.events.EventType;
    import org.keycloak.events.admin.AdminEvent;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.RealmModel;
    import org.keycloak.models.UserModel;

    public class MyListenerProvider implements EventListenerProvider {

        private KeycloakSession session;

        public MyListenerProvider(KeycloakSession session) {
            this.session = session;
        }

        @Override
        public void onEvent(Event event) {
            EventType eventType = event.getType();
            if (eventType.equals(EventType.REGISTER)) {
                String realmId = event.getRealmId();
                String userId = event.getUserId();
                // realm of the current request; the event's realmId refers to the same realm
                RealmModel realm = session.getContext().getRealm();
                UserModel user = session.users().getUserById(userId, realm);
                String username = user.getUsername();
                // the following are null for newly created users
                String firstName = user.getFirstName();
                String lastName = user.getLastName();
            }
        }

        @Override
        public void onEvent(AdminEvent event, boolean includeRepresentation) {
            // admin events are not handled by this listener
        }

        @Override
        public void close() {
        }
    }

Thanks!

--
Danny Im
Software Developer
Polar Geospatial Center
University of Minnesota

From lists at merit.unu.edu Sat Aug 19 06:06:40 2017
From: lists at merit.unu.edu (mj)
Date: Sat, 19 Aug 2017 12:06:40 +0200
Subject: [keycloak-user] password policy | federation to AD
Message-ID: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu>

Hi,

REALM federated to active directory, with password requirements like:

- required 1 uppercase
- required 1 digit
- required 1 lowercase
- required 1 special character
- min 8 characters
- cannot contain username
- max age 180 days

Now, when I logon keycloak, I am asked to change my password. Correct.

But when I provide a bad password like "123", I would expect keycloak to say
something like: "ERROR: this password does not meet the password complexity
requirements, please use ..." etc.

However, the only message I receive with a password like "xyz" is:

"Could not modify attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]"

So how is the user supposed to know what the configured password requirements
are..?

This is on keycloak 3.1.0 btw.

Advice?

MJ

From lists at merit.unu.edu Mon Aug 21 03:16:31 2017
From: lists at merit.unu.edu (mj)
Date: Mon, 21 Aug 2017 09:16:31 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu>
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu>
Message-ID:

Aha, I guess my question is related to my question:

https://issues.jboss.org/browse/KEYCLOAK-4052

Does the ticket mean that we can expect this to work in 3.4.0?

Thanks,
MJ

On 08/19/2017 12:06 PM, mj wrote:
> But when I provide a bad password like "123", I would expect keycloak to
> say something like: "ERROR: this password does not meet the password
> complexity requirements, please use ..." etc.

From mposolda at redhat.com Mon Aug 21 05:39:26 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 21 Aug 2017 11:39:26 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To:
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu>
Message-ID: <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com>

Are your password policies configured on the MSAD side or on the Keycloak side?

KEYCLOAK-4052 is about the case where the password policies are configured on
the Keycloak side, which you want to apply even before sending the
password_update request to LDAP. However, if you have password policies
configured on the MSAD side, it won't help you.

Marek

On 21/08/17 09:16, mj wrote:
> Aha, I guess my question is related to my question:
>
> https://issues.jboss.org/browse/KEYCLOAK-4052
>
> Does the ticket mean that we can expect this to work in 3.4.0?
>
> Thanks,
> MJ
>
> On 08/19/2017 12:06 PM, mj wrote:
>> But when I provide a bad password like "123", I would expect keycloak to
>> say something like: "ERROR: this password does not meet the password
>> complexity requirements, please use ..." etc.

From lists at merit.unu.edu Mon Aug 21 05:58:14 2017
From: lists at merit.unu.edu (lists)
Date: Mon, 21 Aug 2017 11:58:14 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To: <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com>
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu> <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com>
Message-ID: <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu>

Hi Marek,

I have them configured on both, both sides similar.

We have local users (with "regular" workstation logons, and thus the password
policies as configured on the MSAD side)

And we have users that (almost) never logon locally, but only through web
interfaces secured by LDAP/OpenID Connect or SAML2. (and so: the keycloak
password policies apply)

We were under the impression that keycloak would help to enforce similar
password policies like this for (mostly) all our users.

So, is this actually expected to land in 3.4? And if yes, since keycloak is at
3.2, any indication when 3.4 would be available?

MJ

On 21-8-2017 11:39, Marek Posolda wrote:
> Are your password policies configured on MSAD side or on Keycloak side?
>
> KEYCLOAK-4052 is about the password policies are configured on Keycloak
> side, which you want to apply even before sending password_update
> request to LDAP. However if you have password policies configured on
> MSAD side, it won't help you.
>
> Marek
>
> On 21/08/17 09:16, mj wrote:
>> Aha, I guess my question is related to my question:
>>
>> https://issues.jboss.org/browse/KEYCLOAK-4052
>>
>> Does the ticket mean that we can expect this to work in 3.4.0?
>>
>> Thanks,
>> MJ
>>
>> On 08/19/2017 12:06 PM, mj wrote:
>>> But when I provide a bad password like "123", I would expect keycloak to
>>> say something like: "ERROR: this password does not meet the password
>>> complexity requirements, please use ..." etc.

From kedward777 at gmail.com Mon Aug 21 09:29:25 2017
From: kedward777 at gmail.com (ken edward)
Date: Mon, 21 Aug 2017 09:29:25 -0400
Subject: [keycloak-user] Ideas on how to implement fallback form based login?
Message-ID:

Hello,

I have implemented the keycloak tomcat adapter with ADFS as the IDP. All works
fine, but should the user not authenticate via SAML, how can I implement a
fallback to a form based authentication?

Ken

From juan.amat at nokia.com Mon Aug 21 14:44:48 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Mon, 21 Aug 2017 18:44:48 +0000
Subject: [keycloak-user] Admin URL configuration
Message-ID:

Hello,

I have a question about the Admin URL configuration for an OIDC client.

I have an application deployed on Wildfly 10.1. This application is not
distributable, is stateful and relies on sticky sessions (using the JSESSIONID
cookie).

Now on the same machine I have 2 wildfly instances.

Question is: what value should I provide for the Admin URL?

I see that we have this ${application.session.host} but AFAIU this will not
help as the host will be the same for both.

Ciao.

From juan.amat at nokia.com Mon Aug 21 15:09:23 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Mon, 21 Aug 2017 19:09:23 +0000
Subject: [keycloak-user] Cookie Store
Message-ID:

Hello,

I was doing some experiments with the cookie store with the wildfly oidc
adapter and in one scenario I was not able to login as the cookie was too
long. This happened because the user that I was logging in as had a lot of
Roles.

This is with keycloak 2.5.5 (but I do not think that this matters).

This could be a problem as using the cookie store is one of the suggested
options for application clustering.

I guess that one option would be to split the cookie into multiple cookies.

Should I open a ticket about that or did I miss something?

From juan.amat at nokia.com Mon Aug 21 15:52:11 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Mon, 21 Aug 2017 19:52:11 +0000
Subject: [keycloak-user] basic-auth
Message-ID:

Hello,

As we need to support some legacy applications we are enabling basic auth in
the wildfly adapter of our REST oidc clients.

What I have noticed is that for every REST call, a 'session' is created on the
keycloak server.
Is there a way to not create this session?
We do have perf tests that will call those REST APIs a lot and I am concerned
that we will use memory for nothing.

Another concern is that during those perf tests we noticed that the keycloak
server was using a lot of CPU.
A large part of it was used checking the password (the same user was used for
all those calls).
For legacy reasons we cannot ask the caller to first get a token and use it for
subsequent calls.
So I am wondering if there is a way to configure some 'authentication cache'.
(I guess that I am asking for something like the
JBossCachedAuthenticationManager for those who know JBoss EAP/Wildfly).

In fact I would not even care about the token and just an OK/NOK from the
keycloak server would be needed.
This is probably too much to ask and I could do all this from my end.
But then to support new clients that are OAuth aware I would need to replicate
what the adapter is doing.

From mevans at aconex.com Mon Aug 21 22:47:55 2017
From: mevans at aconex.com (Matt Evans)
Date: Tue, 22 Aug 2017 02:47:55 +0000
Subject: [keycloak-user] Bookmarking keycloak login pages
Message-ID:

We have people that have bookmarked the login page of keycloak so that they can
return there and authenticate, rather than go to the client app page and be
redirected.

This doesn't work because the bookmark they have contains time sensitive
information, e.g. the nonce and state etc. So they can authenticate correctly,
but when redirected to the application it fails.

Is there anything that can be done for this situation? I thought perhaps
including the information as post body parameters and doing a post rather than
redirecting with query string parameters, but this doesn't work, POST is not an
accepted http method. Also I assume that returning there from a bookmark won't
work either because that post body information will be missing...

Matt

From mposolda at redhat.com Tue Aug 22 02:43:53 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 Aug 2017 08:43:53 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To: <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu>
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu> <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com> <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu>
Message-ID:

KEYCLOAK-4052 will help with the case when you want to enforce Keycloak password
policies when updating the password of a Keycloak user who is mapped to an LDAP
provider. However, LDAP password policies will be applied too. And in your case,
MSAD policies are applied already. In other words, KEYCLOAK-4052 won't help you
with the error "Could not modify attribute for DN
[CN=username,CN=Users,DC=ad,DC=company,DC=com]".

The case you mentioned should be already supported, but it works just for MSAD.
AFAIK it doesn't work for some others like Samba AD. Also you need to have the
MSAD User Account Controls mapper enabled.

Marek

On 21/08/17 11:58, lists wrote:
> Hi Marek,
>
> I have them configured on both, both sides similar.
>
> We have local users (with "regular" workstation logons, and thus the
> password policies as configured on the MSAD side)
>
> And we have users that (almost) never logon locally, but only through
> web interfaces secured by LDAP/OpenID Connect or SAML2. (and so: the
> keycloak password policies apply)
>
> We were under the impression that keycloak would help to enforce
> similar password policies like this for (mostly) all our users.
>
> So, is this actually expected to land in 3.4? And if yes, since
> keycloak is at 3.2, any indication when 3.4 would be available?
>
> MJ
>
> On 21-8-2017 11:39, Marek Posolda wrote:
>> Are your password policies configured on MSAD side or on Keycloak side?
>>
>> KEYCLOAK-4052 is about the password policies are configured on
>> Keycloak side, which you want to apply even before sending
>> password_update request to LDAP.
>> However if you have password policies configured on
>> MSAD side, it won't help you.
>>
>> Marek
>>
>> On 21/08/17 09:16, mj wrote:
>>> Aha, I guess my question is related to my question:
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-4052
>>>
>>> Does the ticket mean that we can expect this to work in 3.4.0?
>>>
>>> Thanks,
>>> MJ
>>>
>>> On 08/19/2017 12:06 PM, mj wrote:
>>>> But when I provide a bad password like "123", I would expect
>>>> keycloak to say something like: "ERROR: this password does not meet
>>>> the password complexity requirements, please use ..." etc.

From hmlnarik at redhat.com Tue Aug 22 02:48:19 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 22 Aug 2017 08:48:19 +0200
Subject: [keycloak-user] Bookmarking keycloak login pages
In-Reply-To:
References:
Message-ID:

You seem to want what is called IdP-initiated workflow that works for SAML apps
[1] but not for OIDC. See this thread [2] for further info.

[1] https://keycloak.gitbooks.io/documentation/server_admin/topics/clients/saml/idp-initiated-login.html
[2] http://lists.jboss.org/pipermail/keycloak-user/2017-February/009642.html

On Tue, Aug 22, 2017 at 4:47 AM, Matt Evans wrote:
> We have people that have bookmarked the login page of keycloak so that they can
> return there and authenticate, rather than go to the client app page and be
> redirected.
>
> This doesn't work because the bookmark they have contains time sensitive
> information, e.g. the nonce and state etc. So they can authenticate correctly,
> but when redirected to the application it fails.
>
> Is there anything that can be done for this situation? I thought perhaps
> including the information as post body parameters and doing a post rather than
> redirecting with query string parameters, but this doesn't work, POST is not an
> accepted http method. Also I assume that returning there from a bookmark won't
> work either because that post body information will be missing...
>
> Matt

--
--Hynek

From gaetancollaud at gmail.com Tue Aug 22 02:56:04 2017
From: gaetancollaud at gmail.com (Gaétan Collaud)
Date: Tue, 22 Aug 2017 06:56:04 +0000
Subject: [keycloak-user] basic-auth
In-Reply-To:
References:
Message-ID:

Hi,

I'm interested in this question. For legacy reasons, I have to maintain the
basic auth possibility. And I noticed the huge amount of sessions too.

For the cache it's in the user federation. You may want to adjust the cache
policy (although it will be dependent on the implementation you use). I know
that keycloak caches the users but I'm not sure about the password check.

Best regards,
Gaetan

On Mon, 21 Aug 2017 at 21:59, Amat, Juan (Nokia - US) wrote:
> Hello,
>
> As we need to support some legacy applications we are enabling basic auth
> in the wildfly adapter of our REST oidc clients.
>
> What I have noticed is that for every REST call, a 'session' is created on
> the keycloak server.
> Is there a way to not create this session?
> We do have perf tests that will call those REST APIs a lot and I am
> concerned that we will use memory for nothing.
>
> Another concern is that during those perf tests we noticed that the
> keycloak server was using a lot of CPU.
> A large part of it was used checking the password (the same user was used
> for all those calls).
> For legacy reasons we cannot ask the caller to first get a token and use it
> for subsequent calls.
> So I am wondering if there is a way to configure some 'authentication
> cache'.
> (I guess that I am asking for something like the
> JBossCachedAuthenticationManager for those who know JBoss EAP/Wildfly).
>
> In fact I would not even care about the token and just an OK/NOK from
> the keycloak server would be needed.
> This is probably too much to ask and I could do all this from my end.
> But then to support new clients that are OAuth aware I would need to
> replicate what the adapter is doing.

From jitendrachouhan03 at gmail.com Tue Aug 22 04:17:13 2017
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Tue, 22 Aug 2017 13:47:13 +0530
Subject: [keycloak-user] Regarding Keycloak IDP Initiated Logout for SAML client
Message-ID:

Hi,

I am using Keycloak 3.1.0.Final version and have configured a HANA 2.0 system
as a SAML client. I want to test out Keycloak IDP initiated logout for the HANA
client but I am not seeing any option in Keycloak settings for it. I could see
only "IDP Initiated SSO URL Name" but the same feature is not there for SLO.

The sample SAML examples provided as part of the keycloak distribution that I
referred to are not using the SAML IDP initiated flow for login and logout.

How can I achieve SLO for the SAML client in case of idp initiated SAML?

Please let me know for any other information regarding this.

Thanks,
Jitendra Chouhan

From lists at merit.unu.edu Tue Aug 22 04:38:58 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 22 Aug 2017 10:38:58 +0200
Subject: [keycloak-user] password policy | federation to AD
In-Reply-To:
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu> <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com> <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu>
Message-ID:

Hi Marek,

But I am under the impression that KEYCLOAK-4052 would not allow the user to
provide a password that does not meet the complexity requirements configured in
keycloak? And if I would configure keycloak to require more complex passwords
than MSAD does, the user password change would succeed?

Because currently keycloak accepts 'abc' as a password, and samba doesn't. If
keycloak would require the user to provide a GOOD password, samba would also
accept it. (because the basic password-change-functionality works fine)

I would only like keycloak to NOT accept '123' as a valid password, but take
into account its own configured password complexity when changing the MSAD
password.

Is that not what KEYCLOAK-4052 is about?

MJ

On 22-8-2017 8:43, Marek Posolda wrote:
> KEYCLOAK-4052 will help with the case when you want to enforce Keycloak
> password policies when updating the password of Keycloak user, who is
> mapped to LDAP provider. However LDAP password policies will be applied
> too. And in your case, MSAD policies are applied already. In other
> words, KEYCLOAK-4052 won't help you with the error "Could not modify
> attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]" .
>
> The case you mentioned should be already supported, but it works just
> for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you
> need to have MSAD User Account Controls mapper enabled.
>
> Marek

From cschneiderpublic at gmail.com Tue Aug 22 05:17:47 2017
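Added example for the password-policy thread above (Python; not Keycloak's code and not posted by anyone in the thread): a checker that evaluates every rule in MJ's realm policy and turns the result into the kind of message MJ expected, so a candidate such as "123" is refused with a readable reason before any LDAP modify is attempted. The policy values mirror MJ's list; the username, candidate passwords, dates and the definition of "special character" are constructed for the demo.

```python
"""Policy checker for the realm requirements listed in the thread
(1 uppercase, 1 digit, 1 lowercase, 1 special, min 8 chars, no username,
max age 180 days). Constructed for this example; not Keycloak's implementation."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    forbid_username: bool = True
    max_age_days: int = 180


DEFAULT_POLICY = PasswordPolicy()


def _count(chars, predicate):
    return sum(1 for c in chars if predicate(c))


def check_password(candidate: str, username: str,
                   policy: PasswordPolicy = DEFAULT_POLICY) -> List[str]:
    """Return every rule the candidate violates (empty list means acceptable).

    All rules are evaluated rather than stopping at the first failure, so the
    user gets the full list instead of the opaque LDAP 'Could not modify attribute'.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    if _count(candidate, str.isupper) < policy.min_upper:
        problems.append(f"at least {policy.min_upper} uppercase letter")
    if _count(candidate, str.islower) < policy.min_lower:
        problems.append(f"at least {policy.min_lower} lowercase letter")
    if _count(candidate, str.isdigit) < policy.min_digits:
        problems.append(f"at least {policy.min_digits} digit")
    # "special" is taken here to mean any character that is not a letter or digit
    # (constructed definition; the thread does not say which characters AD counts)
    if _count(candidate, lambda c: not c.isalnum()) < policy.min_special:
        problems.append(f"at least {policy.min_special} special character")
    if policy.forbid_username and username and username.lower() in candidate.lower():
        problems.append("must not contain the username")
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    """True when the 'max age' rule forces a change (ISO dates, e.g. '2017-08-19')."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=policy.max_age_days)


def user_message(problems: List[str]) -> str:
    """The message MJ expected to see instead of the raw LDAP error."""
    if not problems:
        return "OK"
    return ("ERROR: this password does not meet the password complexity "
            "requirements, please use: " + "; ".join(problems))


if __name__ == "__main__":
    # Constructed sample inputs: the candidates mentioned in the thread plus one that passes.
    for pw in ("123", "xyz", "abc", "Jdoe-2017x", "Correct-H0rse"):
        print(repr(pw), "->", user_message(check_password(pw, "jdoe")))
    print("expired since 2017-02-01:", password_expired("2017-02-01", "2017-08-19"))
```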
From: cschneiderpublic at gmail.com (Christian Schneider)
Date: Tue, 22 Aug 2017 09:17:47 +0000
Subject: [keycloak-user] Realm configuration under Version Control
Message-ID:

Hi,

we want to have our Keycloak realm configuration under version control. The
goal is that every stage (Development, Integration, Testing and Production)
should have its own configuration file for the realm (without users of course,
they should stay over time). When we want to change something, it should be
done via the configuration file.

My initial idea was to use the migration import and export parameters for that.
First export the current configuration on every stage, commit it, and then
import it on startup. But the problem is that the realm is first dropped
(including the users) and then imported. After that, all existing users are
removed :(.

What is your strategy to have the keycloak configuration under version control?
So that every change is transparent and documented?

Best Regards,
Christian.

From ssilvert at redhat.com Tue Aug 22 06:56:19 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 22 Aug 2017 06:56:19 -0400
Subject: [keycloak-user] Bookmarking keycloak login pages
In-Reply-To:
References:
Message-ID:

What do they want to happen after they log in?

On 8/21/2017 10:47 PM, Matt Evans wrote:
> We have people that have bookmarked the login page of keycloak so that they can
> return there and authenticate, rather than go to the client app page and be
> redirected.
>
> This doesn't work because the bookmark they have contains time sensitive
> information, e.g. the nonce and state etc. So they can authenticate correctly,
> but when redirected to the application it fails.
>
> Is there anything that can be done for this situation? I thought perhaps
> including the information as post body parameters and doing a post rather than
> redirecting with query string parameters, but this doesn't work, POST is not an
> accepted http method. Also I assume that returning there from a bookmark won't
> work either because that post body information will be missing...
>
> Matt

From jw at blue-yonder.com Tue Aug 22 08:27:17 2017
From: jw at blue-yonder.com (Jonas Weismueller)
Date: Tue, 22 Aug 2017 14:27:17 +0200
Subject: [keycloak-user] Keycloak / Azure AD Federation
Message-ID: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com>

Hi,

we configured AzureAD to use our keycloak instance, like this:

    $cer="$our_cert_string"
    $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
    $dom="test.domain.cloud"
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP

When I now try to login on the azure portal, I get successfully redirected to
https://keycloak.internal/auth/realms/azure/protocol/saml, but then I get the
following error from keycloak:

2017-08-22 11:49:47,735 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-3) org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure, ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c, sessionId=null, time=1503402587482, error=invalid_authn_request, type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}

The SAML AuthnRequest sent by M$ looks as follows:

2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-3) urn:federation:MicrosoftOnline

What we can see is that the destination (optional?) attribute is missing. See
http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html

Why is keycloak doing some strict checking about the optional destination
parameter?

Cheers
Jonas

From java at neposoft.com Tue Aug 22 13:04:07 2017
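Added example for the Azure AD message above (Python; not Keycloak's code, and it does not reproduce Keycloak's actual SAML parser): what a Destination check on an incoming AuthnRequest looks like, and why a strict IdP endpoint reports invalid_destination both when the attribute points elsewhere and when it is absent. The AuthnRequest XML is constructed for the demo, modelled only on the Issuer visible in the log; the endpoint URL is the one from Jonas's configuration.

```python
"""Destination check on a SAML 2.0 AuthnRequest, constructed for this example.
Not Keycloak's implementation: it illustrates the rule behind the
'invalid_destination' reason in the log above."""
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from typing import Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHN_REQUEST_TAG = f"{{{SAMLP_NS}}}AuthnRequest"
ISSUER_TAG = f"{{{SAML_NS}}}Issuer"

# The endpoint Jonas configured in Azure AD as ActiveLogOnUri/PassiveLogOnUri.
IDP_ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"


def validate_destination(authn_request_xml: str, expected_endpoint: str,
                         require_destination: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Destination is optional in the schema, but when present it must equal the
    endpoint that actually received the message; that binding is what keeps a
    message meant for one endpoint from being accepted by another. A strict IdP
    also refuses a request that omits it (the behaviour seen in the log);
    pass require_destination=False to model a lenient endpoint.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != AUTHN_REQUEST_TAG:
        return False, "invalid_authn_request"
    destination = root.get("Destination")
    if destination is None:
        if require_destination:
            return False, "invalid_destination"
        return True, "ok"
    # Exact comparison, no normalisation: scheme, host, port and path all have to match.
    if destination != expected_endpoint:
        return False, "invalid_destination"
    return True, "ok"


def issuer_of(authn_request_xml: str) -> Optional[str]:
    """The saml:Issuer of the request (urn:federation:MicrosoftOnline in the log)."""
    issuer = ET.fromstring(authn_request_xml).find(ISSUER_TAG)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def build_request(destination: Optional[str] = None) -> str:
    """Constructed sample AuthnRequest (not the one Azure AD actually sent);
    the Destination attribute is emitted only when a value is given."""
    dest_attr = f' Destination="{destination}"' if destination else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_constructed-id-1" Version="2.0" IssueInstant="2017-08-22T09:49:47Z"{dest_attr}>'
        "<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    cases = (("no Destination", build_request()),
             ("correct Destination", build_request(IDP_ENDPOINT)),
             ("other Destination", build_request("https://other.example/saml")))
    for label, req in cases:
        print(label, "->", validate_destination(req, IDP_ENDPOINT))
    print("lenient, no Destination ->",
          validate_destination(build_request(), IDP_ENDPOINT, require_destination=False))
```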
From: java at neposoft.com (java_os)
Date: Tue, 22 Aug 2017 13:04:07 -0400
Subject: [keycloak-user] sso timeouts ??
Message-ID:

I am using Standard Flow Enabled with the javascript adapter connecting to REST
bearer-only APIs. SSO Session Idle is set to 2h. The user is using the app, and
it redirects to the login page before 2h is reached.

Anyone here know what is the right realm setting if I want to have a user
working on an sso session for a number of hours? I guess I don't fully
understand the Token lifespan vs SSO session timeout and which one rules, etc.

From mevans at aconex.com Tue Aug 22 21:03:25 2017
From: mevans at aconex.com (Matt Evans)
Date: Wed, 23 Aug 2017 01:03:25 +0000
Subject: [keycloak-user] Bookmarking keycloak login pages
In-Reply-To:
References:
Message-ID:

Currently it fails on returning to the client application. Ideally what they'd
want is that it should work, and the authentication be completed in the client
app and they are logged in. I guess that this is not possible with OIDC as
idp-initiated sso isn't supported.

The problem is that the login page is easily bookmarkable. People aren't
bookmarking our client application page, because as soon as they go there they
are unauthenticated and so get immediately redirected to keycloak. The first
page of our client application effectively becomes the keycloak login page with
all the query string auth crud that OIDC adds on, so it's natural that users
would bookmark this page to get back to from their favourites.

I wonder if the best we can do in this situation is perhaps:

1) enable POST, so that the client app can POST the OIDC request and include
   the OIDC auth parameters as post body parameters
2) allow a default url to be set in the realm (or a default client?)
3) allow keycloak to redirect to the default url/client if it receives a GET
   request on the realm auth endpoint without the required parameters

Something like this would allow us to configure keycloak to redirect clients
that have bookmarked the url to our main app for the realm to start the OIDC
process off and be redirected back to keycloak with all the OIDC auth params
for a login attempt.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan Silvert
Sent: Tuesday, 22 August 2017 8:56 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages

What do they want to happen after they log in?

On 8/21/2017 10:47 PM, Matt Evans wrote:
> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>
> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>
> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>
> Matt
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mevans at aconex.com Tue Aug 22 21:15:53 2017
From: mevans at aconex.com (Matt Evans)
Date: Wed, 23 Aug 2017 01:15:53 +0000
Subject: [keycloak-user] Bookmarking keycloak login pages

Ok thanks! I know about idp initiated sso for SAML, didn't realise that there wasn't an equivalent for OIDC.

-----Original Message-----
From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
Sent: Tuesday, 22 August 2017 4:48 PM
To: Matt Evans
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages

You seem to want what is called IdP-initiated workflow that works for SAML apps [1] but not for OIDC. See this thread [2] for further info.

[1] https://keycloak.gitbooks.io/documentation/server_admin/topics/clients/saml/idp-initiated-login.html
[2] http://lists.jboss.org/pipermail/keycloak-user/2017-February/009642.html

On Tue, Aug 22, 2017 at 4:47 AM, Matt Evans wrote:
> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>
> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>
> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>
> Matt

--
--Hynek

From manglade at nextoo.fr Wed Aug 23 05:41:03 2017
From: manglade at nextoo.fr (Matthias ANGLADE)
Date: Wed, 23 Aug 2017 11:41:03 +0200
Subject: [keycloak-user] Issue with authorization configuration in a Spring Boot environment

Hi,

I'm facing an issue. I'm running a Spring Boot app and wish to use the authorization services. Permissions are defined in Keycloak for my client, and using the evaluation they work as expected. In my app, though, I have an issue: authorizations are checked correctly (using the right resources etc.), and I can see in the logs that the verifications are done correctly, but access is always granted whereas it should be denied in certain cases.

When I test the permission that should be denied using the evaluation page of Keycloak, access is correctly denied.

To activate the authorization in the app I added the following settings:

keycloak.policy-enforcer-config.on-deny-redirect-to=/
keycloak.securityConstraints[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].name=protected
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*

Any ideas?

From mposolda at redhat.com Wed Aug 23 07:49:14 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 23 Aug 2017 13:49:14 +0200
Subject: [keycloak-user] password policy | federation to AD
References: <1e37521a-a055-e84d-9976-ee6c75707620@merit.unu.edu> <9a01997a-d6ff-8b44-bfeb-654c95e079bc@redhat.com> <2536f5f1-e3ec-5476-6c82-732f8a7fb7d0@merit.unu.edu>
Message-ID: <94134b6f-14c2-4c55-fb30-4b123ef374c2@redhat.com>

Ah, I see your point now. I can't guarantee that we will fix KEYCLOAK-4052 for 3.4. At least I am likely not going to look into that due to other priorities. But maybe someone else will.

BTW, the error you mentioned is the known issue for Samba AD. We have a mapper (MSADUserAccountControlStorageMapper), which is able to translate the error message from MSAD during password update and recognize if the update failed due to password policy or for another reason. However this works just for MSAD, but doesn't work for Samba. It seems that Samba has a bit different error messages and hence it fails. The solution might be to implement another mapper just for Samba AD (hopefully a subclass of MSADUserAccountControlStorageMapper, so it doesn't need to be completely rewritten). If you want to contribute that, it will be nice. We're not going to support Samba AD in the near future and hence we won't do it on our own. At least not now.

Marek

On 22/08/17 10:38, lists wrote:
> Hi Marek,
>
> But I am under the impression that KEYCLOAK-4052 would not allow the user to provide a password that does not meet the complexity requirements configured in keycloak?
>
> And if I would configure keycloak to require more complex passwords than MSAD does, the user password change would succeed?
>
> Because currently keycloak accepts 'abc' as a password, and samba doesn't. If keycloak would require the user to provide a GOOD password, samba would also accept it.
> (because the basic password-change-functionality works fine)
>
> I would only like keycloak to NOT accept '123' as a valid password, but take into account its own configured password complexity when changing the MSAD password.
>
> Is that not what KEYCLOAK-4052 is about?
>
> MJ
>
> On 22-8-2017 8:43, Marek Posolda wrote:
>> KEYCLOAK-4052 will help with the case when you want to enforce Keycloak password policies when updating the password of a Keycloak user who is mapped to the LDAP provider. However LDAP password policies will be applied too. And in your case, MSAD policies are applied already. In other words, KEYCLOAK-4052 won't help you with the error "Could not modify attribute for DN [CN=username,CN=Users,DC=ad,DC=company,DC=com]".
>>
>> The case you mentioned should be already supported, but it works just for MSAD. AFAIK it doesn't work for some others like Samba AD. Also you need to have the MSAD User Account Controls mapper enabled.
>>
>> Marek

From Edgar at info.nl Wed Aug 23 07:52:28 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 23 Aug 2017 11:52:28 +0000
Subject: [keycloak-user] Lifespan query parameter missing in UserResource#executeActionsEmail in keycloak-admin-client library
Message-ID: <06C6B6A7-B768-4B05-B156-1FE40EDFD023@info.nl>

Hi all,

It seems the keycloak-admin-client library's UserResource#executeActionsEmail is missing the 'lifespan' parameter while this is present in the REST endpoint of the Keycloak admin API. We very much would like to set this parameter while using the admin client lib, so I took the liberty of creating a JIRA issue for this: https://issues.jboss.org/browse/KEYCLOAK-5262

cheers
Edgar

From ssilvert at redhat.com Wed Aug 23 08:10:25 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 23 Aug 2017 08:10:25 -0400
Subject: [keycloak-user] Bookmarking keycloak login pages
Message-ID: <72cef456-4ae2-72c8-ef79-b2baef5d583c@redhat.com>

I don't understand what you are saying about people not bookmarking the client application page "because as soon as they go there they are unauthenticated".

The usual procedure is to log in and then set the bookmark to the main page of the application. If that main page URL has "auth crud" in it then something is wrong.

They should not bookmark the login page. They bookmark the page presented after login. Then if you use the bookmark it will go straight to the application if you are already logged in. If you are not logged in it presents the login page.

On 8/22/2017 9:03 PM, Matt Evans wrote:
> Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't supported.
>
> The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites.
>
> I wonder if the best we can do in this situation is perhaps:
>
> 1) enable POST, so that the client app can POST the OIDC request and include the OIDC auth parameters as post body parameters
> 2) allow a default url to be set in the realm (or a default client?)
> 3) allow keycloak to redirect to the default url/client if it receives a GET request on the realm auth endpoint without the required parameters
>
> Something like this would allow us to configure keycloak to redirect clients that have bookmarked the url to our main app for the realm to start the OIDC process off and be redirected back to keycloak with all the OIDC auth params for a login attempt.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan Silvert
> Sent: Tuesday, 22 August 2017 8:56 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>
> What do they want to happen after they log in?
>
> On 8/21/2017 10:47 PM, Matt Evans wrote:
>> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>>
>> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>>
>> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>>
>> Matt

From psilva at redhat.com Wed Aug 23 08:18:21 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 23 Aug 2017 09:18:21 -0300
Subject: [keycloak-user] Issue with authorization configuration in a Spring Boot environment

Can you give an example of a resource definition that matches a protected resource in your application?

For instance, if you are protecting "/protected/resource" you should either have a resource in Keycloak mapping to "/*" or "/protected/resource". This mapping is defined by the resource's *URI* property.

Regards.
Pedro Igor

On Wed, Aug 23, 2017 at 6:41 AM, Matthias ANGLADE wrote:
> Hi,
>
> I'm facing an issue. I'm running a Spring Boot App and wishes to use the authorizations services. Permissions are defined in Keycloak for my client and using the evaluation the work as expected. On my app though I have an issue, authorization are checked correctly (using the right resources etc) I can see in the logs that the verification are done correctly but the access is always granted whereas it should be denied in certains cases.
>
> When I test the permission that should be denied using the evaluation page of Keycloak access is correctly denied.
>
> To activate the authorization in the app I added the following settings :
>
> keycloak.policy-enforcer-config.on-deny-redirect-to=/
> keycloak.securityConstraints[0].authRoles[0]=user
> keycloak.securityConstraints[0].securityCollections[0].name=protected
> keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
>
> Any ideas ?

From kedward777 at gmail.com Wed Aug 23 10:31:51 2017
From: kedward777 at gmail.com (ken edward)
Date: Wed, 23 Aug 2017 10:31:51 -0400
Subject: [keycloak-user] How to use tomcat adapter for both saml and basic/form authentication?

Hello,

I have implemented the keycloak tomcat adapter with ADFS as the IDP. All works fine, but if the user can not authenticate via SAML, how can I implement a fall back to a form based authentication?

Ken

From jitendrachouhan03 at gmail.com Wed Aug 23 12:21:50 2017
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Wed, 23 Aug 2017 21:51:50 +0530
Subject: [keycloak-user] Regarding Keycloak IDP Initiated Logout for SAML client

We have referred to samples and documentation but are not able to locate settings for "IDP-initiated SLO" in the keycloak configuration. Does anybody have any insight on the question below?

Thanks
Jitendra Chouhan

On Tue, Aug 22, 2017 at 1:47 PM, Jitendra Chouhan <jitendrachouhan03 at gmail.com> wrote:
> Hi,
>
> I am using Keycloak 3.1.0.Final version and configured a HANA 2.0 system as a SAML client. I want to test out Keycloak IDP initiated logout for the HANA client but I am not seeing any option in Keycloak settings for it. I could see only "IDP Initiated SSO URL Name" but the same feature is not there for SLO. The sample SAML examples I referred to, provided as part of the keycloak distribution, are not using the SAML IDP initiated flow for login and logout.
>
> How can I achieve SLO for the SAML client in case of idp initiated SAML? Please let me know for any other information regarding this.
>
> Thanks,
> Jitendra Chouhan

From john.d.ament at gmail.com Wed Aug 23 12:24:17 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 23 Aug 2017 16:24:17 +0000
Subject: [keycloak-user] Avoiding creating a new session when doing a prompt=login

Hi

I have a use case where I need to prompt a user to enter credentials during a sequence of events. In this case, we're using keycloak's login screen to capture the information and triggering it via the javascript adapter. Doing a prompt=login has an unfortunate side effect that the existing session gets rewritten. This causes the adapter to begin failing; the refresh token and access token are no longer valid. It seems that there's no way to reinitialize the iframe after this occurs, and I'm not sure that's the best way to do it.

Is there any way to have keycloak not create a new session in this flow?

John

From ivan at akvo.org Wed Aug 23 14:35:03 2017
From: ivan at akvo.org (Iván Perdomo)
Date: Wed, 23 Aug 2017 20:35:03 +0200
Subject: [keycloak-user] sso timeouts ??

Hi,

Check https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/timeouts.html

Every time your SPA requests a new access_token (using the refresh token) it bumps the SSO idle timeout.

On 08/22/2017 07:04 PM, java_os wrote:
> I am using Standard Flow Enabled with javascript adapter connecting to rest bearer-only apis.
> SSO Session idle set 2h. User is using the app, it redirects to login page before 2h is reached.
> Anyone here knows what is the right realm setting if I want to have a user working on a sso session for a number of hours?
> I guess not fully understand the Token lifespan vs SSO session timeout and which one rules, etc.

--
Iván

From pkboucher801 at gmail.com Wed Aug 23 14:51:48 2017
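Iván's point about how the three timeouts interact is easier to see in a small model. The Python below is an added illustration, not Keycloak's code or the javascript adapter's. It models a realm whose "Access Token Lifespan", "SSO Session Idle" and "SSO Session Max" settings are plain integers in seconds (the field names and default values are assumptions approximating the realm settings), a login at t=0, and a sequence of refresh-token calls. A refresh only bumps the idle clock; the session still ends at whichever of the idle and the max deadline comes first, which is why an SPA that refreshes diligently can still be sent back to the login page before a 2h idle timeout if the max lifespan is shorter, while an access token expiring on its own never ends the session.

```python
"""Model of how Keycloak's realm timeouts interact (added illustration,
not Keycloak's own code). All durations are seconds. The field names and
defaults below are assumptions approximating the realm settings
"Access Token Lifespan", "SSO Session Idle" and "SSO Session Max"."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RealmTimeouts:
    access_token_lifespan: int = 300   # assumed default: 5 minutes
    sso_session_idle: int = 1800       # assumed default: 30 minutes
    sso_session_max: int = 36000       # assumed default: 10 hours


@dataclass
class UserSession:
    started: int          # time of the login
    last_refresh: int     # bumped on every successful token refresh


class SessionExpired(Exception):
    """Raised when a refresh is attempted on a session that is gone."""


def session_expiry_reason(s: UserSession, cfg: RealmTimeouts, now: int) -> Optional[str]:
    """None while the session is valid at `now`, else "idle" or "max".
    Both limits are checked independently; the first one hit wins."""
    if now - s.last_refresh > cfg.sso_session_idle:
        return "idle"
    if now - s.started > cfg.sso_session_max:
        return "max"
    return None


def refresh_tokens(s: UserSession, cfg: RealmTimeouts, now: int) -> int:
    """Simulate the refresh-token grant the SPA sends before the access token
    lapses: it fails if the session is gone, otherwise bumps the idle clock
    and returns the expiry time of the newly issued access token. Note that
    the old access token having expired is irrelevant to this decision."""
    reason = session_expiry_reason(s, cfg, now)
    if reason is not None:
        raise SessionExpired(reason)
    s.last_refresh = now
    return now + cfg.access_token_lifespan


def simulate(cfg: RealmTimeouts, refresh_at: List[int]) -> Tuple[int, Optional[str]]:
    """Log in at t=0, then attempt a refresh at each time in `refresh_at`
    (ascending). Returns (time of the last successful refresh, reason of the
    first failure or None if every refresh succeeded)."""
    s = UserSession(started=0, last_refresh=0)
    last_ok = 0
    for t in refresh_at:
        try:
            refresh_tokens(s, cfg, t)
            last_ok = t
        except SessionExpired as exc:
            return last_ok, str(exc)
    return last_ok, None


if __name__ == "__main__":
    two_hour_idle = RealmTimeouts(sso_session_idle=7200)
    every_4_min = list(range(240, 14401, 240))          # 4 hours of steady use
    print("steady use, 2h idle, 10h max:", simulate(two_hour_idle, every_4_min))
    print("2h01m gap:", simulate(two_hour_idle, [240, 240 + 7201]))
    capped = RealmTimeouts(sso_session_idle=7200, sso_session_max=3600)
    print("steady use, but 1h max:", simulate(capped, every_4_min))
```

Run it and the third line shows a user who never went idle being logged out after one hour: "SSO Session Max" rules regardless of idle. When tuning, set the idle timeout to the inactivity you tolerate, the max to the longest working day you accept, and keep the access token lifespan short, because the adapter refreshes anyway.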
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Wed, 23 Aug 2017 14:51:48 -0400
Subject: [keycloak-user] Skip Broker First-Time Flow?
Message-ID: <000001d31c40$e0271a20$a0754e60$@gmail.com>

We have a need to pre-provision user accounts that are to be accessed with SAML from an outside IdP. These accounts are only ever to be used via SAML from this external IdP (i.e., we never want them to have to use a password to verify anything to Keycloak).

Is there any way for the account-linking the first time the user comes in with SAML to happen automatically and silently?

We understand that in some circumstances it would be a security hole to allow someone to connect via a brokered IdP to an existing account that has already been used, but these accounts are being created specifically to be accessed by this particular broker.

Any help?

Thanks!

Regards,
Peter K. Boucher

From nhoult51 at gmail.com Wed Aug 23 17:08:25 2017
From: nhoult51 at gmail.com (Nathan Hoult)
Date: Wed, 23 Aug 2017 21:08:25 +0000
Subject: [keycloak-user] 3.2.0 won't start if an LDAP is misconfigured

I am trying to start KC but the LDAP account password changed so it won't start:

14:16:17,839 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (pool-6-thread-1) Could not query server using DN [not important] and filter [not important]: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
        at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
        at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:547)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:636)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:629)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:226)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:198)
        at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:164)
        at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:175)
        at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername(LDAPStorageProvider.java:725)
        at org.keycloak.storage.ldap.LDAPStorageProvider.loadAndValidateUser(LDAPStorageProvider.java:429)
        at org.keycloak.storage.ldap.LDAPStorageProvider.validate(LDAPStorageProvider.java:153)
        at org.keycloak.storage.UserStorageManager.importValidation(UserStorageManager.java:245)
        at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:301)
        at org.keycloak.models.jpa.session.JpaUserSessionPersisterProvider.loadUserSessions(JpaUserSessionPersisterProvider.java:208)
        at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.loadSessions(OfflineUserSessionLoader.java:61)
        at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
        at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70)
        at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

I tried making the host resolve to 127.0.0.1 so it would fail to connect, but it still refused to start. So it seems that if LDAP goes down or is misconfigured then KC won't start, even if I could log in locally or through an identity provider?

I tried:

1) disabling the user and realm cache
2) looking on the internet for some way to disable LDAP or a realm temporarily
3) still looking in the code to see if there is a startup parameter I could pass it to take another path

Any help to get my KC back up so I can update the password would be appreciated.

Thanks,
- Nathan

From mevans at aconex.com Wed Aug 23 23:01:32 2017
From: mevans at aconex.com (Matt Evans)
Date: Thu, 24 Aug 2017 03:01:32 +0000
Subject: [keycloak-user] Bookmarking keycloak login pages
In-Reply-To: <72cef456-4ae2-72c8-ef79-b2baef5d583c@redhat.com>
References: <72cef456-4ae2-72c8-ef79-b2baef5d583c@redhat.com>

Sorry, I'm probably not explaining it clearly enough!

We have end users that have followed these steps, assuming app.example.com is our app and idp.example.com is keycloak:

1) User opens browser to app.example.com
2) app.example.com detects that they are unauthenticated and redirects them to idp.example.com with the appropriate oidc parameters
3) idp.example.com keycloak shows the login page; user bookmarks this page so they can return to it later
4) User logs in and is redirected back to app.example.com
5) Later they re-open their browser and go to the bookmark, which takes them directly to the keycloak login page with the previous oidc parameters

This seems to be what a lot of our users are doing, and telling them to bookmark app.example.com, or the page at app.example.com that they return to after logging in via keycloak, doesn't help.

Matt

-----Original Message-----
From: Stan Silvert [mailto:ssilvert at redhat.com]
Sent: Wednesday, 23 August 2017 10:10 PM
To: Matt Evans ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages

I don't understand what you are saying about people not bookmarking the client application page "because as soon as they go there they are unauthenticated".

The usual procedure is to log in and then set the bookmark to the main page of the application. If that main page URL has "auth crud" in it then something is wrong.

They should not bookmark the login page. They bookmark the page presented after login. Then if you use the bookmark it will go straight to the application if you are already logged in. If you are not logged in it presents the login page.

On 8/22/2017 9:03 PM, Matt Evans wrote:
> Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't supported.
>
> The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites.
>
> I wonder if the best we can do in this situation is perhaps:
>
> 1) enable POST, so that the client app can POST the OIDC request and include the OIDC auth parameters as post body parameters
> 2) allow a default url to be set in the realm (or a default client?)
> 3) allow keycloak to redirect to the default url/client if it receives a GET request on the realm auth endpoint without the required parameters
>
> Something like this would allow us to configure keycloak to redirect clients that have bookmarked the url to our main app for the realm to start the OIDC process off and be redirected back to keycloak with all the OIDC auth params for a login attempt.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan Silvert
> Sent: Tuesday, 22 August 2017 8:56 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>
> What do they want to happen after they log in?
>
> On 8/21/2017 10:47 PM, Matt Evans wrote:
>> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>>
>> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>>
>> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>>
>> Matt

From hmlnarik at redhat.com Thu Aug 24 03:44:55 2017
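Stan's advice (bookmark the page you land on after login, not the Keycloak URL) follows from how an OIDC client protects its redirect, and the failure in step 5 above is that protection working as intended. The Python below is an added sketch, not Keycloak's or any adapter's code, of the client-side bookkeeping behind steps 1 to 5: every unauthenticated visit mints a fresh `state` and `nonce`, stores them in the browser's server-side session, and the callback accepts only a state that this session minted and has not yet consumed. Replaying the bookmarked authorization URL in a later browser session presents a state the client has never seen, so the callback is rejected; a bookmark of the post-login page instead runs start_login again with new parameters. Hostnames follow the thread; the realm "demo", the client id "app", the callback path and the authorization code are assumed or constructed values, and the code-for-token exchange is left out.

```python
"""Why a bookmarked Keycloak authorization URL fails at the client.
Added illustration, not Keycloak's or any adapter's code. Hostnames follow
the thread (app.example.com, idp.example.com); the realm "demo", client id
"app", callback path and the authorization code are assumptions or
constructed values. Only the state/nonce bookkeeping is modelled."""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://idp.example.com/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "app"
REDIRECT_URI = "https://app.example.com/callback"


class BrowserSession:
    """Server-side state for one browser, bound to a session cookie; it is
    gone when the cookie expires or the browser is restarted (step 5)."""

    def __init__(self) -> None:
        self.pending = {}        # state -> {"nonce": ..., "return_to": ...}
        self.user: Optional[str] = None


def start_login(session: BrowserSession, return_to: str) -> str:
    """Step 2: an unauthenticated hit on `return_to` mints a fresh state and
    nonce, remembers them in this session and builds the redirect to
    Keycloak. Every call produces a different URL."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session.pending[state] = {"nonce": nonce, "return_to": return_to}
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    })


def state_of(url: str) -> str:
    """Read the `state` query parameter of an authorization or callback URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def keycloak_redirects_back(authz_url: str) -> str:
    """Stand-in for Keycloak after a successful login (step 4): it echoes the
    request's `state` back to redirect_uri together with a code (constructed)."""
    return REDIRECT_URI + "?" + urlencode({"code": "constructed-code",
                                           "state": state_of(authz_url)})


def handle_callback(session: BrowserSession, callback_url: str) -> Optional[str]:
    """Accept the callback only if `state` was minted by this session and
    not used before; the entry is consumed so a replay is refused. Returns
    the URL to continue to, or None when the callback is rejected (a stale
    bookmark looks exactly like a CSRF'd callback from the client's view)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    pending = session.pending.pop(state, None)
    if pending is None:
        return None
    # A real client now redeems query["code"][0] at the token endpoint and
    # checks that the id_token's nonce equals pending["nonce"].
    session.user = "authenticated"
    return pending["return_to"]


if __name__ == "__main__":
    first = BrowserSession()
    bookmarked = start_login(first, "/dashboard")                  # steps 2 and 3
    print("fresh login  ->", handle_callback(first, keycloak_redirects_back(bookmarked)))
    later = BrowserSession()                                        # step 5
    print("bookmark     ->", handle_callback(later, keycloak_redirects_back(bookmarked)))
    print("new redirect ->", state_of(start_login(later, "/dashboard")) != state_of(bookmarked))
```

The only fix that keeps the protection is on the client side: make the post-login landing page the thing users see and bookmark, and have every unauthenticated request (including one for a bookmarked deep link) call start_login with that page as return_to, so the user lands where they expected rather than on a generic home page.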
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 24 Aug 2017 09:44:55 +0200
Subject: [keycloak-user] Regarding Keycloak IDP Initiated Logout for SAML client

According to [1], you should be able to configure SAML in HANA as "Front channel" (in HANA terms) with URL set to the same Keycloak SAML endpoint URL you use for SSO.

--Hynek

[1] https://uacp2.hana.ondemand.com/viewer/27aa32ff2f5f4e7ebf59a9560205eca2/2.15/en-US/9730bc4ca5f240d4ad2bb01348ceac65.html

On Wed, Aug 23, 2017 at 6:21 PM, Jitendra Chouhan wrote:
> We have referred samples and documentation but not able to locate settings for "IDP-initiated SLO" in keycloak configuration. Does anybody has any insight on below question?
>
> Thanks
> Jitendra Chouhan
>
> On Tue, Aug 22, 2017 at 1:47 PM, Jitendra Chouhan <jitendrachouhan03 at gmail.com> wrote:
>> Hi,
>>
>> I am using Keycloak 3.1.0.Final version and configured HANA 2.0 system as a SAML client. I want to test out Keycloak IDP initiated logout for the HANA client but I am not seeing any option in Keycloak settings for it. I could see only "IDP Initiated SSO URL Name" but same feature is not there for SLO. I referred sample SAML examples provided as part of keycloak distribution are not using SAML IDP initiated flow for login and logout.
>>
>> How can I achieve SLO for the SAML client in case of idp initiated SAML? Please let me know for any other information regarding this.
>>
>> Thanks,
>> Jitendra Chouhan

--
--Hynek

From pcfleischer at outlook.com Thu Aug 24 04:38:19 2017
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Thu, 24 Aug 2017 08:38:19 +0000
Subject: [keycloak-user] Skip Broker First-Time Flow?
In-Reply-To: <000001d31c40$e0271a20$a0754e60$@gmail.com>
References: <000001d31c40$e0271a20$a0754e60$@gmail.com>

Not sure of your appetite for customization, but you can create a copy of the first login flow and remove or replace the execution steps you don't want.

As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own.

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Peter K. Boucher
Sent: Wednesday, August 23, 2017 2:51:48 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Skip Broker First-Time Flow?

We have a need to pre-provision user accounts that are to be accessed with SAML from an outside IdP. These accounts are only ever to be used via SAML from this external IdP (i.e., we never want them to have to use a password to verify anything to Keycloak.

Is there any way for the account-linking the first time the user comes in with SAML to happen automatically and silently?

We understand that in some circumstances it would be a security hole to allow someone to connect via a brokered IdP to an existing account that has already been used, but these accounts are being created specifically to be accessed by this particular broker.

Any help?

Thanks!

Regards,
Peter K. Boucher

From mposolda at redhat.com Thu Aug 24 05:30:26 2017
From: mposolda at redhat.com (Marek Posolda) Date: Thu, 24 Aug 2017 11:30:26 +0200 Subject: [keycloak-user] Skip Broker First-Time Flow? In-Reply-To: References: <000001d31c40$e0271a20$a0754e60$@gmail.com> Message-ID: +1 to what Phillip mentioned. We were thinking for adding the authenticator OOTB, which will link accounts automatically. But didn't added in the end because of security. However you're not the first asking for it, so maybe it makes sense - as long as this authenticator won't be in the flow by default and admin would need to edit the first-broker-login flow on his own risk. Feel free to create JIRA (maybe it already exists, so you can add comment like "I want it too" and add vote :) ) Marek On 24/08/17 10:38, Phillip Fleischer wrote: > Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want. > > As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own. > > ________________________________ 
From mposolda at redhat.com Thu Aug 24 05:34:44 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 24 Aug 2017 11:34:44 +0200
Subject: [keycloak-user] Avoiding creating a new session when doing a prompt=login
In-Reply-To:
References:
Message-ID:

Which version are you using? I think that in Keycloak 3.2 it won't create a new session, but connect to the existing one. Feel free to create a JIRA if it doesn't work in this version.

Marek

On 23/08/17 18:24, John D. Ament wrote:
> Hi
>
> I have a use case where I need to prompt a user to enter credentials during a sequence of events. In this case, we're using keycloak's login screen to capture the information and triggering it via the javascript adapter. Doing a prompt=login has an unfortunate side effect that the existing session gets rewritten. This causes the adapter to begin failing, the refresh token and access token are no longer valid. It seems that there's no way to reinitialize the iframe after this occurs, and I'm not sure that's the best way to do it.
>
> Is there any way to have keycloak not create a new session in this flow?
>
> John
From john.d.ament at gmail.com Thu Aug 24 06:05:43 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 24 Aug 2017 10:05:43 +0000
Subject: [keycloak-user] Avoiding creating a new session when doing a prompt=login
In-Reply-To:
References:
Message-ID:

Hi Marek,

I'm on 3.2.0.

It could be that the actual session id is the same, but other aspects of the session are being invalidated in this flow, which may explain what I'm seeing. I am seeing a new keycloak session/identity cookie coming back, which seems to throw off the javascript adapter.

John

On Thu, Aug 24, 2017 at 5:34 AM Marek Posolda wrote:
> Which version are you using? I think that in Keycloak 3.2 it won't
> create new session, but connect to existing one. Feel free to create
> JIRA if it doesn't work in this version.
>
> Marek
From mposolda at redhat.com Thu Aug 24 06:12:08 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 24 Aug 2017 12:12:08 +0200
Subject: [keycloak-user] 3.2.0 wont start if an LDAP is misconfigured
In-Reply-To:
References:
Message-ID:

Looks like a bug. Feel free to create a JIRA. The issue happens during preloading of offline sessions from the database at server startup. We should probably just WARN when the user is unavailable, or avoid looking up the user at all if possible.

As a workaround, you can delete the records in tables OFFLINE_USER_SESSION and OFFLINE_CLIENT_SESSION. But note that offline tokens of users will be lost. Alternatively you can backup the tables and restore them later once you fix your LDAP connection. But you will need to restart the Keycloak server after the LDAP connection is fixed and the tables are restored, because Keycloak preloads offline sessions from the DB just at startup at this moment.

Another approach can be to fix the LDAP connection directly in the database. It should be somewhere in table COMPONENT_CONFIG.

Marek

On 23/08/17 23:08, Nathan Hoult wrote:
> I am trying to start KC but the LDAP account password changed so it won't start:
>
> 14:16:17,839 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (pool-6-thread-1) Could not query server using DN [not important] and filter [not important]: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
> [stack trace omitted]
>
> I tried making the host resolve to 127.0.0.1 so it would fail to connect but it still refused to start. So it seems if LDAP goes down or is misconfigured then KC won't start even if I could log in locally or through an identity provider?
>
> I tried:
> 1) disabling user and Realm cache
> 2) looking on the internet for some way to disable LDAP or a Realm temporarily
> 3) still looking in the code to see if there is a startup parameter I could pass it to take another path
>
> Any help to get my KC back up so I can update the password would be appreciated.
>
> Thanks,
> - Nathan
From mposolda at redhat.com Thu Aug 24 06:14:26 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 24 Aug 2017 12:14:26 +0200
Subject: [keycloak-user] Avoiding creating a new session when doing a prompt=login
In-Reply-To:
References:
Message-ID: <2465e9ba-7568-ba2b-a3b8-706c659520b8@redhat.com>

Ok, that could be it. Could you please create a JIRA for it? Or also send a PR with a test if possible? Some existing tests for the prompt param are in OIDCAdvancedRequestParamsTest. It may be good to add a new test there IMO.

Marek

On 24/08/17 12:05, John D. Ament wrote:
> Hi Marek,
>
> I'm on 3.2.0.
>
> It could be that the actual session id is the same, but other aspects
> of the session are being invalidated in this flow which may explain
> what I'm seeing. I am seeing a new keycloak session/identity cookie
> coming back, which seems to throw off the javascript adapter.
>
> John
From john.d.ament at gmail.com Thu Aug 24 06:53:03 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 24 Aug 2017 10:53:03 +0000
Subject: [keycloak-user] Avoiding creating a new session when doing a prompt=login
In-Reply-To: <2465e9ba-7568-ba2b-a3b8-706c659520b8@redhat.com>
References: <2465e9ba-7568-ba2b-a3b8-706c659520b8@redhat.com>
Message-ID:

Done, with possibly some additional info. I'm going to debug into it a bit more today to see what's happening.

https://issues.jboss.org/browse/KEYCLOAK-5326

John

On Thu, Aug 24, 2017 at 6:14 AM Marek Posolda wrote:
> Ok, that could be it. Could you please create JIRA for it? Or also send PR
> with test if possible? Some existing tests for prompt param are in
> OIDCAdvancedRequestParamsTest . It may be good to add new test here IMO.
>
> Marek
From ssilvert at redhat.com Thu Aug 24 08:00:23 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 24 Aug 2017 08:00:23 -0400
Subject: [keycloak-user] Bookmarking keycloak login pages
In-Reply-To:
References: <72cef456-4ae2-72c8-ef79-b2baef5d583c@redhat.com>
Message-ID: <49414669-59b2-5a99-9d38-5dafff00481b@redhat.com>

Thanks. That's very useful information. I had no idea that a usability problem like that even existed. It does make sense though.

Have you tried putting a message on the login page to say, "Don't bookmark this", or do you mean you've just tried to get the word out another way?

It might be possible to put a button on the login page that lets the user bookmark the target application. We could even add this as a feature of Keycloak if this is a common usability problem. But from my initial research of the subject, doing so can be a little tricky for some browsers.

On 8/23/2017 11:01 PM, Matt Evans wrote:
> Sorry, I'm probably not explaining it clearly enough!
>
> We have end users that have followed these steps, assuming app.example.com is our app and idp.example.com is keycloak:
>
> 1) User opens browser to app.example.com
> 2) app.example.com detects that they are unauthenticated and redirects them to idp.example.com with the appropriate oidc parameters
> 3) idp.example.com keycloak shows the login page, user bookmarks this page so they can return to it later
> 4) user logs in and is redirected back to app.example.com
> 5) later they re-open their browser and go to the bookmark, which takes them directly to keycloak login page with the previous oidc parameters
>
> This seems to be what a lot of our users are doing, and telling them to bookmark app.example.com, or the page at app.example.com that they return to after logging in via keycloak doesn't help
>
> Matt
>
> -----Original Message-----
From robert.parker at weareact.com Thu Aug 24 09:21:18 2017
From: robert.parker at weareact.com (Robert Parker)
Date: Thu, 24 Aug 2017 13:21:18 +0000
Subject: [keycloak-user] CODE_TO_TOKEN_ERROR - Could not obtain grant code error
Message-ID:

Hi,

I have just started using keycloak and am using the nodejs adapter, which I have configured, and have my client application being redirected to the keycloak login screen. When attempting to login I am seeing a 'Could not obtain grant code error' from my express server log, and in our keycloak server log I see the following:

12:07:12,341 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=client-test, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code, code_id=13f4c40b-667c-4750-a19e-d21219736c12, client_auth_method=client-secret

We are making use of the authorization code flow, and I think I am correct in believing the first step of authenticating the user is completing, as I see cookies are being set for AUTH_SESSION_ID, KEYCLOAK_SESSION and KEYCLOAK_IDENTITY.

The error I am seeing gets invoked when a GET request is made back to my client application with an auth_callback querystring:

http://localhost:5001/?auth_callback=1&state=05eda0dd-2a51-4b68-b87e-8777ee2c63f8&code=uss.sldbbK4K_pOwWx1UiGq21AQm7dI8DGVZRQ-4lIs1fF4.13f4c40b-667c-4750-a19e-d21219736c12.6de278b6-985b-4beb-af72-54f27332eb49

I can see a code param is present here, part of which contains the code_id referenced in the keycloak log - 13f4c40b-667c-4750-a19e-d21219736c12

I haven't come across anything in the docs when I started setting up my realm\client\users that mentions anything about these codes, have I possibly missed a configuration step?
Thanks

Robert Parker - Front End Developer
Applied Card Technologies Ltd
Robert.Parker at weareACT.com
www.weareACT.com

From pcfleischer at outlook.com Thu Aug 24 12:47:44 2017
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Thu, 24 Aug 2017 16:47:44 +0000
Subject: [keycloak-user] CODE_TO_TOKEN_ERROR - Could not obtain grant code error
In-Reply-To:
References:
Message-ID:

Are you intending to use a confidential or public client? Typical setup of the JavaScript adapter is public. Reason I ask is in your error I see... client_auth_method=client-secret
From pcfleischer at outlook.com Thu Aug 24 19:38:42 2017
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Thu, 24 Aug 2017 23:38:42 +0000
Subject: [keycloak-user] Bookmarking keycloak login pages
In-Reply-To: <49414669-59b2-5a99-9d38-5dafff00481b@redhat.com>
References: <72cef456-4ae2-72c8-ef79-b2baef5d583c@redhat.com> <49414669-59b2-5a99-9d38-5dafff00481b@redhat.com>
Message-ID:

We've been working around a lot of usability issues lately with the javascript adapter and the state callback and nonce. It seems like the library is designed around the assumption that the client always initiates the authorization request, which seems like a good idea, but in practice there's a decent number of use cases where external applications will initiate an authentication (including bookmarks).

We're looking at adding a handler before the keycloak initialization to extend the adapter to ignore state and nonce. I know, not super secure, but we tried using the "check-sso" initialization method as a workaround as well, but the iframe session check was too complicated compared to just handling the code and overriding the needless security.

Holding back flashbacks of saml 1.0 with nonce and body hash...

> On Aug 24, 2017, at 8:00 AM, Stan Silvert wrote:
>
> Thanks. That's very useful information. I had no idea that a usability
> problem like that even existed. It does make sense though.
>
> Have you tried putting a message on the login page to say, "Don't
> bookmark this", or do you mean you've just tried to get the word out
> another way?
>
> It might be possible to put a button on the login page that lets the
> user bookmark the target application. We could even add this as a
> feature of Keycloak if this is a common usability problem. But from my
> initial research of the subject, doing so can be a little tricky for
> some browsers.
From: mevans at aconex.com (Matt Evans) Date: Fri, 25 Aug 2017 00:43:01 +0000 Subject: [keycloak-user] Bookmarking keycloak login pages In-Reply-To: <49414669-59b2-5a99-9d38-5dafff00481b@redhat.com> References: <72cef456-4ae2-72c8-ef79-b2baef5d583c@redhat.com> <49414669-59b2-5a99-9d38-5dafff00481b@redhat.com> Message-ID: We hadn't thought of putting a message on the page. I think that the users have an inclination to bookmark the login page, as they see it as the first page into the application. It's what they're used to with our current application: they bookmark the login page, and then can get back to it and log straight in. I was thinking that the trick would be to effectively clean up the url for the login page, the parameters could be part of post body rather than query string params, or maybe the initial auth resource could just read the params and redirect the browser to the actual login page without them, store them in session or something. That would mean that when the user bookmarks the login page the bookmark doesn't contain the extra parameters. Keycloak could detect requests to the login page when it doesn't have a session or the params stored for the auth request and redirect the browser to, maybe, a url that is configured for the realm, like a default client url. Which would in turn add the right params, and redirect back to keycloak... I was trying that originally, I can change our app to use POST not redirect and the url then is nice and clean, but keycloak doesn't accept the POST method on the auth resource, and I hadn't gotten into looking to see if that is just a wildfly config thing that I could enable. I thought I'd ask here to see if anyone had any ideas about solving it first. -----Original Message-----
From: Stan Silvert [mailto:ssilvert at redhat.com] Sent: Thursday, 24 August 2017 10:00 PM To: Matt Evans ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Bookmarking keycloak login pages Thanks. That's very useful information. I had no idea that a usability problem like that even existed. It does make sense though. Have you tried putting a message on the login page to say, "Don't bookmark this", or do you mean you've just tried to get the word out another way? It might be possible to put a button on the login page that lets the user bookmark the target application. We could even add this as a feature of Keycloak if this is a common usability problem. But from my initial research of the subject, doing so can be a little tricky for some browsers. On 8/23/2017 11:01 PM, Matt Evans wrote: > Sorry, I'm probably not explaining it clearly enough! > > We have end users that have followed these steps, assuming app.example.com is our app and idp.example.com is keycloak: > > 1) User opens browser to app.example.com > 2) app.example.com detects that they are unauthenticated and redirects > them to idp.example.com with the appropriate oidc parameters > 3) idp.example.com keycloak shows the login page, user bookmarks this > page so they can return to it later > 4) user logs in and is redirected back to app.example.com > 5) later they re-open their browser and go to the bookmark, which > takes them directly to keycloak login page with the previous oidc > parameters > > This seems to be what a lot of our users are doing, and telling them > to bookmark app.example.com, or the page at app.example.com that they > return to after logging in via keycloak doesn't help > > Matt > > > -----Original Message----- 
> From: Stan Silvert [mailto:ssilvert at redhat.com] > Sent: Wednesday, 23 August 2017 10:10 PM > To: Matt Evans ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Bookmarking keycloak login pages > > I don't understand what you are saying about people not bookmarking the client application page "because as soon as they go there they are unauthenticated". > > The usual procedure is to log in and then set the bookmark to the main page of the application. If that main page URL has "auth crud" in it then something is wrong. They should not bookmark the login page. They bookmark the page presented after login. > > Then if you use the bookmark it will go straight to the application if you are already logged in. If you are not logged in it presents the login page. > > > On 8/22/2017 9:03 PM, Matt Evans wrote: >> Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't supported. >> >> The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites. >> >> I wonder if the best we can do in this situation is perhaps: >> >> 1) enable POST, so that the client app can POST the OIDC request and >> include the OIDC auth parameters as post body parameters >> 2) allow a default url to be set in the realm (or a default client?) 
>> 3) allow keycloak to redirect to the default url/client if it >> receives a GET request on the realm auth endpoint without the >> required parameters >> >> Something like this would allow us to configure keycloak to redirect clients that have bookmarked the url to our main app for the realm to start the OIDC process off and be redirected back to keycloak with all the OIDC auth params for a login attempt. >> >> -----Original Message----- 
>> From: keycloak-user-bounces at lists.jboss.org >> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan >> Silvert >> Sent: Tuesday, 22 August 2017 8:56 PM >> To: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Bookmarking keycloak login pages >> >> What do they want to happen after they log in? >> >> On 8/21/2017 10:47 PM, Matt Evans wrote: >>> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected. >>> >>> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails. >>> >>> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing... >>> >>> Matt >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From robert.parker at weareact.com Fri Aug 25 05:32:31 2017 
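The thread above turns on two facts: the state and nonce in the authorization URL are bound to one login attempt, so a bookmarked login URL replays a stale state that the application cannot match, and the authorization endpoint has nothing sensible to do with a GET that carries no OIDC parameters. The Python below is an added illustration, not code from the thread or from Keycloak: a relying-party side that mints and checks state the way app.example.com should, and a hypothetical IdP-side fallback in the shape of Matt's third suggestion. The endpoint URL, the 300-second attempt lifetime and the realm-level default client URL are assumptions.

```python
"""
OIDC state/nonce handling on the relying-party side, and a hypothetical
IdP-side fallback for a parameterless GET on the authorization endpoint.
Added example, not code from the thread or from Keycloak.
Assumptions: AUTH_ENDPOINT, STATE_TTL, and the realm-level default client URL.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://idp.example.com/auth/realms/demo/protocol/openid-connect/auth"  # assumed
STATE_TTL = 300  # seconds a started login stays valid; assumed value

# --- relying party (app.example.com) ------------------------------------------

def begin_login(session, client_id, redirect_uri, now=None):
    """Mint fresh state/nonce, bind them to this browser session, return the auth URL."""
    now = time.time() if now is None else now
    session["oidc"] = {
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "issued": now,
    }
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": session["oidc"]["state"],
        "nonce": session["oidc"]["nonce"],
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)

def handle_callback(session, callback_url, now=None):
    """Accept the callback only if its state is the one bound to THIS session and still fresh.
    A bookmarked login URL replays an old state, so a new session lands in the first branch."""
    now = time.time() if now is None else now
    query = parse_qs(urlparse(callback_url).query)
    pending = session.get("oidc")
    if pending is None:
        return "rejected: no login in progress for this session"
    if query.get("state", [None])[0] != pending["state"]:
        return "rejected: state mismatch"
    if now - pending["issued"] > STATE_TTL:
        return "rejected: login attempt expired"
    if "code" not in query:
        return "rejected: no authorization code"
    session.pop("oidc")  # one-shot: the state cannot be reused
    return "accepted: code " + query["code"][0]

# --- hypothetical IdP-side fallback (Matt's suggestion 3) ----------------------

REQUIRED_AUTH_PARAMS = ("client_id", "redirect_uri", "response_type")

def authorization_endpoint(request_url, realm_default_client_url):
    """Serve the login page for a well-formed request; bounce a bare GET to the realm's
    default client (assumed realm setting) so the client restarts the flow with fresh state."""
    query = parse_qs(urlparse(request_url).query)
    if all(p in query for p in REQUIRED_AUTH_PARAMS):
        return ("200 login-page", None)
    if realm_default_client_url:
        return ("302", realm_default_client_url)
    return ("400 missing parameters", None)

if __name__ == "__main__":
    first = {}
    bookmarked = begin_login(first, "app", "https://app.example.com/cb", now=1000.0)
    state = first["oidc"]["state"]
    print(handle_callback(first, "https://app.example.com/cb?code=abc&state=" + state, now=1010.0))
    later = {}  # browser reopened, bookmark used: same state, different session
    print(handle_callback(later, "https://app.example.com/cb?code=xyz&state=" + state, now=90000.0))
    print(authorization_endpoint(AUTH_ENDPOINT, "https://app.example.com/"))
```

The replay branch is the one the users in the thread hit: Keycloak happily authenticates them, but the application has no pending attempt with that state and must refuse the callback. What Keycloak itself does with a bare GET is the open question of the thread; the fallback shown is only the shape Matt proposes.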
From: robert.parker at weareact.com (Robert Parker) Date: Fri, 25 Aug 2017 09:32:31 +0000 Subject: [keycloak-user] Problems when trying to retrieve access token using nodejs oidc adapter Message-ID: Hi, I am facing an issue using the keycloak-nodejs-connect adapter in my project. The issue surfaces after the adapter authenticates my user account I have setup, so receives a code, and then attempts to exchange this code for an access token. The adapter sends back an 'access denied' response and in the keycloak logs I see an error as follows: 09:55:44,116 WARN [org.keycloak.events] (default task-28) type=CODE_TO_TOKEN_ERROR, realmId=Actora, clientId=actora-test, userId=null, ipAddress=192.168.132.45, error=invalid_code, grant_type=authorization_code, code_id=c454ec60-6f07-4229-8a48-f0fa126609e4, client_auth_method=client-secret Watching the browser calls that are made, after initial login to get the user's code value, I see the redirect back to my main web application along with callback query param: http://localhost:5001/?auth_callback=1&state=cd0dd57d-59b6-45e4-a51e-22f4488b9d63&code=uss.iOE-JzsGTPvF3vhzWTQauRC0J-dlNQaORsDZ_aEs0vc.c454ec60-6f07-4229-8a48-f0fa126609e4.6de278b6-985b-4beb-af72-54f27332eb49 So for the code I can see the code param in the callback contains the code_id value referenced in my keycloak error log mentioned further above - c454ec60-6f07-4229-8a48-f0fa126609e4 I am assuming the long code value prefixed with the 'uss.' part gets decoded by keycloak to extract the value it needs? I have debugged through the adapter library locally to see how it's performing the calls and oddly I have found in the keycloak-auth-utils\lib\grant-manager.js a fetch function is called but with options set for a POST request. The promise in this fetch function gets rejected as the status code returned from keycloak server is a 400 Bad Request. 
I don't know what else to do here, I have re-read the getting started section on the keycloak documentation and I can't see any obvious setup steps I have missed. Can someone offer any clues as to what may be going on here please? Thanks Rob ________________________________ Robert Parker - Front End Developer Applied Card Technologies Ltd Cardiff Office 14 St Andrews Crescent Caerdydd Cardiff CF10 3DD +44 (0) 2922 331860 Robert.Parker at weareACT.com www.weareACT.com Registered in England : 04476799 ________________________________ The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales). The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd. The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary. Please consider the environment before printing this email. ________________________________ From jw at blue-yonder.com Fri Aug 25 05:53:07 2017
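To make the `invalid_code` event above easier to pin down, here is an added example (not adapter or Keycloak code) that parses `org.keycloak.events` log lines into fields and correlates them with the code from the captured callback URL: the callback's `code` parameter carries the same UUID that the server logs as `code_id`, so every event about that code can be pulled together. The WARN line and the callback URL are the ones from the post; the two other log lines and the user id in them are constructed to show a matching LOGIN and an unrelated event.

```python
"""
Correlate Keycloak event log lines with the authorization code seen in a
browser callback. Added example, not adapter or Keycloak code.
SAMPLE_LOG: the WARN line is from the post; the other two lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

EVENT_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<level>\w+)\s+\[org\.keycloak\.events\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

SAMPLE_LOG = [
    # constructed: the login that minted the code (same code_id as the error below)
    "09:55:40,002 INFO [org.keycloak.events] (default task-27) type=LOGIN, realmId=Actora, "
    "clientId=actora-test, userId=7d1f2e0c-0000-4000-8000-000000000001, ipAddress=192.168.132.45, "
    "auth_method=openid-connect, auth_type=code, code_id=c454ec60-6f07-4229-8a48-f0fa126609e4",
    # from the post
    "09:55:44,116 WARN [org.keycloak.events] (default task-28) type=CODE_TO_TOKEN_ERROR, "
    "realmId=Actora, clientId=actora-test, userId=null, ipAddress=192.168.132.45, "
    "error=invalid_code, grant_type=authorization_code, "
    "code_id=c454ec60-6f07-4229-8a48-f0fa126609e4, client_auth_method=client-secret",
    # constructed: an unrelated login
    "09:55:50,500 INFO [org.keycloak.events] (default task-29) type=LOGIN, realmId=Actora, "
    "clientId=other-app, userId=null, ipAddress=10.0.0.9, "
    "code_id=11111111-2222-4333-8444-555555555555",
]

# from the post
CALLBACK_URL = (
    "http://localhost:5001/?auth_callback=1&state=cd0dd57d-59b6-45e4-a51e-22f4488b9d63"
    "&code=uss.iOE-JzsGTPvF3vhzWTQauRC0J-dlNQaORsDZ_aEs0vc."
    "c454ec60-6f07-4229-8a48-f0fa126609e4.6de278b6-985b-4beb-af72-54f27332eb49"
)

def parse_event(line):
    """Split one event line into a dict of its key=value fields (None if not an event line)."""
    match = EVENT_RE.match(line.strip())
    if not match:
        return None
    event = {"time": match.group("time"), "level": match.group("level"),
             "thread": match.group("thread")}
    for pair in match.group("fields").split(", "):
        if "=" in pair:
            key, value = pair.split("=", 1)
            event[key.strip()] = value.strip()
    return event

def uuid_segments(callback_url):
    """UUID-shaped segments of the dot-separated code, as observed in the captured callback."""
    code = parse_qs(urlparse(callback_url).query).get("code", [""])[0]
    return [segment for segment in code.split(".") if UUID_RE.fullmatch(segment)]

def correlate(log_lines, callback_url):
    """All events whose code_id appears in the callback's code, in log order."""
    wanted = set(uuid_segments(callback_url))
    events = [e for e in map(parse_event, log_lines) if e is not None]
    return [e for e in events if e.get("code_id") in wanted]

def diagnose(related_events):
    """Say only what the correlated events show; 'never-issued-here' may also mean the
    LOGIN line fell outside the scanned window."""
    types = {e["type"] for e in related_events}
    if "CODE_TO_TOKEN_ERROR" not in types:
        return "no-exchange-error"
    return "issued-then-rejected" if "LOGIN" in types else "never-issued-here"

if __name__ == "__main__":
    related = correlate(SAMPLE_LOG, CALLBACK_URL)
    for event in related:
        print(event["time"], event["type"], event.get("error", ""))
    print(diagnose(related))
```

Run it against a real server.log window around the failed exchange: a LOGIN followed by a CODE_TO_TOKEN_ERROR for the same `code_id` shows the code was minted by this server and rejected on exchange, which narrows the search to what happened between the two events (a second exchange of the same code, a different client or redirect_uri on the token call, or code expiry); no LOGIN at all points at the wrong server or realm being asked.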
From: jw at blue-yonder.com (Jonas Weismueller) Date: Fri, 25 Aug 2017 11:53:07 +0200 Subject: [keycloak-user] Keycloak / Azure AD Federation In-Reply-To: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> Message-ID: Hi, any further information needed? I would like to get KC <-> Azure AD to be connected. Otherwise we are sadly being obliged to look after another IdP solution :( Cheers Jonas On 22.08.17 14:27, Jonas Weismueller wrote: > Hi, > > we configured AzureAD to use our keycloak instance, like this: > > > > $cer="$our_cert_string" > > $uri="https://keycloak.internal/auth/realms/azure/protocol/saml" > > $dom="test.domain.cloud" > > Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated > -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri > -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP > > > > When I now try to log in on the azure portal, I get successfully > redirected > to https://keycloak.internal/auth/realms/azure/protocol/saml , but then > I get the following error from keycloak: > > 2017-08-22 11:49:47,735 DEBUG > [org.hibernate.internal.util.EntityPrinter] (default task-3) > org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure, > ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c, > sessionId=null, time=1503402587482, error=invalid_authn_request, > type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}} > > > > The SAML AuthnRequest sent by M$ looks as follows: > > 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] > (default task-3) ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" > IssueInstant="2017-08-22T11:47:46.793Z" > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> > >
> > What we can see, is that the destination (optional?) attribute is > missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html > > > > Why is keycloak doing some strict checking about the optional > destination parameter? > > > > Cheers Jonas > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From antoine.delaunay at BE.Zetes.com Fri Aug 25 06:01:38 2017 From: antoine.delaunay at BE.Zetes.com (Antoine Delaunay) Date: Fri, 25 Aug 2017 12:01:38 +0200 Subject: [keycloak-user] move the authenticator setup from the user profile to the administration Message-ID: Hello, How do I prevent an intruder who knows the user's password from resetting the user's authenticator secret and capturing the new value? It seems allowing this negates the added value of the 2FA system. Is my understanding of the system incorrect? If not I could go for a solution where once the authenticator is set up it cannot be deleted without an admin action. I could also envision the 2FA setup to be a face-to-face operation involving the user going over to the admin desk with his phone. I thought I would ask here before hacking away at the source code. Sincerely, -- Antoine Delaunay From jose.carlos.moral.cuevas at everis.com Fri Aug 25 06:09:43 2017
From: jose.carlos.moral.cuevas at everis.com (Jose Carlos Moral Cuevas) Date: Fri, 25 Aug 2017 10:09:43 +0000 Subject: [keycloak-user] RV: Keycloak security cuestion. Message-ID: <03B28C1B079FB34788BE144950586F1DC03C9F8A@MBXEUR01.usersad.everis.int> Hi!! I'm a new Keycloak user. I have a question about security configuration in keycloak. My keycloak server is on the Internet, it must authenticate the users to access my applications, which are on the Internet too. My problem is that the keycloak server publishes by default the URL https://[domainserver]:8443/auth/version/ on the Internet without authentication; this fact could be an information leak for me and could be used by hackers to exploit vulnerabilities. The same problem is with the URLs: - https://[domainserver]:8443/auth/realms/master/ - https://[domainserver]:8443/auth/js/3.2.0.cr1 - https://[domainserver]:8443/auth/js/3.2.0.cr1/keycloak.js The question is: Could I configure keycloak so that these pages are not public by default? I need to block access to these pages. On the other hand, I need to change the main page redirection: "/" or "/auth" --> Welcome-page. I need to change this main page, because I would like to allow access only to the "/auth/admin" interface, and block the others. I hope you can help me. Regards, José Carlos Moral. ________________________________ CONFIDENTIALITY WARNING.
This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail. From hmlnarik at redhat.com Fri Aug 25 06:20:47 2017 
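On the exposure question above, the realistic control sits in front of Keycloak rather than inside it: decide per path and per client network what the Internet may reach. The filter below is an added example, not a Keycloak feature. The paths are the ones from the post; `ADMIN_NETS` and the realm name are assumptions; and the list of realm sub-paths a browser login needs (`protocol`, `login-actions`, `account`, `broker`, `.well-known`) plus `/auth/resources` for theme assets is an assumption based on the standard endpoint layout, to be validated against the adapters actually in use before deploying. Two caveats the question does not mention: blocking `/auth/realms/<realm>/...` wholesale breaks OIDC for that realm, because the login endpoints live there, and `/auth/js/keycloak.js` is needed by any application that uses the JavaScript adapter.

```python
"""
Edge policy for what a Keycloak front end exposes to the Internet, as a WSGI
filter (the same decisions can be written as reverse-proxy rules).
Added example, not a Keycloak feature. Paths are from the post; ADMIN_NETS,
the realm name and REALM_PUBLIC are assumptions to verify for your deployment.
"""
import ipaddress

ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where admins come from
ADMIN_HOME = "/auth/admin/"

# Sub-paths of an application realm that a browser login needs (assumption; verify).
REALM_PUBLIC = ("protocol", "login-actions", "account", "broker", ".well-known")

def classify(path, client_ip, app_realms, js_adapter_in_use=False):
    """Return (decision, detail); decision is 'allow', 'deny' or 'redirect'."""
    ip = ipaddress.ip_address(client_ip)
    from_admin_net = any(ip in net for net in ADMIN_NETS)
    parts = [p for p in path.split("?", 1)[0].split("/") if p]

    if parts in ([], ["auth"]):  # "/", "/auth", "/auth/": no welcome page, go to the console
        return ("redirect", ADMIN_HOME)
    if parts[0] != "auth":
        return ("deny", "outside the Keycloak context path")
    head, rest = parts[1], parts[2:]
    if head == "admin":
        if from_admin_net:
            return ("allow", "admin console")
        return ("deny", "admin console restricted to ADMIN_NETS")
    if head == "version":
        return ("deny", "server version disclosure")
    if head == "js":
        if js_adapter_in_use:
            return ("allow", "keycloak.js for JavaScript adapters")
        return ("deny", "no JavaScript clients")
    if head == "resources":
        return ("allow", "theme assets used by the login pages")
    if head == "realms" and rest:
        realm = rest[0]
        if realm == "master":
            # the admin console logs in through the master realm, so gate it the same way
            if from_admin_net:
                return ("allow", "master realm")
            return ("deny", "master realm restricted to ADMIN_NETS")
        if realm not in app_realms:
            return ("deny", "unknown realm %s" % realm)
        if len(rest) >= 2 and rest[1] in REALM_PUBLIC:
            return ("allow", "login/protocol endpoint of realm %s" % realm)
        return ("deny", "bare realm descriptor of %s" % realm)
    return ("deny", "default deny")

def edge_filter(app, app_realms, js_adapter_in_use=False):
    """WSGI wrapper applying classify(). REMOTE_ADDR must be the real client address
    here, so run this at the edge or behind a proxy you trust to set it. Denied
    requests get 404 rather than 403 so the filter does not confirm which paths exist."""
    def wrapped(environ, start_response):
        decision, detail = classify(environ.get("PATH_INFO", "/"),
                                    environ.get("REMOTE_ADDR", "0.0.0.0"),
                                    app_realms, js_adapter_in_use)
        if decision == "allow":
            return app(environ, start_response)
        if decision == "redirect":
            start_response("302 Found", [("Location", detail)])
            return [b""]
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    return wrapped

if __name__ == "__main__":
    for path, ip in [("/auth/version/", "203.0.113.5"),
                     ("/auth/realms/master/", "203.0.113.5"),
                     ("/auth/realms/myrealm/protocol/openid-connect/auth", "203.0.113.5"),
                     ("/auth/admin/", "10.1.2.3"),
                     ("/", "203.0.113.5")]:
        print(path, ip, classify(path, ip, ("myrealm",)))
```

Wire `edge_filter` around the proxied application, or translate each branch into `location` rules on the reverse proxy; the decisive test is a full browser login to every realm and client after the policy is in place, since a missing prefix shows up as a blank login page, not as an error in Keycloak's log.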
From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Fri, 25 Aug 2017 12:20:47 +0200 Subject: [keycloak-user] Keycloak / Azure AD Federation In-Reply-To: References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> Message-ID: That is indeed a bug, could you please create JIRA for that? Thanks --Hynek On Fri, Aug 25, 2017 at 11:53 AM, Jonas Weismueller wrote: > Hi, > any further information needed? I would like to get KC <-> Azure AD to > be connected. Otherwise we are sadly being obliged to look after another > IdP solution :( > > Cheers Jonas > > On 22.08.17 14:27, Jonas Weismueller wrote: >> Hi, >> >> we configured AzureAD to use our keycloak instance, like this: >> >> >> >> $cer="$our_cert_string" >> >> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml" >> >> $dom="test.domain.cloud" >> >> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated >> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri >> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP >> >> >> >> When I know try to login on the azure portal, I get successfully >> redirected >> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then >> I get the following error from keycloak: >> >> 2017-08-22 11:49:47,735 DEBUG >> [org.hibernate.internal.util.EntityPrinter] (default task-3) >> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure, >> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c, >> sessionId=null, time=1503402587482, error=invalid_authn_request, >> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}} >> >> >> >> The SAML AuthnRequest sent by M$ looks as follows: >> >> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] >> (default task-3) > ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" >> IssueInstant="2017-08-22T11:47:46.793Z" >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">> 
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> >> >> >> >> What we can see, is that the destination (optional?) attribute is >> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html >> >> >> >> Why is keycloak doing some strict checking about the optional >> destination parameter? >> >> >> >> Cheers Jonas >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From jw at blue-yonder.com Fri Aug 25 06:39:27 2017 
From: jw at blue-yonder.com (Jonas Weismueller) Date: Fri, 25 Aug 2017 12:39:27 +0200 Subject: [keycloak-user] Keycloak / Azure AD Federation In-Reply-To: References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> Message-ID: <4488d0a2-7af2-f68d-05dd-ca1dfc86e862@blue-yonder.com> Sure, thanks a lot for your reply! On 25.08.17 12:20, Hynek Mlnarik wrote: > That is indeed a bug, could you please create JIRA for that? > > Thanks > > --Hynek > > On Fri, Aug 25, 2017 at 11:53 AM, Jonas Weismueller wrote: >> Hi, >> any further information needed? I would like to get KC <-> Azure AD to >> be connected. Otherwise we are sadly being obliged to look after another >> IdP solution :( >> >> Cheers Jonas >> >> On 22.08.17 14:27, Jonas Weismueller wrote: >>> Hi, >>> >>> we configured AzureAD to use our keycloak instance, like this: >>> >>> >>> >>> $cer="$our_cert_string" >>> >>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml" >>> >>> $dom="test.domain.cloud" >>> >>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated >>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri >>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP >>> >>> >>> >>> When I know try to login on the azure portal, I get successfully >>> redirected >>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then >>> I get the following error from keycloak: >>> >>> 2017-08-22 11:49:47,735 DEBUG >>> [org.hibernate.internal.util.EntityPrinter] (default task-3) >>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure, >>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c, >>> sessionId=null, time=1503402587482, error=invalid_authn_request, >>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}} >>> >>> >>> >>> The SAML AuthnRequest sent by M$ looks as follows: >>> >>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] >>> (default task-3) >> 
ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" >>> IssueInstant="2017-08-22T11:47:46.793Z" >>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> >>> >>> >>> >>> What we can see, is that the destination (optional?) attribute is >>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html >>> >>> >>> >>> Why is keycloak doing some strict checking about the optional >>> destination parameter? >>> >>> >>> >>> Cheers Jonas >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From pkboucher801 at gmail.com Fri Aug 25 09:08:43 2017 From: pkboucher801 at gmail.com (Peter K. Boucher) Date: Fri, 25 Aug 2017 09:08:43 -0400 Subject: [keycloak-user] Skip Broker First-Time Flow? In-Reply-To: References: <000001d31c40$e0271a20$a0754e60$@gmail.com> Message-ID: <000801d31da3$476c21e0$d64465a0$@gmail.com> Not asking you to review/endorse this code, but does the approach seem reasonable? https://github.com/ohioit/keycloak-link-idp-with-user -----Original Message----- 
From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Thursday, August 24, 2017 5:30 AM To: Phillip Fleischer ; Peter K. Boucher ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Skip Broker First-Time Flow? +1 to what Phillip mentioned. We were thinking of adding the authenticator OOTB, which would link accounts automatically. But didn't add it in the end because of security. However you're not the first asking for it, so maybe it makes sense - as long as this authenticator won't be in the flow by default and admin would need to edit the first-broker-login flow at his own risk. Feel free to create JIRA (maybe it already exists, so you can add comment like "I want it too" and add vote :) ) Marek On 24/08/17 10:38, Phillip Fleischer wrote: > Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want. > > As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own. > > ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Peter K. Boucher > Sent: Wednesday, August 23, 2017 2:51:48 PM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Skip Broker First-Time Flow? > > We have a need to pre-provision user accounts that are to be accessed with > SAML from an outside IdP. These accounts are only ever to be used via SAML > from this external IdP (i.e., we never want them to have to use a password > to verify anything to Keycloak. > > > > Is there any way for the account-linking the first time the user comes in > with SAML to happen automatically and silently? > > > > We understand that in some circumstances it would be a security hole to > allow someone to connect via a brokered IdP to an existing account that has > already been used, but these accounts are being created specifically to be > accessed by this particular broker. > > > > Any help? > > > > Thanks! > > > > Regards, > > Peter K. Boucher > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From daniel.storey at weareact.com Fri Aug 25 09:11:53 2017 
From: daniel.storey at weareact.com (Daniel Storey) Date: Fri, 25 Aug 2017 13:11:53 +0000 Subject: [keycloak-user] Service account user attributes Message-ID: Hello I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper. I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users. I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative. Kind regards Dan From mposolda at redhat.com Fri Aug 25 09:29:29 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 25 Aug 2017 15:29:29 +0200 Subject: [keycloak-user] Skip Broker First-Time Flow? In-Reply-To: <000801d31da3$476c21e0$d64465a0$@gmail.com> References: <000001d31c40$e0271a20$a0754e60$@gmail.com> <000801d31da3$476c21e0$d64465a0$@gmail.com> Message-ID: <3c7e369e-74c2-e9ce-af49-5ce2b30ea6af@redhat.com> Yes. Marek On 25/08/17 15:08, Peter K. Boucher wrote: > Not asking you to review/endorse this code, but does the approach seem reasonable? https://github.com/ohioit/keycloak-link-idp-with-user > > -----Original Message----- 
> From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Thursday, August 24, 2017 5:30 AM > To: Phillip Fleischer ; Peter K. Boucher ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Skip Broker First-Time Flow? > > +1 to what Phillip mentioned. > > We were thinking for adding the authenticator OOTB, which will link > accounts automatically. But didn't added in the end because of security. > However you're not the first asking for it, so maybe it makes sense - as > long as this authenticator won't be in the flow by default and admin > would need to edit the first-broker-login flow on his own risk. Feel > free to create JIRA (maybe it already exists, so you can add comment > like "I want it too" and add vote :) ) > > Marek > > On 24/08/17 10:38, Phillip Fleischer wrote: >> Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want. >> >> As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own. >> >> ________________________________ 
>> From: keycloak-user-bounces at lists.jboss.org on behalf of Peter K. Boucher >> Sent: Wednesday, August 23, 2017 2:51:48 PM >> To: keycloak-user at lists.jboss.org >> Subject: [keycloak-user] Skip Broker First-Time Flow? >> >> We have a need to pre-provision user accounts that are to be accessed with >> SAML from an outside IdP. These accounts are only ever to be used via SAML >> from this external IdP (i.e., we never want them to have to use a password >> to verify anything to Keycloak. >> >> >> >> Is there any way for the account-linking the first time the user comes in >> with SAML to happen automatically and silently? >> >> >> >> We understand that in some circumstances it would be a security hole to >> allow someone to connect via a brokered IdP to an existing account that has >> already been used, but these accounts are being created specifically to be >> accessed by this particular broker. >> >> >> >> Any help? >> >> >> >> Thanks! >> >> >> >> Regards, >> >> Peter K. Boucher >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From bburke at redhat.com Fri Aug 25 09:30:56 2017 
From: bburke at redhat.com (Bill Burke) Date: Fri, 25 Aug 2017 09:30:56 -0400 Subject: [keycloak-user] Keycloak / Azure AD Federation In-Reply-To: References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> Message-ID: <6ba3569c-49c7-e69f-984c-4c2f8b10b16e@redhat.com> destination is validated to be the same URL the SAML request was posted to. This is a security check to protect against replay attacks. On 8/25/17 5:53 AM, Jonas Weismueller wrote: > Hi, > any further information needed? I would like to get KC <-> Azure AD to > be connected. Otherwise we are sadly being obliged to look after another > IdP solution :( > > Cheers Jonas > > On 22.08.17 14:27, Jonas Weismueller wrote: >> Hi, >> >> we configured AzureAD to use our keycloak instance, like this: >> >> >> >> $cer="$our_cert_string" >> >> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml" >> >> $dom="test.domain.cloud" >> >> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated >> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri >> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP >> >> >> >> When I now try to log in on the azure portal, I get successfully >> redirected >> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then >> I get the following error from keycloak: >> >> 2017-08-22 11:49:47,735 DEBUG >> [org.hibernate.internal.util.EntityPrinter] (default task-3) >> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure, >> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c, >> sessionId=null, time=1503402587482, error=invalid_authn_request, >> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}} >> >> >> >> The SAML AuthnRequest sent by M$ looks as follows: >> >> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] >> (default task-3) > ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" >> IssueInstant="2017-08-22T11:47:46.793Z" >>
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> >> >> >> >> What we can see, is that the destination (optional?) attribute is >> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html >> >> >> >> Why is keycloak doing some strict checking about the optional >> destination parameter? >> >> >> >> Cheers Jonas >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jimtyrrell at yahoo.com Fri Aug 25 09:31:38 2017
From: jimtyrrell at yahoo.com (Jim Tyrrell)
Date: Fri, 25 Aug 2017 13:31:38 +0000 (UTC)
Subject: [keycloak-user] Tomcat 8 mod_proxy authentication error
References: <1671965284.900434.1503667898525.ref@mail.yahoo.com>
Message-ID: <1671965284.900434.1503667898525@mail.yahoo.com>

Team,

Javascript via a bearer token in a react app works fine to hit a URL that is configured in Tomcat to be protected: tomcat.server/somepath/somepath/test.jsp

The issue comes in when I try to login to the same URL that a bearer token works for, and I get in the tomcat log an error message of:

25-Aug-2017 13:12:03.253 ERROR [ajp-nio-8009-exec-10] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode status from server: 404

If I am logged into the react app and try to hit the protected URL, I get a browser error of too many redirects when hitting the protected Tomcat URL. Googling around seems like I am practically the first one to see this issue. Nothing in the server.log of the keycloak server.

Configs are in tomcat:

keycloak.json

{
  "realm": "myapp",
  "realm-public-key": "${truncated}",
  "auth-server-url": "https://someurl/auth",
  "ssl-required": "external",
  "resource": "customer-portal",
  "enable-basic-auth": "true",
  "credentials": {
    "secret": "some secret"
  },
  "use-resource-role-mappings": "false"
}

In the server.xml of keycloak I have from the docs made the following changes..

In my ajp.conf for mod_proxy I have this setup:

RequestHeader set X-Forwarded-Proto "https" env=HTTPS
ProxyPass        /auth ajp://auth.someurl.com:8009/auth
ProxyPassReverse /auth ajp://auth.someurl.com:8009/auth

I assume something isn't right in this setup, but who knows.

Thank You
Jim

From christianlutz at inovel.de Fri Aug 25 09:56:34 2017
From: christianlutz at inovel.de (christian lutz)
Date: Fri, 25 Aug 2017 13:56:34 +0000
Subject: [keycloak-user] User registration within own application
Message-ID: <00060380.59A0489D@mail.ino.local>

Hello keycloak-team,

we are facing a problem with the user registration we don't know how to solve properly.

Situation: We do have a Web-Client and our own cxf REST endpoints. We secured it with keycloak. After we created a keycloak cxf admin client (see: [1]) it works really nice. Currently we add the user manually, because we have to create several authorization resources. Something you described within the photoz example. [2]

Question: How would you create your own user registration?

We tried to adapt the existing user registration, we added an additional input form for the new user. Then we created an event provider listening to the registration event. If a registration happens this provider calls our private REST endpoint, to create all groups and authorization resources for the newly created user. This approach isn't very elegant.

All of this is necessary because to create the corresponding authorization resources for a new user we need some id only our REST service is able to provide. E.g. /cxf/api/v1/dealers/{id}

Any idea how to solve this in a more elegant way?

[1]: https://github.com/ChristianLutz/keycloak-cxf-admin-client
[2]: https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz

Mit freundlichen Grüßen / with best regards
Christian

From jw at blue-yonder.com Fri Aug 25 10:24:40 2017
From: jw at blue-yonder.com (Jonas Weismueller)
Date: Fri, 25 Aug 2017 16:24:40 +0200
Subject: [keycloak-user] Keycloak / Azure AD Federation
In-Reply-To: <6ba3569c-49c7-e69f-984c-4c2f8b10b16e@redhat.com>
References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> <6ba3569c-49c7-e69f-984c-4c2f8b10b16e@redhat.com>
Message-ID:

Hi,

I already read about a similar statement. But as far as I understand it is optional by specification and thus it would be nice if it is at least configurable to turn it on/off. I also can try to convince Microsoft to change their behavior, but I don't know if it will be possible ;)

Cheers Jonas

On 25.08.17 15:30, Bill Burke wrote:
> destination is validated to be the same URL the SAML request was posted
> to. This is a security check to protect against replay attacks.
>
> On 8/25/17 5:53 AM, Jonas Weismueller wrote:
>> Hi,
>> any further information needed? I would like to get KC <-> Azure AD to
>> be connected. Otherwise we are sadly being obliged to look after another
>> IdP solution :(
>>
>> Cheers Jonas
>>
>> On 22.08.17 14:27, Jonas Weismueller wrote:
>>> Hi,
>>>
>>> we configured AzureAD to use our keycloak instance, like this:
>>>
>>> $cer="$our_cert_string"
>>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml"
>>> $dom="test.domain.cloud"
>>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated
>>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri
>>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
>>>
>>> When I now try to login on the azure portal, I get successfully
>>> redirected
>>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then
>>> I get the following error from keycloak:
>>>
>>> 2017-08-22 11:49:47,735 DEBUG
>>> [org.hibernate.internal.util.EntityPrinter] (default task-3)
>>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure,
>>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c,
>>> sessionId=null, time=1503402587482, error=invalid_authn_request,
>>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}}
>>>
>>> The SAML AuthnRequest sent by M$ looks as follows:
>>>
>>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser]
>>> (default task-3) >> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0"
>>> IssueInstant="2017-08-22T11:47:46.793Z"
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
>>>
>>> What we can see, is that the destination (optional?) attribute is
>>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html
>>>
>>> Why is keycloak doing some strict checking about the optional
>>> destination parameter?
>>>
>>> Cheers Jonas
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sjefhoeks at hotmail.com Fri Aug 25 11:27:44 2017
From: sjefhoeks at hotmail.com (Sjef)
Date: Fri, 25 Aug 2017 15:27:44 +0000
Subject: [keycloak-user] Add / customize IDP
Message-ID:

What is the preferred way to add an idp? Or customize the existing SAML idp? Why is the interface IdentityProvider in an artifact called keycloak-server-spi-private? Does this mean that it shouldn't be used?

Kind regards,
Sjef

From tonnis at autonomic.ai Fri Aug 25 13:27:39 2017
From: tonnis at autonomic.ai (Tonnis Wildeboer)
Date: Fri, 25 Aug 2017 10:27:39 -0700
Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha?
Message-ID:

I am attempting to run Keycloak in a kubernetes cluster with a shared postgres (RDS) db. Everything is hosted on AWS. The keycloak instances are deployed using Helm. I have read the clustering documentation and from that it seems that the appropriate clustering mode in this scenario would be "Standalone Clustered Mode". Therefore, I am using the "jboss/keycloak-ha-postgres" Docker image. Since I am using the nginx Ingress controller I have the prescribed PROXY_ADDRESS_FORWARDING=true environment variable.

Upon inspection of the Docker image, however, I noticed that the $JBOSS_HOME/standalone/configuration/standalone-ha.xml file in that image does not have the proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" attribute in the element. I also noticed that the jboss-dockerfiles/keycloak-server base image has a sed command to add this to the standalone.xml file but not to the standalone-ha.xml file.

Also, of the examples I have found via Google searches, I have not found examples of deploying Keycloak this way, which is surprising. I have seen examples with a single instance using the standalone postgres image, but not "Standalone Clustered".

So here are my questions:

1. What are the specific differences between using --server-config standalone-ha.xml vs standalone.xml?
2. Is there communication between the pods that needs to happen when running in "Standalone Clustered Mode"? (I ask this because I would need to make sure that this is possible, possibly across VPCs.) If so, what is it? I am hoping they just share a database.
3. Why doesn't the base jboss-dockerfiles/keycloak-server image also modify the standalone-ha.xml file too, in the same way it modifies the standalone.xml file: ( https://github.com/jboss-dockerfiles/keycloak/blob/0a54ccaccd5e27e75105b904708ac4ccd80df5c5/server/Dockerfile#L23-L25 )?
4. Is there any other documentation, etc that I should be looking at?

Thank you,
Tonnis

From mposolda at redhat.com Fri Aug 25 16:14:44 2017
From: mposolda at redhat.com (Marek Posolda) Date: Fri, 25 Aug 2017 22:14:44 +0200 Subject: [keycloak-user] Service account user attributes In-Reply-To: References: Message-ID: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> On 25/08/17 15:11, Daniel Storey wrote: > Hello > > I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper. > > I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users. > > I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative. That's possible if you plan to implement your own protocol mapper. You can detect if login is service-account for example by checking if UserModel corresponds to service-account user. There are also some client notes, which are available just for service-account logins. Marek > > Kind regards > Dan > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From herbert.muehlburger at bearingpoint.com Fri Aug 25 17:45:18 2017 
From: herbert.muehlburger at bearingpoint.com (Muehlburger, Herbert)
Date: Fri, 25 Aug 2017 21:45:18 +0000
Subject: [keycloak-user] Custom Authorization in Keycloak
Message-ID:

Dear Keycloak Community,

we are evaluating Keycloak and have the use case that we cannot migrate authorization information (roles, permissions, ...) to Keycloak. We have this information stored in a legacy database. Is it possible to write an extension to Keycloak which handles authorization decisions there? It would load our roles and permissions, etc. and decide if it grants access to the user or client being present. I know about the extension mechanism on writing custom User Store providers but I'm not sure if this is the right place to do that for authorization information as well?

Thank you for any help,

Best regards,
Herbert

Herbert Mühlburger
Senior System Engineer

[http://signature.bearingpoint.com/BrP_Logo.png]

T +43 316 8003
F +43 316 8003 1080

BearingPoint
Seering 6, Block B
8141 Premstätten
Austria

herbert.muehlburger at bearingpoint.com
www.bearingpoint.com
________________________________
BearingPoint Technology GmbH
Registered office: Premstätten bei Graz
Commercial register court: Landesgericht für ZRS Graz
Commercial register number: FN 44354b

The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.

From Nicolas.Geadah at vec.virginia.gov Sun Aug 27 15:45:39 2017
From: Nicolas.Geadah at vec.virginia.gov (Geadah, Nicolas (VEC))
Date: Sun, 27 Aug 2017 19:45:39 +0000
Subject: [keycloak-user] Spring-boot adapter - securityConstraints when deploying to EAP7
Message-ID:

I am using the spring-boot adapter, everything works fine when running in an embedded Tomcat with the following security constraints taking effect perfectly from my application.properties:

keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak.securityConstraints[0].authRoles[0]=user

As soon as I deploy to a WAR file in EAP7, the security constraint no longer takes effect and users are able to navigate to all pages in an unauthenticated fashion. Are any adjustments needed to the security constraints, or the WAR file itself, when deploying a spring-boot application with keycloak to JBoss/EAP7?

From maxbruchmann at gmail.com Sun Aug 27 17:40:35 2017
From: maxbruchmann at gmail.com (Max Bruchmann)
Date: Sun, 27 Aug 2017 21:40:35 +0000
Subject: [keycloak-user] Multi Tenancy in one realm / roles with group context
Message-ID:

Hi,

I'm currently evaluating Keycloak for my use case. We have a hierarchical multi-tenant application (sport clubs and teams). As we have users that work in multiple clubs the multiple realm scenario is not feasible for our application.

There are users that may have roles like "club-admin" for a certain club or "team-admin" for a certain team. To evaluate permission if a user can do something on a certain team like "modifying a team" or "create a training session" I would need to set the role of a club/team-admin into the context of the club or team.

If I understand it correctly the roles that are assigned by a group a user belongs to are global, meaning if I try to figure out if a user can modify a certain team, the resolved roles will not reflect in which team a user may be a trainer-admin. Therefore to achieve some rules like this I could encode the club/team context in the role's name like "club-admin at 123" or "team-admin at 987".

Is this a scalable approach or is there a better solution for this?

From hmlnarik at redhat.com Mon Aug 28 02:22:43 2017
From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 28 Aug 2017 08:22:43 +0200 Subject: [keycloak-user] Keycloak / Azure AD Federation In-Reply-To: <6ba3569c-49c7-e69f-984c-4c2f8b10b16e@redhat.com> References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> <6ba3569c-49c7-e69f-984c-4c2f8b10b16e@redhat.com> Message-ID: Destination is mandatory for signed SAML messages in Redirect and POST bindings [1] and optional for unsigned ones [2]. It is prevention for replay attacks for messages whose integrity can be checked. Hence to comply with SAML spec, we have to allow the destination to be unset when signature is not checked. [1] https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, lines 661, 843 [2] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 1477 On Fri, Aug 25, 2017 at 3:30 PM, Bill Burke wrote: > destination is validated to be the same URL the SAML request was posted > to. This is a security check to protect against replay attacks. > > > On 8/25/17 5:53 AM, Jonas Weismueller wrote: >> Hi, >> any further information needed? I would like to get KC <-> Azure AD to >> be connected. 
Otherwise we are sadly being obliged to look after another >> IdP solution :( >> >> Cheers Jonas >> >> On 22.08.17 14:27, Jonas Weismueller wrote: >>> Hi, >>> >>> we configured AzureAD to use our keycloak instance, like this: >>> >>> >>> >>> $cer="$our_cert_string" >>> >>> $uri="https://keycloak.internal/auth/realms/azure/protocol/saml" >>> >>> $dom="test.domain.cloud" >>> >>> Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated >>> -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri >>> -IssuerUri $uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP >>> >>> >>> >>> When I know try to login on the azure portal, I get successfully >>> redirected >>> to https://keycloak.internal/auth/realms/azure/protocol/saml , but then >>> I get the following error from keycloak: >>> >>> 2017-08-22 11:49:47,735 DEBUG >>> [org.hibernate.internal.util.EntityPrinter] (default task-3) >>> org.keycloak.events.jpa.EventEntity{clientId=null, realmId=azure, >>> ipAddress=192.168.2.3, id=ab93af94-dcc5-4b8f-bd3a-8f8f3305439c, >>> sessionId=null, time=1503402587482, error=invalid_authn_request, >>> type=LOGIN_ERROR, userId=null, detailsJson={"reason":"invalid_destination"}} >>> >>> >>> >>> The SAML AuthnRequest sent by M$ looks as follows: >>> >>> 2017-08-22 11:49:47,371 DEBUG [org.keycloak.saml.SAMLRequestParser] >>> (default task-3) >> ID="_2a11cf45-197e-4410-807b-c407548c250b" Version="2.0" >>> IssueInstant="2017-08-22T11:47:46.793Z" >>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> >>> >>> >>> >>> What we can see, is that the destination (optional?) attribute is >>> missing. See http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html >>> >>> >>> >>> Why is keycloak doing some strict checking about the optional >>> destination parameter? 
>>> >>> >>> >>> Cheers Jonas >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From psilva at redhat.com Mon Aug 28 08:24:29 2017 
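The Destination rule Hynek describes above (mandatory on signed Redirect/POST messages, optional on unsigned ones, and when present it must name the endpoint the request was posted to), as an added example that is not part of this thread and not Keycloak's own code. It builds an AuthnRequest shaped like the one in Jonas's log (issuer and NameIDPolicy taken from the thread; the request ID is a placeholder), and checks it against the SSO endpoint from his Azure AD setup. Whether the message's signature was verified is passed in by the caller, since in the Redirect binding the signature sits in query parameters outside the XML; the function and its outcome strings are this example's, not Keycloak's.

```python
"""Added example (not Keycloak code): the SAML 2.0 Destination rule described
in the thread, applied to an AuthnRequest shaped like the one Jonas posted."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# SSO endpoint from the thread; the service compares Destination against it.
ENDPOINT = "https://keycloak.internal/auth/realms/azure/protocol/saml"


def build_authn_request(destination=None):
    """Constructed AuthnRequest mirroring the parsed message in the thread
    (issuer and NameIDPolicy from the log; the ID is a placeholder).
    Destination is emitted only when given, so both cases can be modelled."""
    dest_attr = f' Destination="{destination}"' if destination is not None else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"'
        f' ID="_constructed-request-1" Version="2.0"'
        f' IssueInstant="2017-08-22T11:47:46.793Z"{dest_attr}>'
        "<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
        "</samlp:AuthnRequest>"
    )


def normalize_url(url):
    """Compare endpoint identity rather than spelling: scheme and host
    case-insensitively, default ports made explicit, path kept exactly
    (the realm-specific SAML endpoint path is part of the identity)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, parts.hostname or "", port, parts.path)


def check_destination(authn_request_xml, endpoint_url, signature_verified):
    """Return (accepted, reason).

    Rule as stated in the thread: a signed message must carry Destination
    and it must equal the endpoint it was delivered to; an unsigned message
    may omit Destination, but if it is present it still has to match."""
    try:
        root = ET.fromstring(authn_request_xml)
    except ET.ParseError as exc:
        return False, f"invalid_authn_request: {exc}"
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, "invalid_authn_request: root element is not samlp:AuthnRequest"
    destination = root.get("Destination")
    if destination is None:
        if signature_verified:
            return False, "invalid_destination: signed message lacks Destination"
        return True, "accepted: unsigned message, Destination not required"
    if normalize_url(destination) != normalize_url(endpoint_url):
        return False, "invalid_destination: Destination does not name this endpoint"
    return True, "accepted: Destination matches endpoint"


if __name__ == "__main__":
    cases = [
        (None, False),                                                     # Azure AD case from the thread
        (None, True),                                                      # signed but no Destination
        (ENDPOINT, True),                                                  # signed, correct Destination
        ("https://other.example/auth/realms/azure/protocol/saml", False),  # wrong endpoint
    ]
    for dest, signed in cases:
        print(dest, signed, check_destination(build_authn_request(dest), ENDPOINT, signed))
```

The first case is the one in Jonas's log: no Destination and no signature, which under the rule Hynek cites has to be accepted. The check keys off whether the signature was actually verified, not merely whether a signature element is present, because an unverified signature gives no integrity guarantee for the Destination value either.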
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 28 Aug 2017 09:24:29 -0300
Subject: [keycloak-user] Custom Authorization in Keycloak
In-Reply-To: References:
Message-ID:

The only SPI we have in AuthZ Services is for writing custom policy providers. But this SPI is not yet public and should change in next releases.

What do you think about this RFE [1]?

What do your permissions look like in your legacy database? E.g.: A string like resource:role|group|user:action?

[1] https://issues.jboss.org/browse/KEYCLOAK-5346

On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert <herbert.muehlburger at bearingpoint.com> wrote:
> Dear Keycloak Community,
>
> we are evaluating Keycloak and have the use case that we cannot migrate
> authorization information (roles, permissions, ...) to Keycloak. We have
> this information stored in a legacy database. Is it possible to write an
> extension to Keycloak which handles authorization decisions there? It
> would load our roles and permissions, etc. and decide if it grants access
> to the user or client being present. I know about the extension mechanism
> on writing custom User Store providers but I'm not sure if this is the
> right place to do that for authorization information as well?
>
> Thank you for any help,
>
> Best regards,
> Herbert
>
> Herbert Mühlburger
> Senior System Engineer
> BearingPoint
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From herbert.muehlburger at bearingpoint.com Mon Aug 28 11:25:58 2017
From: herbert.muehlburger at bearingpoint.com (Muehlburger, Herbert)
Date: Mon, 28 Aug 2017 15:25:58 +0000
Subject: [keycloak-user] Custom Authorization in Keycloak
In-Reply-To: References: ,
Message-ID: <1503933958299.76094@bearingpoint.com>

Hi,

thanks for the response.

So the only solution that I could think of is to wait for the RFE to be implemented? It would indeed solve our use case.

Our authorization model is based on a role based access model (RBAC). But we have some customizations which give you additional permissions or restrict your permissions to access certain entities. (Kind of a mix between RBAC and row level security.) We need to write our custom logic to grant or deny access to the given resource.

We don't want to use internal SPIs that will be changed in future releases and we are not able to migrate our authorization model to Keycloak because of our customizations.

Do you think the RFE (https://issues.jboss.org/browse/KEYCLOAK-5346) will be addressed in the near future?

Best,
Herbert

________________________________
From: Pedro Igor Silva
Sent: Monday, 28 August 2017 14:24
To: Muehlburger, Herbert
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom Authorization in Keycloak

The only SPI we have in AuthZ Services is for writing custom policy providers. But this SPI is not yet public and should change in next releases.

What do you think about this RFE [1]?

What do your permissions look like in your legacy database? E.g.: A string like resource:role|group|user:action?

[1] https://issues.jboss.org/browse/KEYCLOAK-5346

On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert <herbert.muehlburger at bearingpoint.com> wrote:

Dear Keycloak Community,

we are evaluating Keycloak and have the use case that we cannot migrate authorization information (roles, permissions, ...) to Keycloak. We have this information stored in a legacy database. Is it possible to write an extension to Keycloak which handles authorization decisions there? It would load our roles and permissions, etc. and decide if it grants access to the user or client being present. I know about the extension mechanism on writing custom User Store providers but I'm not sure if this is the right place to do that for authorization information as well?

Thank you for any help,

Best regards,
Herbert

Herbert Mühlburger
Senior System Engineer
BearingPoint

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
From mittal.prapti06 at gmail.com Mon Aug 28 12:08:12 2017 From: mittal.prapti06 at gmail.com (Prapti Mittal) Date: Mon, 28 Aug 2017 21:38:12 +0530 Subject: [keycloak-user] CSRF vulnerability in Keycloak account service In-Reply-To: References: Message-ID: Dear Keycloak Community, Though there is a CSRF token used in the Keycloak Account service, there is *CSRF token fixation vulnerability*. To prevent CSRF, a cookie named KEYCLOAK_STATE_CHECKER is used (CSRF defense method: "Double submit cookie"). The CSRF token is required to be unique for each session. But, as this cookie accepts user-agent provided value at login and doesn't clear the cookie at logout, the value of the CSRF token is same across sessions, for the users using the same user-agent. This vulnerability can be exploited by an attacker to steal this cookie from the victim's browser, even when there is no active victim session. And then, the value can be used by the attacker to perform the CSRF attack. The impact of this attack can be as bad as an attacker taking over as the admin of the IDP and exploiting any application hosted using this IDP service. A fix for the issue was requested at the below link, but it is deleted now, for no known reason : https://developer.jboss.org/thread/275577 My questions are: 1. Why was my fix request deleted? 2. If I fix the vulnerability (by initializing cookie KEYCLOAK_STATE_CHECKER at every login), it would be difficult to carry forward the code changes, for every new update from the JBoss community. How to manage such local fixes? 3. If there can be a work-around to the problem? https://stackoverflow.com/questions/45481833/csrf-vulnerability-in-keycloak-account-service From sthorger at redhat.com Mon Aug 28 12:41:27 2017 
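The double-submit-cookie issuance Prapti describes, as an added example that is not part of this thread and not Keycloak's own code: a small model of the state-checker policy with the behaviour the post describes (the server keeps whatever KEYCLOAK_STATE_CHECKER value the user-agent already sends, and logout leaves it in place) beside the fix the post proposes (a fresh random value at every login, the cookie expired at logout). The cookie name is the one from the post; the hidden form field name, the policy class and the stale cookie value are constructed for illustration.

```python
"""Added example (not Keycloak code): a double-submit-cookie state checker,
the issuance behaviour described in the post beside the proposed fix."""
import hmac
import secrets

COOKIE_NAME = "KEYCLOAK_STATE_CHECKER"  # cookie name from the post
FORM_FIELD = "stateChecker"             # assumed name of the hidden form field


class StateCheckerPolicy:
    """How the server issues the double-submit cookie at login and logout.

    accept_client_value=True, clear_on_logout=False models the post: a value
    the browser already holds is kept and survives logout, so the token is the
    same across sessions on one user-agent (the fixation the post describes).
    accept_client_value=False, clear_on_logout=True is the proposed fix: a
    fresh CSPRNG token per login, and the cookie expired at logout."""

    def __init__(self, accept_client_value, clear_on_logout):
        self.accept_client_value = accept_client_value
        self.clear_on_logout = clear_on_logout

    def on_login(self, browser_cookies):
        """Set the cookie for the new session and return its value."""
        existing = browser_cookies.get(COOKIE_NAME)
        if self.accept_client_value and existing:
            token = existing                    # reuse what the user-agent sent
        else:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        browser_cookies[COOKIE_NAME] = token
        return token

    def on_logout(self, browser_cookies):
        """Expire the cookie at logout (fix) or leave it (described behaviour)."""
        if self.clear_on_logout:
            browser_cookies.pop(COOKIE_NAME, None)


def verify_state(cookie_value, form_value):
    """Double-submit check on a state-changing account request: both copies
    must be present and equal; compared in constant time."""
    if not cookie_value or not form_value:
        return False
    return hmac.compare_digest(cookie_value, form_value)


def session_tokens(policy, browser_cookies):
    """Drive login -> logout -> login through one user-agent; return both tokens."""
    first = policy.on_login(browser_cookies)
    policy.on_logout(browser_cookies)
    second = policy.on_login(browser_cookies)
    return first, second


def token_reused_across_sessions(policy, stale_value="stale-token-left-in-browser"):
    """True when a value already sitting in the browser (constructed: a cookie
    left by an earlier session) becomes the token of both later sessions,
    i.e. the state checker is not bound to the session at all."""
    jar = {COOKIE_NAME: stale_value}
    first, second = session_tokens(policy, jar)
    return first == stale_value and second == stale_value


DESCRIBED_POLICY = StateCheckerPolicy(accept_client_value=True, clear_on_logout=False)
HARDENED_POLICY = StateCheckerPolicy(accept_client_value=False, clear_on_logout=True)

if __name__ == "__main__":
    print("described behaviour reuses token:", token_reused_across_sessions(DESCRIBED_POLICY))
    print("hardened policy reuses token:   ", token_reused_across_sessions(HARDENED_POLICY))
```

`token_reused_across_sessions` is the property a regression test would pin: it must be false for any policy the deployment ships with. Note that the constant-time compare in `verify_state` is unchanged between the two policies; the weakness the post describes lies entirely in how the cookie value is chosen and how long it lives, not in the comparison.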
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 28 Aug 2017 18:41:27 +0200
Subject: [keycloak-user] Keycloak 3.3.0.CR1 Released
Message-ID:

We've just released Keycloak 3.3.0.CR1. To download the release go to the Keycloak homepage.

Highlights

Upgraded to WildFly 11 CR1
We've upgraded the underlying container to WildFly 11 CR1.

Cross DC Support
We've done loads of work to support multiple data centers. It's not 100% completed yet, but we'd love it if folks could give it a go and let us know what works well and what doesn't. There will be a blog post soon on how to try this out.

More Social
We've added support for social login with BitBucket and Gitlab.com.

Loads more..
- Dutch translation - thanks to gedejong and Jacob van Lingen
- Pass login_hint to identity brokers - thanks to dmnboutin

The full list of resolved issues is available in JIRA.

Upgrading
Before you upgrade remember to backup your database and check the migration guide. Release candidates are not recommended in production and we do not support upgrading from release candidates.

From john.d.ament at gmail.com Mon Aug 28 13:58:33 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 28 Aug 2017 17:58:33 +0000
Subject: [keycloak-user] Enabling Brute Force detection on account management changes
Message-ID:

Hi,

Very obscure pattern here. We want to be able to trigger brute force tracking when someone incorrectly enters their current password on the change password screen. It looks like we can do this in events, but wondering if this is a common use case that makes sense to do in core of keycloak?

John

From psilva at redhat.com Mon Aug 28 16:54:52 2017
From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 28 Aug 2017 17:54:52 -0300 Subject: [keycloak-user] Custom Authorization in Keycloak In-Reply-To: <1503933958299.76094@bearingpoint.com> References: <1503933958299.76094@bearingpoint.com> Message-ID: On Mon, Aug 28, 2017 at 12:25 PM, Muehlburger, Herbert < herbert.muehlburger at bearingpoint.com> wrote: > Hi, > > > thank's for the response. > > > So the only solution that I could think of is to wait for RFE to be > implemented? It would indeed solve our use case. > > Our authorization model is based on a role based access model (RBAC). But > we have some customaziations which give you additional permissions or > restrict your permissions to access certain entities. (Kind of a mix > between RBAC with row level security. We need to write our custom logic to > grant or deny access to the given resource. > It has been a while I'm thinking about this functionality. Your use case seems to have some of the requirements behind it. But now that you mentioned "certain entities" and "row level security", I assume you already have a bunch of these entities in your database, so you would need to create them in Keycloak in order to be able to associate them with policies. They would need to be resources in Keycloak. The idea behind that RFE is to allow people to delegate authorization decisions to an external service (KC acting as an authorization broker) when evaluating permissions for specific resources. I think it would not address all your requirements though, but maybe complicate things as you would need to re-create your entities as resources in Keycloak. > > > We don't want to use internal SPIs that will be changed in future releases > and we are not able to migrate our authorization model to Keycloak because > of our customizations. > > > Do you think RFE (https://issues.jboss.org/browse/KEYCLOAK-5346) will be > addressed in near future? 
> > Best, > > Herbert > > > ________________________________ > Von: Pedro Igor Silva > Gesendet: Montag, 28. August 2017 14:24 > An: Muehlburger, Herbert > Cc: keycloak-user at lists.jboss.org > Betreff: Re: [keycloak-user] Custom Authorization in Keycloak > > The only SPI we have in AuthZ Services is for writing custom policy > providers. But this SPI is not yet public and should change in next > releases. > > What do you think about this RFE [1] ? > > How your permissions look like in your legacy database ? E.g.: A string > like resource:role|group|user:action ? > > [1] https://issues.jboss.org/browse/KEYCLOAK-5346 > > > On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert < > herbert.muehlburger at bearingpoint.com t.muehlburger at bearingpoint.com>> wrote: > Dear Keycloak Community, > > > we are evaluating Keycloak and have the use that that we cannot migrate > authorization information (roles, permissions, ...) to Keycloak. We have > this information stored in a legacy database. Is it possible to write an > extension to Keycloak which handles with authorization decisions there? It > would load our roles and permissions, etc. and decide if it grants access > to the user or client being present. I know about the extension mechanism > on writing custom User Store providers but I'm not sure if this is the > right place to do that for authorization information as well? > > > Thank you for any help, > > Best regard, > > Herbert? 
> > > > Herbert Mühlburger > Senior System Engineer > > T +43 316 8003 > F +43 316 8003 1080 > > BearingPoint > Seering 6, Block B > 8141 Premstätten > Austria > > herbert.muehlburger at bearingpoint.com > www.bearingpoint.com > ________________________________ > BearingPoint Technology GmbH > Registered office: Premstätten bei Graz > Commercial register court: Landesgericht für ZRS Graz > Commercial register number: FN 44354b > > The information in this email is confidential and may be legally > privileged. If you are not the intended recipient of this message, any > review, disclosure, copying, distribution, retention, or any action taken > or omitted to be taken in reliance on it is prohibited and may be unlawful. > If you are not the intended recipient, please reply to or forward a copy of > this message to the sender and delete the message, any attachments, and any > copies thereof from your system. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user 
From ylevine20 at gmail.com Mon Aug 28 19:43:15 2017 
From: ylevine20 at gmail.com (Y Levine) Date: Mon, 28 Aug 2017 16:43:15 -0700 Subject: [keycloak-user] Keycloak Standalone SSL Message-ID: I have the latest version of Keycloak running on Red Hat Linux 7 (all server specs followed). Added SSL following the steps here: http://www.keycloak.org/docs/1.9/server_installation_guide/topics/network/https.html All seems good to this stage (standalone startup logs below). However the following are not accessible remotely (firewalld, and all other firewalls checked out): http://server-name:8080/auth https://server-name:8080/auth Have I missed another setting?
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /opt/keycloak-3.2.1.Final
JAVA: /opt/jdk1.8.0_144/bin/java
JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
=========================================================================
15:45:44,940 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
15:45:45,138 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
15:45:45,230 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0049: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) starting
15:45:46,633 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
15:45:46,681 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.4.Final
15:45:46,692 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.4.Final
15:45:46,760 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 27) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
15:45:46,842 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 32) WFLYCLINF0001: Activating Infinispan subsystem.
15:45:46,861 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 31) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
15:45:46,903 INFO [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
15:45:46,909 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
15:45:46,978 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 45) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
15:45:46,995 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 40) WFLYNAM0001: Activating Naming Subsystem
15:45:47,011 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 38) WFLYJSF0007: Activated the following JSF Implementations: [main]
15:45:47,054 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 46) WFLYUT0003: Undertow 1.3.15.Final starting
15:45:47,070 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.3.15.Final starting
15:45:47,074 INFO [org.jboss.as.naming] (MSC service thread 1-1) WFLYNAM0003: Starting Naming Service
15:45:47,074 INFO [org.jboss.as.mail.extension] (MSC service thread 1-1) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
15:45:47,107 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.18.Final
15:45:47,370 INFO [org.jboss.as.security] (ServerService Thread Pool -- 44) WFLYSEC0002: Activating Security Subsystem
15:45:47,376 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final
15:45:47,395 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 46) WFLYUT0014: Creating file handler for path '/opt/keycloak-3.2.1.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
15:45:47,416 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0012: Started server default-server.
15:45:47,417 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0018: Host default-host starting
15:45:47,485 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080
15:45:47,571 INFO [org.jboss.as.ejb3] (MSC service thread 1-4) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 32 (per class), which is derived from thread worker pool sizing.
15:45:47,571 INFO [org.jboss.as.ejb3] (MSC service thread 1-3) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 8 (per class), which is derived from the number of CPUs on this host.
15:45:48,065 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
15:45:48,110 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
15:45:48,111 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
15:45:48,112 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
15:45:48,162 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/keycloak-3.2.1.Final/standalone/deployments
15:45:48,726 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
15:45:48,788 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started loginFailures cache from keycloak container
15:45:48,803 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started sessions cache from keycloak container
15:45:48,806 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started realms cache from keycloak container
15:45:48,792 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started work cache from keycloak container
15:45:48,813 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0002: Started actionTokens cache from keycloak container
15:45:48,815 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0002: Started authorization cache from keycloak container
15:45:48,815 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started authenticationSessions cache from keycloak container
15:45:48,816 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started users cache from keycloak container
15:45:48,817 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
15:45:48,817 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started keys cache from keycloak container
15:45:49,729 INFO [org.keycloak.services] (ServerService Thread Pool -- 51) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
15:45:50,238 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started realmRevisions cache from keycloak container
15:45:50,245 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started userRevisions cache from keycloak container
15:45:50,256 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
15:45:53,247 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 51) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
15:45:53,299 INFO [org.hibernate.Version] (ServerService Thread Pool -- 51) HHH000412: Hibernate Core {5.0.7.Final}
15:45:53,300 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000206: hibernate.properties not found
15:45:53,302 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000021: Bytecode provider name : javassist
15:45:53,331 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 51) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
15:45:53,458 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 51) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
15:45:53,464 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 51) HHH000431: Unable to determine H2 database version, certain features may not work
15:45:53,503 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 51) Envers integration enabled? : true
15:45:54,069 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 51) HV000001: Hibernate Validator 5.2.3.Final
15:45:54,780 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 51) HHH000397: Using ASTQueryTranslatorFactory
15:45:56,143 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002225: Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
15:45:56,144 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002205: Adding provider class org.keycloak.services.filters.KeycloakTransactionCommitter from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002200: Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002200: Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002210: Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RobotsResource from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
15:45:56,225 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 51) WFLYUT0021: Registered web context: /auth
15:45:56,274 INFO [org.jboss.as.server] (ServerService Thread Pool -- 47) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started in 11793ms - Started 448 of 823 services (561 services are lazy, passive or on-demand)
From christianlutz at inovel.de Tue Aug 29 01:57:53 2017 
From: christianlutz at inovel.de (christian lutz) Date: Tue, 29 Aug 2017 05:57:53 +0000 Subject: [keycloak-user] Keycloak Standalone SSL In-Reply-To: References: Message-ID: <00060402.59A51E6D@mail.ino.local> Hello Levine, I guess you are just using the wrong port. Please try 8443 (unofficial) or 443, the official HTTPS port. Christian -------- Original Message -------- Subject: [keycloak-user] Keycloak Standalone SSL (29. August 2017, 01:43) 
From: Y Levine To: christianlutz at inovel.de > [quoted original message and startup log omitted; identical to Y Levine's message above] From shohou at gmail.com Tue Aug 29 03:07:18 2017 
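The startup log in Y Levine's message already answers the question: the HTTP listener is on 127.0.0.1:8080 and the HTTPS listener on 127.0.0.1:8443, so neither is reachable from another host whatever port is used, and https://server-name:8080/auth additionally sends TLS to the plain HTTP listener. The following check is an editor's addition, not code from the thread or from the Keycloak project. It parses the Undertow WFLYUT0006 "listener ... listening on" lines (the three sample lines are copied from the log above) and reports, for a given URL, a scheme/port mismatch and a loopback-only bind. The remedy it prints, starting the server with -b <address> (which sets the jboss.bind.address property that standalone.xml's public interface reads), is standard WildFly usage; the function and variable names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: listener lines copied from the standalone startup log
# posted in this thread (only the lines this check cares about).
SAMPLE_LOG = """\
15:45:47,485 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080
15:45:48,726 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
"""

# WFLYUT0006 is Undertow's "listener started" message; the HTTP/HTTPS word
# says whether the port speaks plain HTTP or TLS, host:port is the bind.
LISTENER_RE = re.compile(
    r"WFLYUT0006: Undertow (?P<scheme>HTTPS?) listener (?P<name>\S+) "
    r"listening on (?P<host>[\w.\[\]:-]+):(?P<port>\d+)"
)


def is_loopback(host):
    """True for bind addresses only reachable from the same machine."""
    host = host.strip("[]")
    return host.startswith("127.") or host in ("localhost", "::1")


def parse_listeners(log_text):
    """Extract scheme, name, host and port from every Undertow listener line."""
    listeners = []
    for line in log_text.splitlines():
        m = LISTENER_RE.search(line)
        if m:
            listeners.append({
                "scheme": m.group("scheme").lower(),
                "name": m.group("name"),
                "host": m.group("host"),
                "port": int(m.group("port")),
            })
    return listeners


def diagnose(log_text, url):
    """Return the reasons `url` cannot be reached from another host, judged only
    from the listener lines in the startup log. An empty list means the log shows
    nothing wrong; firewalls and DNS are outside what the log can tell us."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    problems = []
    matching = [ln for ln in parse_listeners(log_text) if ln["port"] == port]
    if not matching:
        problems.append(f"no Undertow listener is bound on port {port}")
    for ln in matching:
        if ln["scheme"] != u.scheme:
            problems.append(
                f"port {port} is the {ln['scheme'].upper()} listener, "
                f"but the URL uses {u.scheme}://"
            )
        if is_loopback(ln["host"]):
            problems.append(
                f"{ln['scheme'].upper()} listener is bound to {ln['host']}:{port} "
                f"(loopback only); start with -b <public-ip> or -b 0.0.0.0, "
                f"i.e. set jboss.bind.address"
            )
    return problems


if __name__ == "__main__":
    for url in ("http://server-name:8080/auth",
                "https://server-name:8080/auth",
                "https://server-name:8443/auth"):
        print(url)
        for p in diagnose(SAMPLE_LOG, url) or ["log shows no problem"]:
            print("  -", p)
```

One caveat before copying the -b 0.0.0.0 advice onto a production host: it exposes the plain HTTP listener on 8080 as well as the TLS one, so bind the public interface explicitly, keep 8080 firewalled or remove the listener, and leave the management interface (127.0.0.1:9990 in the log, which -b does not change) on loopback.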
From: shohou at gmail.com (Дмитрий Шохов) Date: Tue, 29 Aug 2017 10:07:18 +0300 Subject: [keycloak-user] security context cleared in KeycloakAuthenticationProcessingFilter Message-ID: Hi! I have a question regarding the Spring Security adapter. I have an angularjs app which opens a websocket using sockjs and a backend using Java and Spring. I added authentication to the client and wanted to check the authorization token when the client sends the websocket handshake to the server. Unfortunately sockjs doesn't allow sending additional headers because of some security concern. So I decided that I will do a REST request with an Authorization header before opening the websocket, and then the websocket would be authorized because it would be the same http session. This works fine. Now the interesting part. When I open the app the first time the websocket opens fine, but if I refresh the page the websocket handshake returns the 401 code. I spent some time finding the reason for this and this is what I found. After the reload:
1. I send the REST request and spring starts its filter chain
2. SecurityContextPersistenceFilter loads the security context stored in the http session and sets it to the thread local: SecurityContextHolder.setContext(contextBeforeChainExecution)
3. Down the filter chain KeycloakAuthenticationProcessingFilter starts and does the authorization, which is successful, and in the successfulAuthentication method it continues the chain with chain.doFilter(request, response)
4. KeycloakAuthenticationProcessingFilter continues the chain in a try-finally block and after the chain finishes it clears the context with SecurityContextHolder.clearContext();
5. SecurityContextPersistenceFilter in its finally block saves the security context back to the http session repository, which is HttpSessionSecurityContextRepository. The repository sees that there was an authenticated security context before the chain started and now it is unauthenticated because the keycloak filter cleared it, and it clears it from the http session.
6. The websocket handshake fails because there is no longer an authenticated security context in the http session.
After another reload or during the first load it works, because the security context is eagerly saved from SessionManagementFilter, but SecurityContextPersistenceFilter sees that there was no context before the chain started and no context after the chain finished, so it does nothing and the eagerly saved context survives in the http session. It looks to me like KeycloakAuthenticationProcessingFilter should not clear the context, and if I remove that line in a locally built version everything starts to work as I expect. But maybe I don't understand something, I'm pretty new to spring security. Waiting for your clarifications. keycloak-spring-security-adapter version 3.2.1.Final spring-security-web version 4.2.2.RELEASE Thanks, Dmitry From pcfleischer at outlook.com Tue Aug 29 04:31:27 2017 From: pcfleischer at outlook.com (Phillip Fleischer) Date: Tue, 29 Aug 2017 08:31:27 +0000 Subject: [keycloak-user] Keycloak Standalone SSL In-Reply-To: <00060402.59A51E6D@mail.ino.local> References: , <00060402.59A51E6D@mail.ino.local> Message-ID: Another possibility is you're only bound to the local IP. You could try starting with -b 0.0.0.0 or the external IP explicitly. I think you can also change the xml configuration if you don't want to add -b. ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of christian lutz Sent: Tuesday, August 29, 2017 1:57:53 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak Standalone SSL Hello Levine, I guess you are just using the wrong port. Please try 8443 (unofficial) or 443, the official HTTPS port. Christian -------- Original Message -------- Subject: [keycloak-user] Keycloak Standalone SSL (29. August 2017, 01:43) 
From: Y Levine To: christianlutz at inovel.de
> I have the latest version of Keycloak running on a Red Hat Linux 7 (all server specs followed).
>
> Added SSL via following steps here:
> http://www.keycloak.org/docs/1.9/server_installation_guide/topics/network/https.html
>
> All seems good to this stage (standalone startup logs below).
>
> However the following are not accessible remotely (firewalld, and all other firewalls checked out)
>
> http://server-name:8080/auth
> https://server-name:8080/auth
>
> Have I missed another setting?
>
> =========================================================================
>
> JBoss Bootstrap Environment
>
> JBOSS_HOME: /opt/keycloak-3.2.1.Final
>
> JAVA: /opt/jdk1.8.0_144/bin/java
>
> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>
> =========================================================================
>
> 15:45:44,940 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> 15:45:45,138 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 15:45:45,230 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0049: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) starting
> 15:45:46,633 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> 15:45:46,681 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.4.Final
> 15:45:46,692 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.4.Final
> 15:45:46,760 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 27) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
> 15:45:46,842 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 32) WFLYCLINF0001: Activating Infinispan subsystem.
> 15:45:46,861 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 31) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
> 15:45:46,903 INFO [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
> 15:45:46,909 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
> 15:45:46,978 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 45) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
> 15:45:46,995 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 40) WFLYNAM0001: Activating Naming Subsystem
> 15:45:47,011 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 38) WFLYJSF0007: Activated the following JSF Implementations: [main]
> 15:45:47,054 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 46) WFLYUT0003: Undertow 1.3.15.Final starting
> 15:45:47,070 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.3.15.Final starting
> 15:45:47,074 INFO [org.jboss.as.naming] (MSC service thread 1-1) WFLYNAM0003: Starting Naming Service
> 15:45:47,074 INFO [org.jboss.as.mail.extension] (MSC service thread 1-1) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> 15:45:47,107 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.18.Final
> 15:45:47,370 INFO [org.jboss.as.security] (ServerService Thread Pool -- 44) WFLYSEC0002: Activating Security Subsystem
> 15:45:47,376 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final
> 15:45:47,395 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 46) WFLYUT0014: Creating file handler for path '/opt/keycloak-3.2.1.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
> 15:45:47,416 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0012: Started server default-server.
> 15:45:47,417 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0018: Host default-host starting
> 15:45:47,485 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080
> 15:45:47,571 INFO [org.jboss.as.ejb3] (MSC service thread 1-4) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 32 (per class), which is derived from thread worker pool sizing.
> 15:45:47,571 INFO [org.jboss.as.ejb3] (MSC service thread 1-3) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 8 (per class), which is derived from the number of CPUs on this host.
> 15:45:48,065 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
> 15:45:48,110 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> 15:45:48,111 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> 15:45:48,112 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> 15:45:48,162 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/keycloak-3.2.1.Final/standalone/deployments
> 15:45:48,726 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
> 15:45:48,788 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started loginFailures cache from keycloak container
> 15:45:48,803 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started sessions cache from keycloak container
> 15:45:48,806 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started realms cache from keycloak container
> 15:45:48,792 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started work cache from keycloak container
> 15:45:48,813 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0002: Started actionTokens cache from keycloak container
> 15:45:48,815 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0002: Started authorization cache from keycloak container
> 15:45:48,815 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started authenticationSessions cache from keycloak container
> 15:45:48,816 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started users cache from keycloak container
> 15:45:48,817 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> 15:45:48,817 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started keys cache from keycloak container
> 15:45:49,729 INFO [org.keycloak.services] (ServerService Thread Pool -- 51) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
> 15:45:50,238 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started realmRevisions cache from keycloak container
> 15:45:50,245 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started userRevisions cache from keycloak container
> 15:45:50,256 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
> 15:45:53,247 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 51) HHH000204: Processing PersistenceUnitInfo [
>     name: keycloak-default
>     ...]
> 15:45:53,299 INFO [org.hibernate.Version] (ServerService Thread Pool -- 51) HHH000412: Hibernate Core {5.0.7.Final}
> 15:45:53,300 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000206: hibernate.properties not found
> 15:45:53,302 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000021: Bytecode provider name : javassist
> 15:45:53,331 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 51) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
> 15:45:53,458 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 51) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
> 15:45:53,464 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 51) HHH000431: Unable to determine H2 database version, certain features may not work
> 15:45:53,503 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 51) Envers integration enabled? : true
> 15:45:54,069 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 51) HV000001: Hibernate Validator 5.2.3.Final
> 15:45:54,780 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 51) HHH000397: Using ASTQueryTranslatorFactory
> 15:45:56,143 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002225: Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,144 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002205: Adding provider class org.keycloak.services.filters.KeycloakTransactionCommitter from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002200: Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002200: Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002210: Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RobotsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 51) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> 15:45:56,225 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 51) WFLYUT0021: Registered web context: /auth
> 15:45:56,274 INFO [org.jboss.as.server] (ServerService Thread Pool -- 47) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
> 15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
> 15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started in 11793ms - Started 448 of 823 services (561 services are lazy, passive or on-demand)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user From pcfleischer at outlook.com Tue Aug 29 05:51:20 2017 From: pcfleischer at outlook.com (Phillip Fleischer) Date: Tue, 29 Aug 2017 09:51:20 +0000 Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha? In-Reply-To: References: Message-ID: My guess around configuration is expected default infrastructure is truly standalone on virtual infrastructure or openshift where ssl is terminated on jboss and infrastructure supports multicast dns for ha. We use our own standalone.xml similar to below. You'll probably want to look at jgroups jdbc ping since multicast might not work. Someone recently asked if you can just disable cache if you can avoid jgroups but I haven't tried that myself or heard back that is a viable solution. https://goldmann.pl/blog/2014/07/23/customizing-the-configuration-of-the-wildfly-docker-image/ http://www.fafonso.com/jgroups/unicast/postgresql/jdbc/ping/cluster/2016/08/07/jgroups-with-postgresql.html _____________________________ 
From: Tonnis Wildeboer Sent: Friday, August 25, 2017 1:33 PM Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha?
I am attempting to run Keycloak in a kubernetes cluster with a shared postgres (RDS) db. Everything is hosted on AWS. The keycloak instances are deployed using Helm. I have read the clustering documentation and from that it seems that the appropriate clustering mode in this scenario would be "Standalone Clustered Mode". Therefore, I am using the "jboss/keycloak-ha-postgres" Docker image. Since I am using the nginx Ingress controller I have the prescribed PROXY_ADDRESS_FORWARDING=true environment variable. Upon inspection of the Docker image, however, I noticed that the $JBOSS_HOME/standalone/configuration/standalone-ha.xml file in that image does not have the proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" attribute in the http-listener element. I also noticed that the jboss-dockerfiles/keycloak-server base image has a sed command to add this to the standalone.xml file but not to the standalone-ha.xml file. Also, of the examples I have found via Google searches, I have not found examples of deploying Keycloak this way, which is surprising. I have seen examples with a single instance using the standalone postgres image, but not "Standalone Clustered". So here are my questions:
1. What are the specific differences between using --server-config standalone-ha.xml vs standalone.xml?
2. Is there communication between the pods that needs to happen when running in "Standalone Clustered Mode"? (I ask this because I would need to make sure that this is possible, possibly across VPCs.) If so, what is it? I am hoping they just share a database.
3. Why doesn't the base jboss-dockerfiles/keycloak-server image also modify the standalone-ha.xml file, in the same way it modifies the standalone.xml file (https://github.com/jboss-dockerfiles/keycloak/blob/0a54ccaccd5e27e75105b904708ac4ccd80df5c5/server/Dockerfile#L23-L25)?
4. Is there any other documentation, etc. that I should be looking at?
Thank you, Tonnis
From dev at sgordon.totalise.co.uk Tue Aug 29 06:51:08 2017 From: dev at sgordon.totalise.co.uk (Simon Gordon) Date: Tue, 29 Aug 2017 11:51:08 +0100 Subject: [keycloak-user] Non-standard SAML profiles Message-ID: <11f3ac0481bf321f61b5e3787d133a5f@totalise.co.uk> Hello all, I am looking at how to support SAML profiles beyond the usual Web SSO profiles that are typically supported within Identity Broker products such as KeyCloak. The biggest two in my mind are eIDAS, which is an EU regulation and technical standard for cross-border identity, plus the UK Government's GOV.UK Verify service. The SAML specifications and profiles are available at: https://joinup.ec.europa.eu/sites/default/files/eidas_message_format_v1.0.pdf https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458610/Identity_Assurance_Hub_Service_Profile_v1.2a.pdf (short SAML snippet at: https://alphagov.github.io/rp-onboarding-tech-docs/pages/saml/samlIntegration.html#send-a-saml-authentication-request-to-the-gov-uk-verify-hub) I guess the short version is that I suspect I need to work on extending the SAML profiles that KeyCloak supports, but there is not yet an 'adapter' to start with? Any pointers, or work that is already looking at how to plug further SAML profiles into the product, gratefully received! Regards, Simon
From herbert.muehlburger at bearingpoint.com Tue Aug 29 11:12:54 2017
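For the Kubernetes/RDS clustering thread above, an added configuration example (not from the thread, the jboss/keycloak images or the Keycloak project): the two parts of standalone-ha.xml that Tonnis' questions touch, written against the subsystem schema versions I believe Keycloak 3.2.x ships (undertow 3.1, jgroups 4.0; check the file you actually have). The first fragment carries the proxy-address-forwarding attribute over to the HA configuration, the same change the base image's sed applies to standalone.xml, with a default of false so the server still boots when the variable is unset. The second replaces UDP multicast discovery, which most Kubernetes networks do not carry, with JDBC_PING, so the pods find each other through the shared database. The JGROUPSPING DDL is the PostgreSQL variant (bytea instead of JGroups' default varbinary) and is an assumption to verify against your JGroups version.

```xml
<!-- standalone-ha.xml, undertow subsystem: trust X-Forwarded-* from the nginx Ingress only
     when PROXY_ADDRESS_FORWARDING=true; any other value keeps header trust off. -->
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"
                       proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}"/>
        <!-- remaining listeners, host and handlers unchanged -->
    </server>
</subsystem>

<!-- standalone-ha.xml, jgroups subsystem: TCP stack with discovery through the Keycloak datasource
     instead of the shipped udp/MPING stack. -->
<subsystem xmlns="urn:jboss:domain:jgroups:4.0">
    <channels default="ee">
        <channel name="ee" stack="tcp"/>
    </channels>
    <stacks>
        <stack name="tcp">
            <transport type="TCP" socket-binding="jgroups-tcp"/>
            <protocol type="JDBC_PING">
                <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
                <!-- PostgreSQL DDL (assumed): JGroups' built-in default uses varbinary and fails here -->
                <property name="initialize_sql">
                    CREATE TABLE IF NOT EXISTS JGROUPSPING (
                        own_addr     varchar(200) NOT NULL,
                        cluster_name varchar(200) NOT NULL,
                        ping_data    bytea,
                        PRIMARY KEY (own_addr, cluster_name))
                </property>
            </protocol>
            <protocol type="MERGE3"/>
            <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
            <protocol type="FD"/>
            <protocol type="VERIFY_SUSPECT"/>
            <protocol type="pbcast.NAKACK2"/>
            <protocol type="UNICAST3"/>
            <protocol type="pbcast.STABLE"/>
            <protocol type="pbcast.GMS"/>
            <protocol type="MFC"/>
            <protocol type="FRAG2"/>
        </stack>
    </stacks>
</subsystem>
```

On question 2: yes, the pods talk to each other. JDBC_PING only replaces discovery; once members are known, Infinispan replicates the sessions and work caches over the jgroups-tcp socket binding (7600 by default), so that port must be reachable between pods, and across VPCs if that is where they run. Start each pod with -Djboss.bind.address.private set to the pod IP rather than 0.0.0.0, because the address written into JGROUPSPING is the one the other members dial. Nothing in this stack authenticates or encrypts the cluster traffic, so fence the port with a NetworkPolicy or add the JGroups AUTH and encryption protocols before exposing it beyond one trusted network.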
From: herbert.muehlburger at bearingpoint.com (Muehlburger, Herbert) Date: Tue, 29 Aug 2017 15:12:54 +0000 Subject: [keycloak-user] IllegalStateException when trying to run app-profile-jee-vanilla from keycloak-quickstarters Message-ID: <1504019574252.6988@bearingpoint.com> Hi, I'm following the steps described under http://www.keycloak.org/docs/3.3/getting_started/topics/secure-jboss-app/download-quickstarts.html and get the following Exception:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.375 s
[INFO] Finished at: 2017-08-29T17:02:57+02:00
[INFO] Final Memory: 44M/911M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./vanilla" => "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAu{thenticationFactory.
[ERROR] Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
[ERROR] Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory."}}}} [ERROR] -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./vanilla" => "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory. Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory. 
Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory."}}}} at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193) at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106) at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863) at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288) at org.apache.maven.cli.MavenCli.main(MavenCli.java:199) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289) at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415) at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356) Caused by: org.apache.maven.plugin.MojoExecutionException: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. 
Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./vanilla" => "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory. Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory. Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory."}}}}
at org.wildfly.plugin.deployment.AbstractDeployment.execute(AbstractDeployment.java:148)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
... 20 more
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
mvn clean wildfly:deploy -e -DskipTests 18,76s user 0,40s system 228% cpu 8,390 total
Steps to reproduce:
* $ git clone https://github.com/keycloak/keycloak-quickstarts
* $ cd keycloak-quickstarts/app-profile-jee-vanilla
* $ mvn clean wildfly:deploy
I'm running the newly released Keycloak 3.3.0.CR1 standalone downloaded from the official download (https://downloads.jboss.org/keycloak/3.3.0.CR1/keycloak-3.3.0.CR1.tar.gz). The spring-boot apps also produce build errors when following the official guide at https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-springboot Thank you for any help!
Best, Herbert
From byarger at redhat.com Tue Aug 29 11:52:54 2017 From: byarger at redhat.com (Brent Yarger) Date: Tue, 29 Aug 2017 08:52:54 -0700 Subject: [keycloak-user] RHT SSO 7.1 + OAuth2 Identity Provider Message-ID: Hello, Keycloak / RHT SSO supports social login and custom / user-defined IDPs. The options for a custom IDP are SAML v2.0, OIDC v1.0, and Keycloak OIDC. Does keycloak support a user-defined IDP that uses OAuth2? If not, is this possible to implement / what is the process to add an OAuth2 IDP? Thanks, Brent
From adam.keily at adelaide.edu.au Tue Aug 29 21:17:09 2017
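For Brent's question above, an added example (not from the thread and not Keycloak's own code) of how a plain OAuth2 provider is added: the same way Keycloak's bundled social providers such as GitHub are built, by extending AbstractOAuth2IdentityProvider and registering a SocialIdentityProviderFactory. It is written against the 3.x broker SPI as I understand it; the endpoint URLs, profile field names, provider id and the SimpleHttp.doGet(url, session) signature are assumptions for a hypothetical provider.

```java
// File: ExampleOAuth2IdentityProvider.java
package com.example.keycloak.idp;

import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.models.KeycloakSession;

/** Plain OAuth2 (no ID token) identity provider for a hypothetical API; URLs and fields are assumptions. */
public class ExampleOAuth2IdentityProvider extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig>
        implements SocialIdentityProvider<OAuth2IdentityProviderConfig> {

    static final String AUTH_URL = "https://idp.example.test/oauth/authorize";
    static final String TOKEN_URL = "https://idp.example.test/oauth/token";
    static final String PROFILE_URL = "https://idp.example.test/api/me";
    static final String DEFAULT_SCOPE = "profile email";

    public ExampleOAuth2IdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
        // Fixed endpoints, as the bundled social providers do; the admin only supplies client id/secret.
        config.setAuthorizationUrl(AUTH_URL);
        config.setTokenUrl(TOKEN_URL);
        config.setUserInfoUrl(PROFILE_URL);
    }

    @Override
    protected String getDefaultScopes() {
        return DEFAULT_SCOPE;
    }

    /** Called with the access token after the code exchange; the profile call is the only identity source. */
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            JsonNode profile = SimpleHttp.doGet(PROFILE_URL, session)   // assumed 3.x signature
                    .header("Authorization", "Bearer " + accessToken)
                    .asJson();

            // The broker id must be the provider's stable, immutable user id, never the e-mail.
            String subject = getJsonProperty(profile, "id");
            if (subject == null || subject.isEmpty()) {
                throw new IdentityBrokerException("Profile response carries no stable user id");
            }
            BrokeredIdentityContext user = new BrokeredIdentityContext(subject);
            user.setUsername(getJsonProperty(profile, "login"));
            user.setName(getJsonProperty(profile, "name"));

            // Only pass the e-mail on when the API vouches for it; the first-broker-login flow may
            // use it to match existing accounts. "email_verified" is a hypothetical field.
            if ("true".equals(getJsonProperty(profile, "email_verified"))) {
                user.setEmail(getJsonProperty(profile, "email"));
            }

            user.setIdpConfig(getConfig());
            user.setIdp(this);
            // Keeps the raw profile available to attribute mappers configured on this IdP.
            AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
            return user;
        } catch (IdentityBrokerException e) {
            throw e;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from example IdP", e);
        }
    }
}

// File: ExampleOAuth2IdentityProviderFactory.java
package com.example.keycloak.idp;

import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;

public class ExampleOAuth2IdentityProviderFactory extends AbstractIdentityProviderFactory<ExampleOAuth2IdentityProvider>
        implements SocialIdentityProviderFactory<ExampleOAuth2IdentityProvider> {

    public static final String PROVIDER_ID = "example-oauth2";   // assumed id; becomes the default alias

    @Override
    public String getName() {
        return "Example OAuth2";   // label shown in the admin console's "Add provider" list
    }

    @Override
    public ExampleOAuth2IdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new ExampleOAuth2IdentityProvider(session, new OAuth2IdentityProviderConfig(model));
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }
}
```

Package both classes in a JAR whose META-INF/services/org.keycloak.broker.social.SocialIdentityProviderFactory file names the factory, deploy it, and the provider shows up next to GitHub and Google. The security point is in doGetFederatedIdentity: a plain OAuth2 API gives no signed ID token, so whatever the profile endpoint returns is the identity, and an e-mail the provider has not verified must not be allowed to drive account matching.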
From: adam.keily at adelaide.edu.au (Adam Keily) Date: Wed, 30 Aug 2017 01:17:09 +0000 Subject: [keycloak-user] Detect existing IdP session Message-ID: Hi, Forgive me if this is a dumb question. I'm just wondering if it's possible for keycloak to detect that a user has already authenticated to a configured IDP before being presented the login page. E.g. we have multiple IdPs configured in Keycloak: Facebook, Google, corporate ADFS. If they have an existing session, can that be detected? E.g.
1. User is already authenticated to ADFS.
2. They attempt to access a KC protected application.
3. Instead of having to click the IDP link on the KC login screen to be redirected to ADFS and back again, they are instead just authenticated using their existing ADFS session.
I know about kc_idp_hint and default IdP but this is more a case where a user might be already authenticated to one of multiple IdPs. Something like "Detected ADFS session. Continue as ADFS userA?". I guess if you've authed to more than one IDP it could be a problem. Thanks, Adam
From rudreshsj at gmail.com Wed Aug 30 00:22:16 2017 From: rudreshsj at gmail.com (Rudresh Shashikant) Date: Wed, 30 Aug 2017 11:22:16 +0700 Subject: [keycloak-user] Keycloak can't access identity provider behind corporate proxy Message-ID: Hi, Have been having trouble with keycloak and Facebook connectivity behind a corporate proxy as well. Reference: http://lists.jboss.org/pipermail/keycloak-user/2016-July/006925.html Realised after *a lot* of trial and error that `-Dhttp.proxyHost` and `-Dhttp.proxyPort` are not even used when the JVM starts. My colleague wrote a custom provider in an attempt to use the system proxy but was unable to load it into the keycloak runtime: https://github.com/xiaoyvr/custom-http-client-provider Is there any example we can follow or alternative (maybe obvious and hidden in plain sight) solution we missed? Thanks. Regards, Rudy.
From adam.keily at adelaide.edu.au Wed Aug 30 00:26:40 2017
From: adam.keily at adelaide.edu.au (Adam Keily) Date: Wed, 30 Aug 2017 04:26:40 +0000 Subject: [keycloak-user] Skip Broker First-Time Flow? In-Reply-To: <3c7e369e-74c2-e9ce-af49-5ce2b30ea6af@redhat.com> References: <000001d31c40$e0271a20$a0754e60$@gmail.com> <000801d31da3$476c21e0$d64465a0$@gmail.com> <3c7e369e-74c2-e9ce-af49-5ce2b30ea6af@redhat.com> Message-ID: Check out https://github.com/ohioit/keycloak-link-idp-with-user. We use it to silently link users coming from another corporate IDP with our federated LDAP accounts.
-----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda Sent: Friday, 25 August 2017 10:59 PM To: Peter K. Boucher ; 'Phillip Fleischer' ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Skip Broker First-Time Flow? Yes. Marek
On 25/08/17 15:08, Peter K. Boucher wrote:
> Not asking you to review/endorse this code, but does the approach seem reasonable? https://github.com/ohioit/keycloak-link-idp-with-user
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, August 24, 2017 5:30 AM
> To: Phillip Fleischer ; Peter K. Boucher ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Skip Broker First-Time Flow?
>
> +1 to what Phillip mentioned.
>
> We were thinking of adding the authenticator OOTB, which will link accounts automatically. But we didn't add it in the end because of security. However you're not the first asking for it, so maybe it makes sense - as long as this authenticator won't be in the flow by default and the admin would need to edit the first-broker-login flow at his own risk. Feel free to create a JIRA (maybe it already exists, so you can add a comment like "I want it too" and add a vote :) )
>
> Marek
>
> On 24/08/17 10:38, Phillip Fleischer wrote:
>> Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want.
>>
>> As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own.
>>
>> ________________________________
>> From: keycloak-user-bounces at lists.jboss.org on behalf of Peter K. Boucher
>> Sent: Wednesday, August 23, 2017 2:51:48 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Skip Broker First-Time Flow?
>>
>> We have a need to pre-provision user accounts that are to be accessed with SAML from an outside IdP. These accounts are only ever to be used via SAML from this external IdP (i.e., we never want them to have to use a password to verify anything to Keycloak).
>>
>> Is there any way for the account-linking the first time the user comes in with SAML to happen automatically and silently?
>>
>> We understand that in some circumstances it would be a security hole to allow someone to connect via a brokered IdP to an existing account that has already been used, but these accounts are being created specifically to be accessed by this particular broker.
>>
>> Any help?
>>
>> Thanks!
>>
>> Regards,
>>
>> Peter K. Boucher
From adam.keily at adelaide.edu.au Wed Aug 30 00:39:16 2017
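For the thread above, an added example (not the ohioit project's code and not part of the thread) of the first-broker-login authenticator Marek describes, written against the 3.x authenticator SPI as I understand it. It keeps the silent link narrow in the way Peter's use case allows: the local account is found by the e-mail the IdP asserts, but is only claimed when it carries a hypothetical broker-link-only attribute equal to that IdP's alias and has never been linked to any IdP before. Every other case falls through to the normal flow. The attribute name, provider id and display strings are assumptions.

```java
// File: PreprovisionedLinkAuthenticator.java
package com.example.keycloak.broker;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * First-broker-login step that links the incoming identity to an existing local account
 * without user interaction, but only for accounts created for exactly this identity provider.
 * Added example; the attribute name is an assumption, not a Keycloak convention.
 */
public class PreprovisionedLinkAuthenticator extends AbstractIdpAuthenticator {

    /** Hypothetical user attribute: alias of the single IdP allowed to claim this account. */
    static final String LINK_ONLY_ATTR = "broker-link-only";

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        String idpAlias = brokerContext.getIdpConfig().getAlias();
        String email = brokerContext.getEmail();

        // No e-mail asserted, or no enabled local account with it: leave it to the rest of the flow.
        UserModel candidate = (email == null) ? null : session.users().getUserByEmail(email, realm);
        if (candidate == null || !candidate.isEnabled()) {
            context.attempted();
            return;
        }

        // Claim only an account provisioned for this IdP that no IdP has been linked to yet.
        boolean provisionedForThisIdp = idpAlias.equals(candidate.getFirstAttribute(LINK_ONLY_ATTR));
        boolean neverLinked = session.users().getFederatedIdentities(candidate, realm).isEmpty();
        if (!provisionedForThisIdp || !neverLinked) {
            context.attempted();
            return;
        }

        // With the user set, the broker endpoint links the federated identity to it when the flow succeeds.
        context.setUser(candidate);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        // Nothing is rendered, so there is no form submission to handle.
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}

// File: PreprovisionedLinkAuthenticatorFactory.java
// Register its class name in META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
package com.example.keycloak.broker;

import java.util.Collections;
import java.util.List;
import org.keycloak.Config;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;

public class PreprovisionedLinkAuthenticatorFactory implements AuthenticatorFactory {
    public static final String PROVIDER_ID = "idp-link-preprovisioned";   // assumed id
    // No REQUIRED choice: the authenticator answers attempted() for every non-matching user,
    // and a REQUIRED execution turns attempted() into a failed login.
    private static final Requirement[] CHOICES = { Requirement.ALTERNATIVE, Requirement.DISABLED };

    @Override public Authenticator create(KeycloakSession session) { return new PreprovisionedLinkAuthenticator(); }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Link pre-provisioned account"; }
    @Override public String getReferenceCategory() { return "autoLink"; }
    @Override public String getHelpText() {
        return "Silently links a brokered login to the local account whose "
                + PreprovisionedLinkAuthenticator.LINK_ONLY_ATTR + " attribute names this IdP.";
    }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public Requirement[] getRequirementChoices() { return CHOICES; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
}
```

Copy the "first broker login" flow, add this execution as ALTERNATIVE above "Create User If Unique", and bind the copy as the IdP's First Login Flow; when the authenticator matches, the flow ends there, otherwise the stock executions run as before. The trade-off Marek points out does not go away: whoever controls the IdP, or can get it to assert a chosen e-mail, logs in as any account carrying the attribute. So set the attribute only on accounts provisioned for that IdP, and only trust the e-mail match for an IdP you would trust with those accounts anyway, as with Peter's corporate SAML IdP; never with a social provider.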
From: adam.keily at adelaide.edu.au (Adam Keily) Date: Wed, 30 Aug 2017 04:39:16 +0000 Subject: [keycloak-user] Assign role to user using keycloak settings In-Reply-To: References: Message-ID: Check out the script based authenticator. You can check the email verified state and set a role accordingly. You can also use it to check the federation link state. e.g.
//Save email verified and federation link values to variables for evaluating
var mailver = user ? user.isEmailVerified() : "nover";
var fedlink = user ? user.getFederationLink() : "nofed";
...
//Grant a role
user.grantRole(realm.getRole("ExampleRole"));
Adam
-----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Krishna Kuntala Sent: Friday, 18 August 2017 8:58 PM To: keycloak-user Subject: [keycloak-user] Assign role to user using keycloak settings Hi All, I have enabled the email verification flow for user registration. However, I am wondering whether there is any way to assign a role to the user once the email has been verified. I understand that this could be achieved by calling REST APIs but can we do this through some keycloak configuration? Also, is there any way to assign a role after a user successfully links his profile with one of the IdPs (e.g. Google, Facebook)? Thanks and Regards, KK
From christianlutz at inovel.de Wed Aug 30 02:02:27 2017
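Adam's snippet above, carried through as an added example (not code from the thread) into a complete script authenticator. Keycloak runs these scripts on Nashorn, which is why this block is JavaScript in ES5 syntax rather than Java; the user, realm, session and LOG bindings and the authenticate(context) entry point are Keycloak's, while the role names and IdP aliases are assumptions. One detail differs from the snippet: getFederationLink() names the user-storage provider (such as LDAP) that owns the account, whereas links to brokered IdPs like Google or Facebook are separate federated identities, so those are read with session.users().getFederatedIdentities(user, realm). The decision logic takes its inputs as parameters so it can be exercised outside Keycloak with stand-in objects.

```javascript
// Keycloak "Script" authenticator (Nashorn, ES5 only). When deployed, Keycloak supplies the
// bindings user, realm, session and LOG and calls authenticate(context).
// Added example, not from the thread; role names and IdP aliases are assumptions.

// Grant a realm role exactly once; true only when the grant actually happened.
function grantRoleOnce(user, realm, roleName) {
    var role = realm.getRole(roleName);
    if (role === null || role === undefined) {
        return false;           // role missing in this realm: skip rather than fail the login
    }
    if (user.hasRole(role)) {
        return false;           // already granted on an earlier login
    }
    user.grantRole(role);
    return true;
}

// Aliases of the identity providers linked to the user. identities is the
// java.util.Set<FederatedIdentityModel> from session.users().getFederatedIdentities(user, realm),
// or null when there is no user yet.
function linkedIdpAliases(identities) {
    var aliases = [];
    if (identities === null || identities === undefined) {
        return aliases;
    }
    var it = identities.iterator();
    while (it.hasNext()) {
        aliases.push(String(it.next().getIdentityProvider()));
    }
    return aliases;
}

// Apply the rules and return the role names granted during this call.
//   verifiedRole: role for users whose e-mail address is verified
//   rolesByIdp:   map of IdP alias -> role for users linked to that IdP
function applyRoleRules(user, realm, identities, verifiedRole, rolesByIdp) {
    var granted = [];
    if (user === null || user === undefined) {
        return granted;         // authenticator placed before the username step
    }
    if (user.isEmailVerified() === true && grantRoleOnce(user, realm, verifiedRole)) {
        granted.push(verifiedRole);
    }
    var aliases = linkedIdpAliases(identities);
    for (var i = 0; i < aliases.length; i++) {
        // hasOwnProperty guards against an alias that happens to be an Object.prototype key
        if (Object.prototype.hasOwnProperty.call(rolesByIdp, aliases[i])
                && grantRoleOnce(user, realm, rolesByIdp[aliases[i]])) {
            granted.push(rolesByIdp[aliases[i]]);
        }
    }
    return granted;
}

// Entry point called by Keycloak; role names and IdP aliases below are assumptions.
function authenticate(context) {
    var identities = user ? session.users().getFederatedIdentities(user, realm) : null;
    var granted = applyRoleRules(user, realm, identities, "email-verified",
        { google: "google-linked", facebook: "facebook-linked" });
    if (granted.length > 0) {
        LOG.info("script authenticator granted " + granted.join(",") + " to " + user.getUsername());
    }
    context.success();
}
```

Add it as a REQUIRED execution after the Username Password Form in a copy of the browser flow. Because e-mail verification is a required action that runs after the authentication flow, the email-verified role appears on the first login after the address was verified, not at the moment of verification; likewise the IdP roles appear on the first login after the first-broker-login flow created the link, so they inherit whatever checks that flow applied. The hasRole check makes repeated logins idempotent, and a role missing from the realm is skipped rather than turning into a failed login.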
From: christianlutz at inovel.de (christian lutz) Date: Wed, 30 Aug 2017 06:02:27 +0000 Subject: [keycloak-user] photoz example set owner via Admin REST API Message-ID: <00060469.59A670FE@mail.ino.local> Hello, in the photoz example you use a policy to check against the resource owner. $permission.resource != null && $permission.resource.owner.equals($identity.id) Is there a way to set the owner via the Admin REST API? I tried (see below) but this doesn't work

    ResourceOwnerRepresentation owner = new ResourceOwnerRepresentation();
    owner.setName("Me");
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource Me");
    resource.setOwner(owner);
    resource.setUri("/cxf/api/v1/customers/Me/*");
    client.authorization().resources().create(resource);

I didn't even find a way to set the owner via WebUI. But this isn't important for me. Mit freundlichen Grüßen / with best regards christian lutz / B. Sc. software engineering inovel elektronik gmbh inovel systeme AG gebhardstr. 7 88046 friedrichshafen phone +49 (0) 7541 39900-35 fax +49 (0) 7541 39900-99 mail christianlutz at inovel.de web www.inovel.de inovel elektronik gmbh general manager: axel dittus, robert steinhauser hrb 632191 amtsgericht ulm; VAT Reg. No.: DE811926597 inovel systeme AG board of management: markus spinnenhirn (chairman), axel dittus, robert steinhauser chairman of the supervisory board: joachim zodel registered office: friedrichshafen; hrb 728443 amtsgericht ulm; VAT Reg. No.: DE814611877 This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. 
inovel disclaims any and all liability if this email transmission was virus corrupted, altered or falsified. From akshatjiwan at gmail.com Wed Aug 30 02:08:33 2017 From: akshatjiwan at gmail.com (Akshat Jiwan Sharma) Date: Wed, 30 Aug 2017 11:38:33 +0530 Subject: [keycloak-user] Adding user attributes at the time of self registration Message-ID: Hi All, Thank you for creating keycloak! As I understand keycloak has a facility to allow for self registration of users. In addition using the admin panel you can also add additional attributes for a user. I wanted to know if it's possible to add custom user attributes at the time of registration? Maybe by supplying additional fields during registration process or by making api calls at the time of successful registration redirect? If not is it possible for the user to log into key cloak server and specify additional fields themselves? I'm looking for a way in which I can add custom data to a user without any manual intervention as an admin. What would be the best way to do that? Thanks, Akshat From sthorger at redhat.com Wed Aug 30 02:32:08 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 30 Aug 2017 08:32:08 +0200 Subject: [keycloak-user] Adding user attributes at the time of self registration In-Reply-To: References: Message-ID: Yes, see https://github.com/keycloak/keycloak/tree/master/examples/themes/src/main/resources/theme/address and the docs. On 30 August 2017 at 08:08, Akshat Jiwan Sharma wrote: > Hi All, > > Thank you for creating keycloak! As I understand keycloak has a facility to > allow for self registration of users. In addition using the admin panel you > can also add additional attributes for a user. I wanted to know if it's > possible to add custom user attributes at the time of registration? Maybe > by supplying additional fields during registration process or by making api > calls at the time of successful registration redirect? If not is it > possible for the user to log into key cloak server and specify additional > fields themselves? > > I'm looking for a way in which I can add custom data to a user without any > manual intervention as an admin. What would be the best way to do that? > > Thanks, > Akshat > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Aug 30 02:33:11 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 30 Aug 2017 08:33:11 +0200 Subject: [keycloak-user] Keycloak can't access identity provider behind corporate proxy In-Reply-To: References: Message-ID: We don't support having KC behind a web proxy at the moment, see https://issues.jboss.org/browse/KEYCLOAK-4743 On 30 August 2017 at 06:22, Rudresh Shashikant wrote: > Hi, > > Have been having trouble with keycloak and Facebook connectivity behind > corporate proxy as well. > Reference: > http://lists.jboss.org/pipermail/keycloak-user/2016-July/006925.html > > realised after *a lot* of trial and error that `-Dhttp.proxyHost` and > `-Dhttp.proxyPort` are not even used when JVM starts. > > my colleague wrote a custom provider in an attempt to use system proxy but > unable to load it into the keycloak runtime. > https://github.com/xiaoyvr/custom-http-client-provider > > is there any example we can follow or alternative (maybe obvious and hidden > in plain sight) solution we missed? > Thanks. > > Regards, > Rudy. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Aug 30 02:34:55 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 30 Aug 2017 08:34:55 +0200 Subject: [keycloak-user] Detect existing IdP session In-Reply-To: References: Message-ID: We don't support this at the moment, but could possibly be added at least for OIDC. OIDC has prompt=none which allows checking if a user is authenticated without displaying login form if they are not. Would need to be a community contribution though if you expect it to be added anytime soon. On 30 August 2017 at 03:17, Adam Keily wrote: > Hi, > > Forgive me if this is a dumb question. I'm just wondering if it's possible > for keycloak to detect that a user has already authenticated to a > configured IDP before being presented the login page. E.g. > > We have multiple IDP's configured in Keycloak. Facebook, Google, corporate > ADFS. If they have an existing session, can that be detected e.g. > > > 1. User is already authenticated to ADFS > 2. They attempt to access a KC protected application. > 3. Instead of having to click the IDP link on the KC login screen to be > redirected to ADFS and back again, they are instead just authenticated > using their existing ADFS session. > > I know about kc_idp_hint and default IdP but this is more a case where a > user might be already authenticated to one of multiple IDP's. Something > like "Detected ADFS session. Continue as ADFS userA?". I guess if you've > authed to more than one IDP it could be a problem. > > Thanks > Adam > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Aug 30 02:36:39 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 30 Aug 2017 08:36:39 +0200 Subject: [keycloak-user] RHT SSO 7.1 + OAuth2 Identity Provider In-Reply-To: References: Message-ID: Without OIDC there's no standard fields for the user details so would have to be implemented specifically for your provider. You'd need to create a custom social provider. Take a look at the Keycloak source code and checkout for instance https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java On 29 August 2017 at 17:52, Brent Yarger wrote: > Hello, > Keycloak / RHT SSO supports social login and custom / user-defined IDPs. > The options for custom IDP are SAML v2.0, OIDC v1.0, and Keycloak OIDC. > Does keycloak support a user-defined IDP that uses OAuth2? If not, is this > possible to implement / what is the process to add an OAuth2 IDP? > > Thanks, > Brent > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Aug 30 02:41:15 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 30 Aug 2017 08:41:15 +0200 Subject: [keycloak-user] Enabling Brute Force detection on account management changes In-Reply-To: References: Message-ID: Makes sense. Should probably just be an option in brute force protection. It would also have to logout the current session I guess, which brute force doesn't do. On 28 August 2017 at 19:58, John D. Ament wrote: > Hi, > > Very obscure pattern here. We want to be able trigger brute force tracking > when someone incorrectly enters their current password on the change > password screen. It looks like we can do this in events, but wondering if > this is a common use case that makes sense to do in core of keycloak? > > John > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From christianlutz at inovel.de Wed Aug 30 02:46:57 2017 
From: christianlutz at inovel.de (christian lutz) Date: Wed, 30 Aug 2017 06:46:57 +0000 Subject: [keycloak-user] Group Policy - Claim? Message-ID: <0006046D.59A67B6D@mail.ino.local> Hello, yesterday I played a bit with the Group Policy. https://issues.jboss.org/browse/KEYCLOAK-3168 But I didn't understand how it should work, the documentation for it is missing. Assume I do have a user X part of the group A/B/C All I expected to be required in the group policy is that I had to select a group like A/B/C. During the policy check the corresponding identity groups will be loaded and checked against the group policy groups. So with this mental model I am completely wrong, because of the group claim. Within the policy I have to provide a group claim and within the GroupPolicyProvider, based on the group claim, an identity (user) attribute will be loaded. Please could somebody explain to me how this is expected to work? Mit freundlichen Grüßen / with best regards christian lutz / B. Sc. software engineering inovel elektronik gmbh inovel systeme AG 
From daniel.storey at weareact.com Wed Aug 30 02:54:38 2017 From: daniel.storey at weareact.com (Daniel Storey) Date: Wed, 30 Aug 2017 06:54:38 +0000 Subject: [keycloak-user] Service account user attributes In-Reply-To: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> References: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> Message-ID: Thanks Marek. What would you suggest is the most reliable way to detect a service account login from a protocol mapper? Is there a service account flag in UserModel, or would I need to check for the existence of known service account field(s), such as client notes? Are there any plans to make service account users viewable/editable in the same way as 'normal' users (via the Keycloak admin UI) in a future release? Many thanks Dan -----Original Message----- 
From: Marek Posolda [mailto:mposolda at redhat.com] Sent: 25 August 2017 21:15 To: Daniel Storey ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Service account user attributes On 25/08/17 15:11, Daniel Storey wrote: > Hello > > I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper. > > I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users. > > I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative. That's possible if you plan to implement your own protocol mapper. You can detect if login is service-account for example by checking if UserModel corresponds to service-account user. There are also some client notes, which are available just for service-account logins. Marek > > Kind regards > Dan > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From pcfleischer at outlook.com Wed Aug 30 08:11:23 2017 
From: pcfleischer at outlook.com (Phillip Fleischer) Date: Wed, 30 Aug 2017 12:11:23 +0000 Subject: [keycloak-user] Service account user attributes In-Reply-To: References: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> Message-ID: Is there a reason you're not using service account roles? This is what we use for this. Ideally you'd create realm and client roles that determine the access level for whatever actions you want the service account to be authorized to do, or you could just make a role "service_account" which will show in the realm role access in the token or some combination of roles that do both. If you then want this to be a "claim" instead of a "role" in the token then you could use the "User Realm Role" protocol mapper (assuming OIDC protocol) It'd probably be cool too to be able to actually mess with the user entity in the admin too to do some attributes that are a claim... but there's probably a bunch of good reasons not to allow that either (e.g. there's a bunch of stuff you can't do like impersonate or delete that would need to be blocked from the UI). It might be possible to edit the user via the rest api too if you really really need it to be an attribute, but that's likely a hack. > On Aug 30, 2017, at 2:54 AM, Daniel Storey wrote: > > Thanks Marek. What would you suggest is the most reliable way to detect a service account login from a protocol mapper? Is there a service account flag in UserModel, or would I need to check for the existence of known service account field(s), such as client notes? > > Are there any plans to make service account users viewable/editable in the same way as 'normal' users (via the Keycloak admin UI) in a future release? > > Many thanks > Dan > > -----Original Message----- 
> From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: 25 August 2017 21:15 > To: Daniel Storey ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Service account user attributes > > On 25/08/17 15:11, Daniel Storey wrote: >> Hello >> >> I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper. >> >> I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users. >> >> I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative. > That's possible if you plan to implement your own protocol mapper. You can detect if login is service-account for example by checking if UserModel corresponds to service-account user. There are also some client notes, which are available just for service-account logins. > > Marek >> >> Kind regards >> Dan >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Aug 30 08:28:11 2017 
From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 30 Aug 2017 09:28:11 -0300 Subject: [keycloak-user] Group Policy - Claim? In-Reply-To: <0006046D.59A67B6D@mail.ino.local> References: <0006046D.59A67B6D@mail.ino.local> Message-ID: Hi Christian, Sorry about docs. I did not manage to finish everything before latest release. Will push this and so other things soon. In regard to your questions about Group Policy. Yes, you are basically defining a condition where User X must be a member of Group /A/B/C. The point here is that Authorization Services basically relies on the information within the bearer token you sent when asking for permissions. That is why you need to specify a "Groups Claim". This tells the policy from where groups should be obtained in the token. Note that when using Group Policy, you also need to add a "Mapper" to your resource server in order to push group membership information into tokens. There you also specify the name of claim where groups will be located. Regards. Pedro Igor On Wed, Aug 30, 2017 at 3:46 AM, christian lutz wrote: > Hello, > > yesterday I played a bit with the Group Policy. https://issues.jboss.org/ > browse/KEYCLOAK-3168 > But I didn't understand how it should work, the documentation for it is > missing. > > Assume I do have a user X part of the group A/B/C > All I expected to be required in the group policy is that I had to select > a group like A/B/C. > During the policy check the corresponding identity groups will be loaded > and checked against the group policy groups. > > So with this mental model I am completely wrong, because of the group claim. > Within the policy I have to provide a group claim > and within the GroupPolicyProvider, based on the group claim, an identity > (user) attribute will be loaded. > > Please could somebody explain to me how this is expected to work? > > > > > Mit freundlichen Grüßen / with best regards > > > christian lutz / B. Sc. 
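A small model of the point Pedro Igor Silva makes in his reply above, as an added example (not Pedro's code and not Keycloak's own Group Policy implementation): the policy never looks the user up, it reads group membership from the claim in the token presented with the permission request, so without the mapper the policy has nothing to match and denies. The claim name "groups", the group path "/A/B/C", full-path group values in the claim and the extend-to-children flag are assumptions; the sample tokens are constructed and unsigned.

```javascript
// Added example, not code from Pedro's reply or from the Keycloak project.
// Models why a Group Policy needs a "Groups Claim" and a mapper. The sample
// tokens built here are constructed and carry no signature; a real Keycloak
// token is signed and must be verified before any claim in it is trusted.

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(text) {
  var b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) { b64 += "="; }
  return Buffer.from(b64, "base64").toString("utf8");
}

// Build a JWT-shaped string (header.payload.signature) around a payload.
// The third segment is a placeholder: this sample is only used to read claims.
function buildSampleToken(payload) {
  var header = { alg: "RS256", typ: "JWT" };
  return base64UrlEncode(JSON.stringify(header)) + "." +
         base64UrlEncode(JSON.stringify(payload)) + "." +
         "unsigned-constructed-sample";
}

// Extract the payload object from a compact token string.
function decodeTokenPayload(token) {
  var parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT: expected 3 segments");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Resolve a dotted claim path such as "groups" or "custom.groups", the way
// the policy's Groups Claim setting names where in the token to look.
function readClaim(payload, claimPath) {
  var node = payload;
  var keys = claimPath.split(".");
  for (var i = 0; i < keys.length; i++) {
    if (node === null || typeof node !== "object" || !(keys[i] in node)) {
      return undefined;
    }
    node = node[keys[i]];
  }
  return node;
}

// Policy decision over an already-decoded payload.
// policyGroups: [{ path: "/A/B/C", extendChildren: true|false }]
// The claim is assumed to hold full group paths (what a group membership
// mapper configured for full paths puts into the token).
function groupPolicyGrants(tokenPayload, claimPath, policyGroups) {
  var claimed = readClaim(tokenPayload, claimPath);
  if (!Array.isArray(claimed)) {
    return false; // no mapper pushed groups into this token: nothing to match
  }
  return policyGroups.some(function (pg) {
    return claimed.some(function (g) {
      if (g === pg.path) { return true; }
      return pg.extendChildren === true && g.indexOf(pg.path + "/") === 0;
    });
  });
}

// Evaluate a compact token string end to end.
function evaluateGroupPolicy(token, claimPath, policyGroups) {
  return groupPolicyGrants(decodeTokenPayload(token), claimPath, policyGroups);
}
```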
> software engineering > > inovel elektronik gmbh > inovel systeme AG > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From rudreshsj at gmail.com Wed Aug 30 08:52:19 2017 
From: rudreshsj at gmail.com (Rudresh Shashikant) Date: Wed, 30 Aug 2017 19:52:19 +0700 Subject: [keycloak-user] Keycloak can't access identity provider behind corporate proxy In-Reply-To: References: Message-ID: Thanks for the response. Probably a good idea to document this fact? Regards, Rudy. On Wed, Aug 30, 2017 at 1:33 PM, Stian Thorgersen wrote: > We don't support having KC behind a web proxy at the moment, see > https://issues.jboss.org/browse/KEYCLOAK-4743 > > On 30 August 2017 at 06:22, Rudresh Shashikant > wrote: > >> Hi, >> >> Have been having trouble with keycloak and Facebook connectivity behind >> corporate proxy as well. >> Reference: >> http://lists.jboss.org/pipermail/keycloak-user/2016-July/006925.html >> >> realised after *a lot* of trial and error that `-Dhttp.proxyHost` and >> `-Dhttp.proxyPort` are not even used when JVM starts. >> >> my colleague wrote a custom provider in an attempt to use system proxy but >> unable to load it into the keycloak runtime. >> https://github.com/xiaoyvr/custom-http-client-provider >> >> is there any example we can follow or alternative (maybe obvious and >> hidden >> in plain sight) solution we missed? >> Thanks. >> >> Regards, >> Rudy. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From christianlutz at inovel.de Wed Aug 30 09:16:02 2017 
From: christianlutz at inovel.de (christian lutz) Date: Wed, 30 Aug 2017 13:16:02 +0000 Subject: [keycloak-user] Re-2: Group Policy - Claim? In-Reply-To: References: Message-ID: <000604A2.59A6D69E@mail.ino.local> Hello Pedro, thank you for your feedback. Please don't be sorry about the documentation. I really appreciate all the work. And I think keycloak is really great. :) This was the missing piece of how to create a claim and how it works. May I ask why it is necessary to add this information into the token? If you have the user identity it would be possible to query the corresponding roles within keycloak. best regards Christian Original Message processed by David Re: [keycloak-user] Group Policy - Claim? 30. August 2017, 14:28 From Pedro Igor Silva To christian lutz Cc keycloak-user Hi Christian, Sorry about docs. I did not manage to finish everything before latest release. Will push this and so other things soon. In regard to your questions about Group Policy. Yes, you are basically defining a condition where User X must be a member of Group /A/B/C. The point here is that Authorization Services basically relies on the information within the bearer token you sent when asking for permissions. That is why you need to specify a "Groups Claim". This tells the policy from where groups should be obtained in the token. Note that when using Group Policy, you also need to add a "Mapper" to your resource server in order to push group membership information into tokens. There you also specify the name of claim where groups will be located. Regards. Pedro Igor On Wed, Aug 30, 2017 at 3:46 AM, christian lutz wrote: Hello, yesterday I played a bit with the Group Policy. https://issues.jboss.org/browse/KEYCLOAK-3168 But I didn't understand how it should work, the documentation for it is missing. Assume I do have a user X part of the group A/B/C All I expected to be required in the group policy is that I had to select a group like A/B/C. 
During the policy check the corresponding identity groups will be loaded and checked against the group policy groups. So with this mental model I am completely wrong, because of the group claim. Within the policy I have to provide a group claim and within the GroupPolicyProvider, based on the group claim, an identity (user) attribute will be loaded. Please could somebody explain to me how this is expected to work? Mit freundlichen Grüßen / with best regards christian lutz / B. Sc. software engineering inovel elektronik gmbh inovel systeme AG _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user To: psilva at redhat.com Cc: keycloak-user at lists.jboss.org From pkboucher801 at gmail.com Wed Aug 30 09:43:23 2017 
From: pkboucher801 at gmail.com (Peter K. Boucher) Date: Wed, 30 Aug 2017 09:43:23 -0400 Subject: [keycloak-user] Skip Broker First-Time Flow? In-Reply-To: References: <000001d31c40$e0271a20$a0754e60$@gmail.com> <000801d31da3$476c21e0$d64465a0$@gmail.com> <3c7e369e-74c2-e9ce-af49-5ce2b30ea6af@redhat.com> Message-ID: <000201d32195$f39135a0$dab3a0e0$@gmail.com> I also voted for https://issues.jboss.org/browse/KEYCLOAK-4240?_sscc=t -----Original Message----- From: Adam Keily [mailto:adam.keily at adelaide.edu.au] Sent: Wednesday, August 30, 2017 12:27 AM To: Marek Posolda ; Peter K. Boucher ; 'Phillip Fleischer' ; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Skip Broker First-Time Flow? Check out. https://github.com/ohioit/keycloak-link-idp-with-user We use it to silently link users coming from another corporate IDP with our federated LDAP accounts. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda Sent: Friday, 25 August 2017 10:59 PM To: Peter K. Boucher ; 'Phillip Fleischer' ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Skip Broker First-Time Flow? Yes. Marek On 25/08/17 15:08, Peter K. Boucher wrote: > Not asking you to review/endorse this code, but does the approach seem > reasonable? https://github.com/ohioit/keycloak-link-idp-with-user > > -----Original Message----- 
> From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Thursday, August 24, 2017 5:30 AM > To: Phillip Fleischer ; Peter K. Boucher > ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Skip Broker First-Time Flow? > > +1 to what Phillip mentioned. > > We were thinking for adding the authenticator OOTB, which will link > accounts automatically. But didn't added in the end because of security. > However you're not the first asking for it, so maybe it makes sense - > as long as this authenticator won't be in the flow by default and > admin would need to edit the first-broker-login flow on his own risk. > Feel free to create JIRA (maybe it already exists, so you can add > comment like "I want it too" and add vote :) ) > > Marek > > On 24/08/17 10:38, Phillip Fleischer wrote: >> Not sure of your appetite for customization but you can create a copy of the first login flow and remove or replace the execution steps you don't want. >> >> As far as how you'll create or link the account if none of the existing executions work, worst case you'd have to write your own. >> >> ________________________________ 
>> From: keycloak-user-bounces at lists.jboss.org >> on behalf of Peter K. Boucher >> >> Sent: Wednesday, August 23, 2017 2:51:48 PM >> To: keycloak-user at lists.jboss.org >> Subject: [keycloak-user] Skip Broker First-Time Flow? >> >> We have a need to pre-provision user accounts that are to be accessed >> with SAML from an outside IdP. These accounts are only ever to be >> used via SAML from this external IdP (i.e., we never want them to >> have to use a password to verify anything to Keycloak. >> >> >> >> Is there any way for the account-linking the first time the user >> comes in with SAML to happen automatically and silently? >> >> >> >> We understand that in some circumstances it would be a security hole >> to allow someone to connect via a brokered IdP to an existing account >> that has already been used, but these accounts are being created >> specifically to be accessed by this particular broker. >> >> >> >> Any help? >> >> >> >> Thanks! >> >> >> >> Regards, >> >> Peter K. Boucher >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From yevgeni at kovelman.net Wed Aug 30 10:17:24 2017 
From: yevgeni at kovelman.net (Yevgeni Kovelman) Date: Wed, 30 Aug 2017 07:17:24 -0700 Subject: [keycloak-user] Re-2: Group Policy - Claim? In-Reply-To: <000604A2.59A6D69E@mail.ino.local> References: <000604A2.59A6D69E@mail.ino.local> Message-ID: <5D11C43A-7882-4872-B244-8EF4E8A7F6B9@kovelman.net> Christian, Also, if you download Keycloak source, there are a number of unit tests around group policy that show usage. Best Yev Sent from my iPhone > On Aug 30, 2017, at 06:16, christian lutz wrote: > > Hello Pedro, > > > thank you for your feedback. Please don't be sorry about the documentation. I really appreciate all the work. And I think keycloak is really great. :) > > > This was the missing piece of how to create a claim and how it works. > > > May I ask why it is necessary to add this information into the token? If you have the user identity it would be possible to query the corresponding roles within keycloak. > > > > > best regards > Christian > > > > > > > Original Message processed by David > Re: [keycloak-user] Group Policy - Claim? 30. August 2017, 14:28 > From Pedro Igor Silva > To christian lutz > Cc keycloak-user > > Hi Christian, > > > > Sorry about docs. I did not manage to finish everything before latest release. Will push this and so other things soon. > > > > In regard to your questions about Group Policy. > > > > Yes, you are basically defining a condition where User X must be a member of Group /A/B/C. > > > > The point here is that Authorization Services basically relies on the information within the bearer token you sent when asking for permissions. That is why you need to specify a "Groups Claim". This tells the policy from where groups should be obtained in the token. > > > > Note that when using Group Policy, you also need to add a "Mapper" to your resource server in order to push group membership information into tokens. There you also specify the name of claim where groups will be located. > > > > Regards. 
> Pedro Igor > > > > > > On Wed, Aug 30, 2017 at 3:46 AM, christian lutz wrote: > > > Hello, > > yesterday I played a bit with the Group Policy. https://issues.jboss.org/browse/KEYCLOAK-3168 > But I didn't understand how it should work, the documentation for it is missing. > > Assume I do have a user X part of the group A/B/C > All I expected to be required in the group policy is that I had to select a group like A/B/C. > During the policy check the corresponding identity groups will be loaded and checked against the group policy groups. > > So with this mental model I am completely wrong, because of the group claim. Within the policy I have to provide a group claim > and within the GroupPolicyProvider based on the group claim an identity (user) attribute will be loaded. > > Please could somebody explain to me how this is expected to work? > > > > > Mit freundlichen Grüßen / with best regards > > > christian lutz / B. Sc. > software engineering > > inovel elektronik gmbh > inovel systeme AG > gebhardstr. 7 > 88046 friedrichshafen > > phone +49 (0) 7541 39900-35 > fax +49 (0) 7541 39900-99 > mail christianlutz at inovel.de > web www.inovel.de > > > > > inovel elektronik gmbh > general manager: axel dittus, robert steinhauser > hrb 632191 amtsgericht ulm; VAT Reg. No.: DE811926597 > > inovel systeme AG > board of management: markus spinnenhirn (chairman), axel dittus, robert steinhauser > chairman of the supervisory board: joachim zodel > registered office: friedrichshafen; hrb 728443 amtsgericht ulm; VAT Reg. No.: DE814611877 > > > > This email (including any attachments) may contain confidential and/or privileged information or information otherwise > protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this > message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this > message and any attachments from your system.
inovel disclaims any and all liability if this email transmission was virus > corrupted, altered or falsified. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > To: psilva at redhat.com > Cc: keycloak-user at lists.jboss.org > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From daniel.storey at weareact.com Wed Aug 30 10:54:45 2017 
From: daniel.storey at weareact.com (Daniel Storey) Date: Wed, 30 Aug 2017 14:54:45 +0000 Subject: [keycloak-user] Service account user attributes In-Reply-To: References: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> Message-ID: Hi Phillip Thanks very much for your suggestion. To give a bit more context, I have a requirement to convert a custom attribute associated with the resource owner (user or service account) into a complex type OIDC claim for all token requests. I have achieved this for requests associated with a user account by implementing an OIDC protocol mapper similar to the "User Attribute" mapper. I have attempted to do the same for service account requests by adding functionality similar to the "Hardcoded Claim" mapper. My mapper checks the UserModel associated with the request, then executes either User Attribute mapper-esque logic, where the value to convert to a claim comes from a user attribute, or Hardcoded Claim mapper-esque logic, where the value to convert comes from the ProtocolMapperModel. The hardcoded claim part essentially allows me to define service account-specific claims via the admin UI. It seems UserModel.serviceAccountClientLink is only set on service account token requests (null on user requests), so I'm driving my mapper logic off the presence of this property. If this is not advisable, I will define a service account role and check this instead, as you suggest. Given my requirement, does this sound like a reasonable solution? -----Original Message----- 
From: Phillip Fleischer [mailto:pcfleischer at outlook.com] Sent: 30 August 2017 13:11 To: Daniel Storey Cc: Marek Posolda ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Service account user attributes Is there a reason you're not using service account roles? This is what we use for this. Ideally you'd create realm and client roles that determine the access level for whatever actions you want the service account to be authorized to do, or you could just make a role "service_account" which will show in the realm role access in the token or some combination of roles that do both. If you then want this to be a "claim" instead of a "role" in the token then you could use the "User Realm Role" protocol mapper (assuming OIDC protocol) It'd probably be cool too to be able to actually mess with the user entity in the admin too to do some attributes that are a claim... but there's probably a bunch of good reasons not to allow that either (e.g. there's a bunch of stuff you can't do like impersonate or delete that would need to be blocked from the UI). It might be possible to edit the user via the rest api too if you really really need it to be an attribute, but that's likely a hack. > On Aug 30, 2017, at 2:54 AM, Daniel Storey wrote: > > Thanks Marek. What would you suggest is the most reliable way to detect a service account login from a protocol mapper? Is there a service account flag in UserModel, or would I need to check for the existence of known service account field(s), such as client notes? > > Are there any plans to make service account users viewable/editable in the same way as 'normal' users (via the Keycloak admin UI) in a future release? > > Many thanks > Dan > > -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: 25 August 2017 21:15 > To: Daniel Storey ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Service account user attributes > > On 25/08/17 15:11, Daniel Storey wrote: >> Hello >> >> I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper. >> >> I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users. >> >> I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative. > That's possible if you plan to implement your own protocol mapper. You can detect if login is service-account for example by checking if UserModel corresponds to service-account user. There are also some client notes, which are available just for service-account logins. > > Marek >> >> Kind regards >> Dan >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Kristiaan.Jansen at planonsoftware.com Wed Aug 30 11:11:24 2017 
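Daniel Storey's description above (a single OIDC protocol mapper that reads a user attribute for ordinary users and a configured value for service accounts, then emits a structured claim) can be put into code as follows. This is an added example written for this thread, not code from Daniel, Phillip or the Keycloak project. It assumes the Keycloak 3.x mapper SPI, where `setClaim(IDToken, ProtocolMapperModel, UserSessionModel)` is the override point (later releases add `KeycloakSession` and `ClientSessionContext` parameters to that method); the package name, provider id, config keys `user.attribute` and `service.account.value`, and the claim field names `value`, `ownerType` and `clientLink` are all chosen for the example. The service-account test is the one Daniel observed: `UserModel.getServiceAccountClientLink()` is non-null only for the internal user Keycloak links to a client.

```java
// Added example (not from the thread or the Keycloak project). Assumes Keycloak 3.x SPI.
package example.keycloak.mappers; // hypothetical package name

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class ResourceOwnerAttributeMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Provider id registered in META-INF/services/org.keycloak.protocol.ProtocolMapper (hypothetical)
    public static final String PROVIDER_ID = "example-resource-owner-attribute-mapper";

    // Admin-console config keys; names chosen for this example
    static final String USER_ATTRIBUTE = "user.attribute";
    static final String SERVICE_ACCOUNT_VALUE = "service.account.value";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty attr = new ProviderConfigProperty();
        attr.setName(USER_ATTRIBUTE);
        attr.setLabel("User Attribute");
        attr.setType(ProviderConfigProperty.STRING_TYPE);
        attr.setHelpText("Attribute read from the user when the resource owner is a regular user.");
        CONFIG.add(attr);

        ProviderConfigProperty fixed = new ProviderConfigProperty();
        fixed.setName(SERVICE_ACCOUNT_VALUE);
        fixed.setLabel("Service Account Value");
        fixed.setType(ProviderConfigProperty.STRING_TYPE);
        fixed.setHelpText("Value used instead when the resource owner is a service-account user.");
        CONFIG.add(fixed);

        // Standard "Token Claim Name" field and the add-to-ID/access/userinfo switches
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, ResourceOwnerAttributeMapper.class);
    }

    /** Service-account users are the ones Keycloak links to a client; the link is null for ordinary users. */
    static boolean isServiceAccount(UserModel user) {
        return user != null && user.getServiceAccountClientLink() != null;
    }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
        UserModel user = userSession.getUser();
        Map<String, String> config = mappingModel.getConfig();
        boolean serviceAccount = isServiceAccount(user);

        String value;
        if (serviceAccount) {
            // Service-account users are not editable in the 3.x admin console, so the value
            // comes from the mapper configuration, the way the "Hardcoded Claim" mapper works.
            value = config.get(SERVICE_ACCOUNT_VALUE);
        } else {
            String attributeName = config.get(USER_ATTRIBUTE);
            value = attributeName == null ? null : user.getFirstAttribute(attributeName);
        }
        if (value == null) {
            return; // nothing configured for this owner type: leave the claim out entirely
        }

        // The "complex type" claim: a JSON object rather than a primitive value
        Map<String, Object> claim = new LinkedHashMap<>();
        claim.put("value", value);
        claim.put("ownerType", serviceAccount ? "service-account" : "user");
        if (serviceAccount) {
            // Internal id of the client that owns this service account, useful when auditing tokens
            claim.put("clientLink", user.getServiceAccountClientLink());
        }

        // Stores the object under the configured claim name (dotted names become nested objects)
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, claim);
    }

    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Resource Owner Attribute (user or service account)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() {
        return "Maps a user attribute, or a configured value for service accounts, to a structured claim.";
    }
}
```

Packaged as a provider jar with the service-loader file named in the comment, the mapper appears in the client's Mappers tab next to the built-in ones. Note the trust boundary this design creates: whoever can edit the client's mappers controls the `service.account.value` that ends up in every client-credentials token, so the admin-console permission on the client is what protects that claim, exactly as it protects a Hardcoded Claim mapper.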
From: Kristiaan.Jansen at planonsoftware.com (Kristiaan Jansen) Date: Wed, 30 Aug 2017 15:11:24 +0000 Subject: [keycloak-user] test Message-ID: From robert.parker at weareact.com Wed Aug 30 11:55:16 2017 
From: robert.parker at weareact.com (Robert Parker) Date: Wed, 30 Aug 2017 15:55:16 +0000 Subject: [keycloak-user] Nodejs adapter - session object not persisting redirect_uri Message-ID: Hi, I am trying to use the nodejs adapter with my express application and I am encountering issues when the adapter tries to exchange my user's authorization code for an access token. I have been debugging the calls made from the adapter library, and can see after the user has been authorised, an obtainFromCode function is invoked in the grant-manager module (keycloak-auth-utils\lib\grant-manager.js) and in particular there is the following line of code present: redirect_uri: request.session ? request.session.auth_redirect_uri : {} Adding a breakpoint to this, I can see a session object is present on the request object, but there is no auth_redirect_uri property present. This ends up sending an empty redirect_uri param in the POST request being made to my keycloak server, and I get back an invalid_code error. I can replicate the same behaviour if I make the requests using Postman, and can fix it and get an access token back if I set the correct redirect_uri as configured against my client in the keycloak admin portal. I can see in the initial request sent out when first authorising the user that this contains a redirect_uri query string param also. I have my node express application using a mongoDB session store (using express-session), so am using the same store when configuring keycloak with my express app instance. I followed the example in the keycloak-nodejs-connect library here Can anyone suggest what may be going on for me here, why this redirect_uri is not being set on the session object so it can be read in the nodejs adapter library?
Thanks * Rob ________________________________ Robert Parker - Front End Developer Applied Card Technologies Ltd Cardiff Office 14 St Andrews Crescent Caerdydd Cardiff CF10 3DD +44 (0) 2922 331860 Robert.Parker at weareACT.com www.weareACT.com Registered in England : 04476799 ________________________________ The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales). The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd. The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary. Please consider the environment before printing this email. ________________________________ From byarger at redhat.com Wed Aug 30 12:03:45 2017
From: byarger at redhat.com (Brent Yarger) Date: Wed, 30 Aug 2017 09:03:45 -0700 Subject: [keycloak-user] RHT SSO 7.1 + OAuth2 Identity Provider In-Reply-To: References: Message-ID: Thanks Stian, this is exactly what I did. It was simple enough to implement, and basically was a copy-paste from the Github one. Regards, Brent Yarger On Tue, Aug 29, 2017 at 11:36 PM, Stian Thorgersen wrote: > Without OIDC there's no standard fields for the user details so would have > to be implemented specifically for your provider. You'd need to create a > custom social provider. Take a look at the Keycloak source code and > checkout for instance https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java > > On 29 August 2017 at 17:52, Brent Yarger wrote: > >> Hello, >> Keycloak / RHT SSO supports social login and custom / user-defined IDPs. >> The options for custom IDP are SAML v2.0, OIDC v1.0, and Keycloak OIDC. >> Does keycloak support a user-defined IDP that uses OAuth2? If not, is this >> possible to implement / what is the process to add an OAuth2 IDP? >> >> Thanks, >> Brent >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From christianlutz at inovel.de Wed Aug 30 13:34:26 2017
From: christianlutz at inovel.de (christian lutz) Date: Wed, 30 Aug 2017 17:34:26 +0000 Subject: [keycloak-user] Keycloak restart necessary to access new resources? Message-ID: <000604B2.59A7132E@mail.ino.local> Hello, I just stumbled over a behavior I am not sure if intended or not. I add via the Admin REST API new resources to an existing client via realm.clients().get(xy).authorization.resources().create(newResource); Then I have a simple javascript policy checking if a user is allowed to access this specific resource. It always fails for recently added resources. But after I restart the keycloak it works. I tried to log in with a different browser; same behavior. Do I have to call a refresh or similar so the javascript policy is able to see the added resources? Or is this a bug? Sincerely Christian From tonnis at autonomic.ai Wed Aug 30 14:47:02 2017
From: tonnis at autonomic.ai (Tonnis Wildeboer) Date: Wed, 30 Aug 2017 11:47:02 -0700 Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha? In-Reply-To: References: Message-ID: Thank you Phillip, for your reply. I would still like to find answers to my four questions: 1. What are the specific differences between using --server-config standalone-ha.xml vs standalone.xml? 2. Is there communication between the pods that needs to happen when running in "Standalone Clustered Mode"? (I ask this because I would need to make sure that this is possible, possibly across VPCs.) If so, what is it? I am hoping they just share a database. 3. Why doesn't the base jboss-dockerfiles/keycloak-server image also modify the standalone-ha.xml file too, in the same way it modifies the standalone.xml file: (https://github.com/jboss-dockerfiles/keycloak/blob/0a54ccaccd5e27e75105b904708ac4ccd80df5c5/server/Dockerfile#L23-L25)? 4. Is there any other documentation, etc that I should be looking at? Thanks, --Tonnis ____________________ Tonnis Wildeboer Autonomic.ai Engineering 650-204-0246 On Tue, Aug 29, 2017 at 2:51 AM, Phillip Fleischer wrote: > My guess around configuration is expected default infrastructure is truly > standalone on virtual infrastructure or openshift where ssl is terminated > on jboss and infrastructure supports multicast dns for ha. > > We use our own standalone.xml similar to below. You'll probably want to > look at jgroups jdbc ping since multicast might not work. Someone recently > asked if you can just disable cache if you can avoid jgroups but I haven't > tried that myself or heard back that is a viable solution. > > https://goldmann.pl/blog/2014/07/23/customizing-the-configuration-of-the-wildfly-docker-image/ > > http://www.fafonso.com/jgroups/unicast/postgresql/jdbc/ping/cluster/2016/08/07/jgroups-with-postgresql.html > > > _____________________________
> From: Tonnis Wildeboer > Sent: Friday, August 25, 2017 1:33 PM > Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS > postgress: standalone-ha? > To: > > > > I am attempting to run Keycloak in a kubernetes cluster with a shared > postgres (RDS) db. Everything is hosted on AWS. The keycloak instances are > deployed using Helm. > > I have read the clustering documentation and from that it seems that the > appropriate clustering mode in this scenario would be "Standalone Clustered > Mode". Therefore, I am using the "jboss/keycloak-ha-postgres" Docker image. > Since I am using the nginx Ingress controller I have the prescribed > PROXY_ADDRESS_FORWARDING=true environment variable. Upon inspection of the > Docker image, however, I noticed that the > $JBOSS_HOME/standalone/configuration/standalone-ha.xml file in that image > does not have the > proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" attribute in > the > element. I also noticed that the > jboss-dockerfiles/keycloak-server base image has a sed command to add this > to the standalone.xml file but not to the standalone-ha.xml file. > > Also, of the examples I have found via Google searches, I have not found > examples of deploying Keycloak this way, which is surprising. I have seen > examples with a single instance using the standalone postgres image, but not > "Standalone Clustered". > > So here are my questions: > > 1. What are the specific differences between using --server-config > standalone-ha.xml vs standalone.xml? > 2. Is there communication between the pods that needs to happen when > running in "Standalone Clustered Mode"? (I ask this because I would need to > make sure that this is possible, possibly across VPCs.) If so, what is it? > I am hoping they just share a database. > 3.
Why doesn't the base jboss-dockerfiles/keycloak-server image also > modify > the standalone-ha.xml file too, in the same way it modifies the > standalone.xml file: ( > https://github.com/jboss-dockerfiles/keycloak/blob/0a54ccaccd5e27e75105b904708ac4ccd80df5c5/server/Dockerfile#L23-L25 > )? > 4. Is there any other documentation, etc that I should be looking at? > > Thank you, > > Tonnis > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From psilva at redhat.com Wed Aug 30 16:21:18 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 30 Aug 2017 17:21:18 -0300 Subject: [keycloak-user] Keycloak restart necessary to access new resources? In-Reply-To: <000604B2.59A7132E@mail.ino.local> References: <000604B2.59A7132E@mail.ino.local> Message-ID: Which version are you using? I remember fixing a similar issue targeted to latest released version. Regards. Pedro Igor On Wed, Aug 30, 2017 at 2:34 PM, christian lutz wrote: > Hello, > > I just stumbled over a behavior I am not sure if intended or not. > > I add via the Admin REST API new resources to an existing client via > realm.clients().get(xy).authorization.resources().create(newResource); > > Then I have a simple javascript policy checking if a user is allowed to > access this specific resource. > It always fails for recently added resources. But after I restart the > keycloak it works. > I tried to login with different browser the same behavior. > > Do I have to call a refresh or similar so the javascript policy is able to > see the added resources? Or is this a bug? > > Sincerely > Christian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From pcfleischer at outlook.com Wed Aug 30 16:49:27 2017
From: pcfleischer at outlook.com (Phillip Fleischer) Date: Wed, 30 Aug 2017 20:49:27 +0000 Subject: [keycloak-user] Service account user attributes In-Reply-To: References: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> , Message-ID: I'm not a contributor, just an avid user. So "best" is relative. Seems like your solution will work; it just also seems like a service account role mapping would also work without any code. Both should be capable of being controlled through the admin UI, so I guess not much difference. ________________________________
From juan.amat at nokia.com Wed Aug 30 16:50:30 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US)) Date: Wed, 30 Aug 2017 20:50:30 +0000 Subject: [keycloak-user] Admin URL configuration In-Reply-To: References: Message-ID: So I guess that this is not a common scenario (too bad for me). Another comment. I have tried this ${application.session.host} property and I got an error when I hit the 'Logout all' button from the keycloak admin console. This is with version 2.5.5.Final.
Caused by: java.lang.IllegalArgumentException: RESTEASY003670: You did not supply enough values to fill path parameters
at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:728)
at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:721)
at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:250)
at org.keycloak.services.managers.ResourceAdminManager.logoutClient(ResourceAdminManager.java:237)
at org.keycloak.services.managers.ResourceAdminManager.logoutAll(ResourceAdminManager.java:213)
at org.keycloak.services.resources.admin.RealmAdminResource.logoutAll(RealmAdminResource.java:417)
Hello, I have a question about the Admin URL configuration for an OIDC client. I have an application deployed on Wildfly 10.1. This application is not distributable, stateful and relies on sticky session (using the JSESSIONID cookie). Now on the same machine I have 2 wildfly instances. Question is what value should I provide in the for the Admin URL? I see that we have this ${application.session.host} but AFAIU this will not help as the host will be the same for both. Ciao. From pcfleischer at outlook.com Wed Aug 30 21:00:38 2017
From: pcfleischer at outlook.com (Phillip Fleischer) Date: Thu, 31 Aug 2017 01:00:38 +0000 Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha? In-Reply-To: References: , Message-ID: I don't know if I have the exact answers to your questions but... 1) if you diff the files my recollection was configuration settings for shared cache. 2) same as above. Not a stateless database connection. Cache uses infinispan and nodes communicate by multicast or jgroups. 3) docker could have been done either way, I could apply xsl to either file and change my entry point. It's up to the developer of the docker file. 4) the only resources I have found were not "keycloak" but more jboss. Personally haven't found a definitive source on the topic. Probably not what you're looking for, but maybe this helps. ________________________________
From christianlutz at inovel.de Thu Aug 31 02:17:01 2017 From: christianlutz at inovel.de (christian lutz) Date: Thu, 31 Aug 2017 06:17:01 +0000 Subject: [keycloak-user] Re-2: Keycloak restart necessary to access new resources? In-Reply-To: References: Message-ID: <000604C3.59A7C5E9@mail.ino.local> Good Morning, I am running on 3.2.1.Final, sorry that I forgot to add this. kind regards. Christian From daniel.storey at weareact.com Thu Aug 31 04:38:11 2017
From: daniel.storey at weareact.com (Daniel Storey) Date: Thu, 31 Aug 2017 08:38:11 +0000 Subject: [keycloak-user] Service account user attributes In-Reply-To: References: <51351f43-4cd3-a591-5aa7-38dddf866d1d@redhat.com> , Message-ID: Thanks Phillip. I need a custom mapper to transform my user/service account attribute into a complex object claim value (not a primitive claim value). So, unfortunately, it's not simply a case of mapping a role name to a claim, which is what I think you are suggesting? Assuming a custom mapper is necessary, it seems to make sense to fold the user/service account conditional logic into the mapper. From: Phillip Fleischer [mailto:pcfleischer at outlook.com] Sent: 30 August 2017 21:49 To: Daniel Storey Cc: Marek Posolda ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Service account user attributes I'm not a contributor just an avid user. So "best" is relative. Seems like your solution will work just also seems like a service account role mapping would also work without any code. Both should be capable of controlling through the admin UI, so I guess not much difference. ________________________________ 
From: Daniel Storey Sent: Wednesday, August 30, 2017 10:54:45 AM To: Phillip Fleischer Cc: Marek Posolda; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Service account user attributes Hi Phillip Thanks very much for your suggestion. To give a bit more context, I have a requirement to convert a custom attribute associated with the resource owner (user or service account) into a complex type OIDC claim for all token requests. I have achieved this for requests associated with a user account by implementing an OIDC protocol mapper similar to the "User Attribute" mapper. I have attempted to do the same for service account requests by adding functionality similar to the "Hardcoded Claim" mapper. My mapper checks the UserModel associated with the request, then executes either User Attribute mapper-esque logic, where the value to convert to a claim comes from a user attribute, or Hardcoded Claim mapper-esque logic, where the value to convert comes from the ProtocolMapperModel. The hardcoded claim part essentially allows me to define service account-specific claims via the admin UI. It seems UserModel.serviceAccountClientLink is only set on service account token requests (null on user requests), so I'm driving my mapper logic off the presence of this property. If this is not advisable, I will define a service account role and check this instead, as you suggest. Given my requirement, does this sound like a reasonable solution? -----Original Message-----
From: Phillip Fleischer [mailto:pcfleischer at outlook.com] Sent: 30 August 2017 13:11 To: Daniel Storey Cc: Marek Posolda; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Service account user attributes Is there a reason you're not using service account roles? This is what we use for this. Ideally you'd create realm and client roles that determine the access level for whatever actions you want the service account to be authorized to do, or you could just make a role "service_account" which will show in the realm role access in the token, or some combination of roles that do both. If you then want this to be a "claim" instead of a "role" in the token then you could use the "User Realm Role" protocol mapper (assuming OIDC protocol). It'd probably be cool to be able to actually mess with the user entity in the admin too, to do some attributes that are a claim... but there's probably a bunch of good reasons not to allow that either (e.g. there's a bunch of stuff you can't do like impersonate or delete that would need to be blocked from the UI). It might be possible to edit the user via the rest api too if you really really need it to be an attribute, but that's likely a hack. > On Aug 30, 2017, at 2:54 AM, Daniel Storey wrote: > > Thanks Marek. What would you suggest is the most reliable way to detect a service account login from a protocol mapper? Is there a service account flag in UserModel, or would I need to check for the existence of known service account field(s), such as client notes? > > Are there any plans to make service account users viewable/editable in the same way as 'normal' users (via the Keycloak admin UI) in a future release? > > Many thanks > Dan > > -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: 25 August 2017 21:15 > To: Daniel Storey; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Service account user attributes > > On 25/08/17 15:11, Daniel Storey wrote: >> Hello >> >> I would like to use service accounts to allow my OIDC clients to obtain access tokens using the client credentials grant. Furthermore, I'm trying to find a way to define additional attributes for each service account client so that I can map them to custom claims via a protocol mapper. >> >> I notice that Keycloak creates an internal user for each service account in its database, but the user is not visible/editable through the admin UI. Therefore, I am unable to create attributes for the service account user as I can for 'normal' users. >> >> I think I can define custom claims for a service account using a protocol mapper (something like the "hardcoded claim" mapper), assuming I can distinguish service account requests from user requests in the mapper. If this approach is not recommended, I would be very grateful if you could suggest an alternative. > That's possible if you plan to implement your own protocol mapper. You can detect if login is service-account for example by checking if UserModel corresponds to service-account user. There are also some client notes, which are available just for service-account logins. > > Marek >> >> Kind regards >> Dan >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user
From joerg.js.schmidt at daimler.com Thu Aug 31 05:16:19 2017
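As an added illustration of the approach Daniel Storey and Marek Posolda discuss in the "Service account user attributes" thread above (one OIDC protocol mapper that emits a JSON-valued claim, taking the value from a user attribute for ordinary logins and from the mapper's own configuration for service-account logins, and telling the two apart by UserModel.getServiceAccountClientLink()), here is an example mapper. It is not code from the thread or from the Keycloak project: the package, class name, provider id and the two config keys (user.attribute, service.account.claim.value) are made up for the example, and it assumes the Keycloak 3.x mapper SPI (the three-argument setClaim hook of AbstractOIDCProtocolMapper; later releases add an overload with KeycloakSession and ClientSessionContext) and the org.keycloak.util.JsonSerialization helper.

```java
package com.example.keycloak.mapper; // hypothetical package, not part of Keycloak

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.util.JsonSerialization;

/**
 * Example mapper (not Keycloak's own): emits one JSON-valued claim. For a user login the JSON
 * comes from a user attribute; for a service-account login (client credentials grant) it comes
 * from the mapper config, so it can be set per client in the admin console even though the
 * service-account user itself is hidden there.
 */
public class ServiceAccountAwareJsonClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "oidc-service-account-aware-json-claim-mapper"; // hypothetical id
    public static final String USER_ATTRIBUTE = "user.attribute";                 // hypothetical config key
    public static final String SERVICE_ACCOUNT_VALUE = "service.account.claim.value"; // hypothetical config key

    private static final Logger LOG = Logger.getLogger(ServiceAccountAwareJsonClaimMapper.class);
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty attr = new ProviderConfigProperty();
        attr.setName(USER_ATTRIBUTE);
        attr.setLabel("User attribute");
        attr.setHelpText("User attribute holding a JSON document; used for user logins.");
        attr.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(attr);

        ProviderConfigProperty sa = new ProviderConfigProperty();
        sa.setName(SERVICE_ACCOUNT_VALUE);
        sa.setLabel("Service account claim value (JSON)");
        sa.setHelpText("JSON document emitted when the token is issued to this client's service account.");
        sa.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG.add(sa);

        // Adds "Token Claim Name", "Claim JSON Type" and the add-to-ID/access/userinfo switches.
        // The JSON type switch is ignored by this mapper: the value is always the parsed document.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG, ServiceAccountAwareJsonClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "JSON claim (user attribute / service account)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Maps a JSON document to a claim; the source depends on whether the login is a service account."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // Keycloak 3.x hook; called for ID token, access token and userinfo according to the switches.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
        String claimName = mappingModel.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
        if (claimName == null || claimName.isEmpty()) {
            return;
        }
        String json = selectJson(userSession.getUser(), mappingModel.getConfig());
        if (json == null || json.trim().isEmpty()) {
            return; // nothing configured for this principal: emit no claim rather than an empty one
        }
        Object value;
        try {
            value = JsonSerialization.readValue(json, Object.class); // Map or List for a JSON document
        } catch (IOException e) {
            // Malformed JSON in an attribute or in the config must not break token issuance.
            LOG.warnf("Mapper %s: invalid JSON for claim %s, claim skipped", mappingModel.getName(), claimName);
            return;
        }
        // Top-level claim only; dotted names are not expanded into nested objects here.
        token.getOtherClaims().put(claimName, value);
    }

    /** A service-account user carries the internal id of its client; ordinary users carry null. */
    static String selectJson(UserModel user, Map<String, String> config) {
        if (user.getServiceAccountClientLink() != null) {
            return config.get(SERVICE_ACCOUNT_VALUE);
        }
        String attributeName = config.get(USER_ATTRIBUTE);
        return attributeName == null ? null : user.getFirstAttribute(attributeName);
    }
}
```

To install it, package the class in a jar together with a META-INF/services/org.keycloak.protocol.ProtocolMapper file containing the class name, deploy the jar (standalone/deployments or as a module), and add the mapper to the client under Mappers. One trust-boundary point worth keeping in mind: for user logins the claim is whatever the user attribute contains, so that attribute must only be writable by administrators; if end users can edit it, they can put authorization data into a claim that relying parties will trust.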
From: joerg.js.schmidt at daimler.com (joerg.js.schmidt at daimler.com) Date: Thu, 31 Aug 2017 09:16:19 +0000 Subject: [keycloak-user] Logout from external IDP, IDP doesn't support parameter forwarding Message-ID: <596e0f4677ec47cf90f77c326f8f5221@DE36S004EXC0B.wp.corpintra.net> I added an external OIDC provider as IDP in my Keycloak config. I've configured all Endpoints including the Logout URL. Login works perfectly. However when I try to logout from the external IDP, I see this URL: ?state=9ef361c6-e94b-469d-8f72-cef2f374bff8&id_token_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ewogInN1YiI6ICJGY0otNm1pYnNEZ3ZmWnFFN2hpSVVQNnBWTGhfWWpSQ1dROFFoMXVUeE53IiwKICJhdWQiOiAiNzE3NTdhZTgtODE1MC00MTcyLTk3NmMtZGUxZDdmZTEyOGJjIiwKICJjX2hhc2giOiAicGZMTHh5YzgxRW1rOTVpYVd0WkFCZyIsCiAiYWNyIjogImh0dHBzOi8vbG9naW4uc2VjdXJlLm1lcmNlZGVzLWJlbnouY29tL3dsL2xldmVsLTE1IiwKICJhenAiOiAiNzE3NTdhZTgtODE1MC00MTcyLTk3NmMtZGUxZDdmZTEyOGJjIiwKICJhdXRoX3RpbWUiOiAxNTA0MTY0NTY1LAogImlzcyI6ICJodHRwczovL2FwaS1jZXJ0LXRlc3QuaS5kYWltbGVyLmNvbS8iLAogImV4cCI6IDE1MDQxNzE3NjUsCiAiaWF0IjogMTUwNDE2NDU2NQp9.cRCPjvjJxpnkDsDVcSF4jne5_5EwTgF2Hd1kglPLTsw&post_logout_redirect_uri=<...>%2Fauth%2Frealms%2Fmy_realm%2Fbroker%2Fkeycloak-oidc%2Fendpoint%2Flogout_response And then the redirect from the IDP: /auth/realms/my_realm/broker/keycloak-oidc/endpoint/logout_response The URL parameter "state" is not appended to the logout_response, but it seems to be necessary for keycloak to do the logout. Is there any workaround? Joerg If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. From jw at blue-yonder.com Thu Aug 31 07:12:28 2017
From: jw at blue-yonder.com (Jonas Weismueller) Date: Thu, 31 Aug 2017 13:12:28 +0200 Subject: [keycloak-user] Keycloak / Azure AD Federation In-Reply-To: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> References: <5a32bb2e-b02b-7532-0fd9-01b0d2d33d7c@blue-yonder.com> Message-ID: Hi, thanks a lot to every one involved to get the fix into 3.3.0.CR1. The issue is fixed now. Cheers Jonas From madaras_adrian at yahoo.com Thu Aug 31 08:15:00 2017 From: madaras_adrian at yahoo.com (songokudbz) Date: Thu, 31 Aug 2017 05:15:00 -0700 (MST) Subject: [keycloak-user] Using Keycloak with Microsoft Azure Active Directory In-Reply-To: <680D2F13-0BBC-48D0-A65D-E480EA2584C1@carbonite.com> References: <680D2F13-0BBC-48D0-A65D-E480EA2584C1@carbonite.com> Message-ID: <1504181700928-0.post@n6.nabble.com> Hi, Can you please help other poor people like me and tell us how did you configure the mapper? Thanks -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From rafterjiang at hotmail.com Thu Aug 31 08:59:35 2017 From: rafterjiang at hotmail.com (rafterjiang) Date: Thu, 31 Aug 2017 05:59:35 -0700 (MST) Subject: [keycloak-user] Single keycloak server using two (or more) URLs. Message-ID: <1504184375060-0.post@n6.nabble.com> Is it possible to have one keycloak server but accessed by different URLs? How do we configure "keycloak.auth-server-url" for client adapter? For example Single keycloak server: keycloak01 For public access: https://public-url.keycloak01.test.com For internal access: https://internal-url.keycloak01.test.com How is this possible? thanks, R -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From psilva at redhat.com Thu Aug 31 09:13:16 2017 
From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 31 Aug 2017 10:13:16 -0300 Subject: [keycloak-user] Re-2: Keycloak restart necessary to access new resources? In-Reply-To: <000604C3.59A7C5E9@mail.ino.local> References: <000604C3.59A7C5E9@mail.ino.local> Message-ID: Can you please fill this JIRA [1] with more information about your setup ? I will try to reproduce this behavior, please provide the following information there: * Which adapter are you using ? E.g.: Wildfly, Spring Boot, Tomcat. * Can you provide the keycloak.json file you are using in your application ? [1] https://issues.jboss.org/browse/KEYCLOAK-5386 On Thu, Aug 31, 2017 at 3:17 AM, christian lutz wrote: > Good Morning, > > > I am running on 3.2.1.Final, sorry that I forgot to add this. > > > kind regards. > Christian > > > > > > Original Message processed by David > Re: [keycloak-user] Keycloak restart necessary to access new resources? > 30. August 2017, 22:21 > From Pedro Igor Silva > To christian lutz > Cc keycloak-user > > Which version are you using ? I remember fixing a similar issue targeted > to latest released version. > > > > Regards. > Pedro Igor > > > > On Wed, Aug 30, 2017 at 2:34 PM, christian lutz > wrote: > > > Hello, > > I just stumbled over a behavior I am not sure if intended or not. > > I add via the Admin REST API new resources to an existing client via > realm.clients().get(xy).authorization.resources().create(newResource); > > Then I have a simple javascript policy checking if a user is allowed to > access this specific resource. > It always fails for recently added resources. But after I restart the > keycloak it works. > I tried to login with different browser the same behavior. > > Do I have to call a refresh or similar so the javascript policy is able to > see the added resources? Or is this a bug?
> > Sincerely > Christian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > To: psilva at redhat.com > Cc: keycloak-user at lists.jboss.org > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From wim.vandenhaute at gmail.com Thu Aug 31 10:34:45 2017 From: wim.vandenhaute at gmail.com (Wim Vandenhaute) Date: Thu, 31 Aug 2017 14:34:45 +0000 Subject: [keycloak-user] 1 realm multiple ldap providers with username collisions Message-ID: Hello list, What would be the advisable way of handling following use case: 1 application authn using keycloak with a realm with > 1 ldap configurations But in 2 or more of those ldap's there are equal usernames. How can we for user1 make sure ldap1 is used and for user2 ldap2? I.e. for example where we could provide a login form with the username/password but with an additional dropdown that has the configured ldap providers in it. What would be the advisable way of handling such a situation? Is there any support for this that I am missing? Would having 2 realms be the only way to handle this right now? p.s. We are developing against keycloak 2.5.5 at the moment Kind regards, Wim. From gaetancollaud at gmail.com Thu Aug 31 10:51:36 2017 
From: gaetancollaud at gmail.com (Gaétan Collaud) Date: Thu, 31 Aug 2017 14:51:36 +0000 Subject: [keycloak-user] Single keycloak server using two (or more) URLs. In-Reply-To: <1504184375060-0.post@n6.nabble.com> References: <1504184375060-0.post@n6.nabble.com> Message-ID: Hi, We use different hosts as well but always with the "/auth" path for keycloak. So we set the relative path in the config: auth-server-url="/auth" Best regards, Gaetan On Thu, 31 Aug 2017 at 15:14, rafterjiang wrote: > Is it possible to have one keycloak server but accessed by different URLs? > How do we configure "keycloak.auth-server-url" for client adapter? > > For example > Single keycloak server: keycloak01 > For public access: https://public-url.keycloak01.test.com > For internal access: https://internal-url.keycloak01.test.com > > How is this possible? > > thanks, > R > > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jw at blue-yonder.com Thu Aug 31 11:09:03 2017
From: jw at blue-yonder.com (Jonas Weismueller) Date: Thu, 31 Aug 2017 17:09:03 +0200 Subject: [keycloak-user] Using Keycloak with Microsoft Azure Active Directory In-Reply-To: <1504181700928-0.post@n6.nabble.com> References: <680D2F13-0BBC-48D0-A65D-E480EA2584C1@carbonite.com> <1504181700928-0.post@n6.nabble.com> Message-ID: Hi, I try to summarize, what we did:

1. Download https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml and import as client in your realm.
2. Edit Client
   a. Settings: Disable Client Signature Required and set Signature Algorithm to "RSA_SHA1"
   b. Mapper: Name: IDPEmail, Mapper Type: User Property, Property: email, SAML Attribute Name: IDPEmail
3. Currently we use local user database
   a. Add user
   b. Attributes: add/change key "saml.persistent.name.id.for.urn:federation:MicrosoftOnline" to "$foo" <- $foo must be the value of the ImmutableId attribute of the user synchronized to Azure AD.

On Azure site we followed the instruction on the website: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

With Powershell we changed the authentication domain to be federated:

$cer=" " <- get the public key certificate from keycloak https://keycloak-host.tld/auth/realms/Azure/protocol/saml/descriptor, see X509Certificate
$uri="https://keycloak-host.tld/auth/realms/Azure/protocol/saml"
$issuer_uri="https://keycloak-host.tld/auth/realms/Azure"
$dom=""
Set-MsolDomainAuthentication -DomainName $dom `
  -Authentication Federated -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri -IssuerUri $issuer_uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP

You can verify the settings via: Get-MsolDomainFederationSettings -DomainName ""

If you want to change the settings, you have to set the domain back to managed first: Set-MsolDomainAuthentication -DomainName "" -Authentication Managed

The federation change of the domain might take up to 72 hours until properly applied. Hope this helps Cheers Jonas On 31.08.17 14:15, songokudbz wrote: > Hi, > > Can you please help other poor people like me and tell us how did you > configure the mapper? > > Thanks > > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From christianlutz at inovel.de Thu Aug 31 12:04:16 2017 From: christianlutz at inovel.de (christian lutz) Date: Thu, 31 Aug 2017 16:04:16 +0000 Subject: [keycloak-user] Re-2: Single keycloak server using two (or more) URLs. In-Reply-To: References: Message-ID: <000604FB.59A84F8B@mail.ino.local> Hello, we are using a reverse proxy, so different urls can be applied to the same service. kind regards. Christian -------- Original Message -------- Subject: Re: [keycloak-user] Single keycloak server using two (or more) URLs. (31. August 2017, 16:51)
From: Gaétan Collaud To: christianlutz at inovel.de > Hi, We use different hosts as well but always with the "/auth" path for keycloak. So we set the relative path in the config: auth-server-url="/auth" Best regards, Gaetan On Thu, 31 Aug 2017 at 15:14, rafterjiang <rafterjiang at hotmail.com> wrote: > Is it possible to have one keycloak server but accessed by different URLs? > How do we configure "keycloak.auth-server-url" for client adapter? > > For example > Single keycloak server: keycloak01 > For public access: https://public-url.keycloak01.test.com > For internal access: https://internal-url.keycloak01.test.com > > How is this possible? > > thanks, > R > > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user To: gaetancollaud at gmail.com rafterjiang at hotmail.com keycloak-user at lists.jboss.org From kurrent93 at gmail.com Thu Aug 31 20:12:54 2017 From: kurrent93 at gmail.com (Anton) Date: Fri, 1 Sep 2017 07:12:54 +0700 Subject: [keycloak-user] Authenticator SPI - OpenShift s2i image? Message-ID: Hello We are looking at extending keycloak in various ways, such as implementing a custom Authenticator. I'm wondering if there exist any s2i builds for openshift that can take (custom authentication) source code from a git repo, build, and deploy into a keycloak image in the correct keycloak directory? Thanks Anton