From mposolda at redhat.com Thu Mar 1 02:05:17 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 1 Mar 2018 08:05:17 +0100
Subject: [keycloak-user] Poor response time for User REST API
In-Reply-To: <8633603B-8574-4B06-9979-494DD4CD01EB@edlogics.com>
References: <1cc656ba-d11c-b4a5-6db3-dc311fa55bfa@redhat.com>
	<8633603B-8574-4B06-9979-494DD4CD01EB@edlogics.com>
Message-ID: <18742195-4c67-cca9-969b-0fa808142928@redhat.com>

No, that's why I mentioned that you would need to build latest master.
That will allow you to check early. Other option is to wait for first
alpha 4.0 release, but not sure when it will be released.

Marek

On 28/02/18 23:13, Chris Savory wrote:
> Has that performance fix been released yet? If so, do you know which version it is in?
>
> --
> Christopher Savory
>
> On 2/28/18, 2:01 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Posolda" wrote:
>
> I think there is some fix in latest Keycloak master related to that.
> Could you try to build latest master and check if you see better
> performance?
>
> Marek
>
> On 28/02/18 18:22, Cedric Vidaillac wrote:
> > Hi all,
> >
> > I have ~4k users imported in my (postgres) database, when I go for
> >
> >     GET /{realm}/users/
> >
> > For max=100 (default) it takes about 20-22s to respond (60kb document).
> > For max=20, I still get 4s response time, which is kinda... not ideal.
> >
> > I'm not sure if those response times are normal, and if not why is this so
> > slow?
> >
> > I'm guessing this overhead is caused by the JSON response, I tried on the
> > database (>20ms). -> is there a way to reduce the JSON data response
> > produced by Keycloak? I only need usernames.
> >
> > I didn't find anything in the docs, I tried ?fields=username in query param,
> > sadly it doesn't work.
> >
> > In case you're wondering why I do that, I want to use an auto-complete on
> > my app, with usernames.
> >
> > Thanks for reading.
> >
> > Cédric.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From pinguwien at gmail.com Thu Mar 1 04:48:20 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Thu, 1 Mar 2018 10:48:20 +0100
Subject: [keycloak-user] Kerberos & login, multiple environments with multiple users
In-Reply-To: <189223019.1102224.1519851958233.JavaMail.zimbra@jlab.org>
References: <189223019.1102224.1519851958233.JavaMail.zimbra@jlab.org>
Message-ID: <3160304a-9394-4b3a-c39b-3a214819dd97@gmail.com>

I'll try out the multi-realm approach and give feedback later. Thanks for
your answers!

Dominik

On 28.02.18 at 22:05, Ryan Slominski wrote:
> I think whether or not session cookies are shared between browser tabs is browser specific, but in Firefox I believe they are shared. You can create separate Firefox "profiles" to get around it:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=117222
>
> ----- Original Message -----
> From: "Marek Posolda"
> To: "Dominik Guhr", "keycloak-user"
> Sent: Wednesday, February 28, 2018 3:21:06 PM
> Subject: Re: [keycloak-user] Kerberos & login, multiple environments with multiple users
>
> I am not sure I understand correctly, but generally, Keycloak is browser
> SSO and being logged in 2 browser tabs in 2 clients as different user is
> something generally unsupported and can cause various kind of issues. If
> you want something like this just for development, you can maybe use
> different realms?
>
> Marek
>
> On 28/02/18 14:30, Dominik Guhr wrote:
>> Hi everyone,
>>
>> so I've built a custom kerberos authenticator which should, depending on
>> a querystring, not automatically login.
>> So, when I add &login=manual to the url, kerberos authenticator starts,
>> checks, and stops.
>> Now everything is fine when I use this authenticator under normal
>> conditions, in one tab, but:
>>
>> - As a dev, I sometimes have different tabs with different environments
>> open, e.g. http://myapp-local, http://myapp-dev - these apps are
>> different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev
>>
>> Now I get logged in via kerberos in myapp-local, logout in myapp-test
>> and try to login with different credentials manually in myapp-test.
>> Then, the AuthenticationProcessor raises the following exception when
>> doing this with kerberos login-enabled browsers (chrome, ie):
>>
>> =====================
>> 2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2)
>> type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null,
>> ipAddress=10.242.50.137, error=different_user_authenticated,
>> auth_method=openid-connect, auth_type=code, response_type=code,
>> redirect_uri=https://myurl/my-webapp-dev/, consent=no_consent_required,
>> previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997,
>> code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
>> 2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2)
>> KC-SERVICES0013: Failed authentication:
>> org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
>>     at org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
>>     at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
>>     at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
>>     at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
>>     at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
>>     at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
>>     at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
>>     at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> =================
>>
>> and in the browser I get an "unexpected error when handling request to
>> identity provider" errormsg.
>>
>> When doing the same thing in firefox (no kerberos, manual login, open 2
>> tabs in 2 different environments and login with different users), I get
>> at least the errormsg "You are already authenticated as different user
>> [name] in this session. Please logout first."
>>
>> So, my questions are:
>> - Why is this not possible?
>> - Is there anything I can do (having a custom authenticator for
>> kerberos/AD and a custom userstorageprovider for applicationdb) to make
>> it possible to have different users logged in in different tabs for
>> different kc-clients in the same realm?
>> - More specifically: Is there a possibility to use the
>> AuthenticationProcessor in an SPI without having to make a custom
>> keycloak build and remove the check in line 246/setAuthenticatedUser, or
>> does this mess up the whole authentication session?
>>
>> Would be great to get a hint here.
>>
>> Thanks!
>>
>> Best regards,
>> Dominik

From cedric.vidaillac at gmail.com Thu Mar 1 05:53:05 2018
From: cedric.vidaillac at gmail.com (Cedric Vidaillac)
Date: Thu, 1 Mar 2018 11:53:05 +0100
Subject: [keycloak-user] Poor response time for User REST API
In-Reply-To: <18742195-4c67-cca9-969b-0fa808142928@redhat.com>
References: <1cc656ba-d11c-b4a5-6db3-dc311fa55bfa@redhat.com>
	<8633603B-8574-4B06-9979-494DD4CD01EB@edlogics.com>
	<18742195-4c67-cca9-969b-0fa808142928@redhat.com>
Message-ID:

After minor investigations, I found out that the query is eating all up.
I've added some logs in UsersResources.getUsers (keycloak-services) and
restarted the server. I added a rudimentary stopwatch at method start,
and here is the result:

- Require query: 1ms
- Executing query: 6837ms
- Mapping to List: 7350ms

Total response time (postman) 7436ms, yesterday it was around 20s, I
don't know why it went down, but it's still quite poor.

So the query seems to be the problem here. The implementation used is
org.keycloak.models.cache.infinispan.UserCacheSession.

I forgot to say that I'm using 3.4.3.Final. I'm not going to try to
compile master, I will wait for next version.

Thanks.
On Thu, Mar 1, 2018 at 8:05 AM, Marek Posolda wrote:
> No, that's why I mentioned that you would need to build latest master.
> That will allow you to check early. Other option is to wait for first alpha
> 4.0 release, but not sure when it will be released.
>
> Marek

From sr.misc at gmail.com Thu Mar 1 07:18:07 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Thu, 1 Mar 2018 14:18:07 +0200
Subject: [keycloak-user] Keycloak Client doesn't have secret available with Access Type Public
Message-ID:

Hi all,

I am using Keycloak 3.4.3 and protecting a Spring based Rest service.

Below is the Keycloak client configuration:

    Client Protocol: openid-connect
    Access Type: public
    Standard Flow Enabled: ON
    Implicit Flow
    Direct Access Grants Enabled: ON
    Authorization Enabled: OFF

Is it important to provide a secret with Access Type as public? If yes,
how can I provide the secret, as I couldn't find any option in the
Keycloak client configuration. Please help.

2018-02-28 15:19:10.216  WARN 7813 --- [nio-8080-exec-2] a.a.ClientIdAndSecretCredentialsProvider : Client 'democlientid' doesn't have secret available
2018-02-28 15:19:10.375 ERROR 7813 --- [nio-8080-exec-2] o.k.adapters.OAuthRequestAuthenticator   : failed to turn code into token

java.net.ConnectException: Connection refused (Connection refused)
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:na]
    at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:400) ~[na:na]
    at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:243) ~[na:na]
    at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:225) ~[na:na]
    at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402) ~[na:na]
    at java.base/java.net.Socket.connect(Socket.java:591) ~[na:na]
    at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:121) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:336) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:281) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203) ~[spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50) [spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.doAuthenticate(KeycloakAuthenticatorValve.java:57) [spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:586) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) ~[spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.27.jar!/:8.5.27]

Regards,

From sr.misc at gmail.com Thu Mar 1 07:18:40 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Thu, 1 Mar 2018 14:18:40 +0200
Subject: [keycloak-user] Unable to load Spring Framework Libraries in Wildfly accessible to deployed JAR
Message-ID:

Hi all,

I am writing a custom Keycloak User Storage SPI, which is a JAR file. I
would like to use Spring DI in the JAR. I have added the Spring JARs as
Modules in Keycloak's Wildfly server.
Also, I am not able to load the Spring context, as the Keycloak User
Storage SPI is initiated from META-INF/services
"org.keycloak.storage.UserStorageProviderFactory" and invokes the
UserStorageProviderFactory.init method.

It also doesn't read the properties file inside the resources directory.

Please advise how I can make this work.

Regards,

From pinguwien at gmail.com Thu Mar 1 07:27:12 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Thu, 1 Mar 2018 13:27:12 +0100
Subject: [keycloak-user] Unable to load Spring Framework Libraries in Wildfly accessible to deployed JAR
In-Reply-To:
References:
Message-ID:

Hi Sachy,

to load your module in wildfly (when the module lies in the wildfly
modules-directory), add <scope>provided</scope> to your artifact. Also,
to access them with the wildfly classloader, add the following to your
build in pom.xml:

    <plugin>
      <artifactId>maven-jar-plugin</artifactId>
      <version>3.0.2</version>
      <configuration>
        <archive>
          <manifestEntries>
            <Dependencies>org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-ldap-federation,org.keycloak.keycloak-kerberos-federation</Dependencies>
          </manifestEntries>
        </archive>
      </configuration>
    </plugin>

where the Dependencies value consists of a comma-separated list of the
modules used in your SPI, in your case e.g. org.springframework.core or
something.

Hope this helps!

Best regards,
Dominik

On 01.03.18 at 13:18, Sachin Rastogi wrote:
> Hi all,
>
> I am writing a custom Keycloak User Storage SPI, which is a JAR file. I
> would like to use Spring DI in the JAR. I have added the Spring JARs as
> Modules in Keycloak's Wildfly server.
>
> Also, I am not able to load the Spring context, as the Keycloak User
> Storage SPI is initiated from META-INF/services
> "org.keycloak.storage.UserStorageProviderFactory" and invokes the
> UserStorageProviderFactory.init method.
>
> It also doesn't read the properties file inside the resources directory.
>
> Please advise how I can make this work.
>
> Regards,

From subodhcjoshi82 at gmail.com Thu Mar 1 07:36:29 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 1 Mar 2018 18:06:29 +0530
Subject: [keycloak-user] Keycloak Client doesn't have secret available with Access Type Public
In-Reply-To:
References:
Message-ID:

As I understood your problem, you mean you have to change Access Type:
public to Access Type: confidential; only then will the Credentials tab
become visible.

On Thu, Mar 1, 2018 at 5:48 PM, Sachin Rastogi wrote:
> Hi all,
>
> I am using Keycloak 3.4.3 and protecting a Spring based Rest service.
>
> Below is the Keycloak client configuration:
>
>     Client Protocol: openid-connect
>     Access Type: public
>     Standard Flow Enabled: ON
>     Implicit Flow
>     Direct Access Grants Enabled: ON
>     Authorization Enabled: OFF
>
> Is it important to provide a secret with Access Type as public? If yes,
> how can I provide the secret, as I couldn't find any option in the
> Keycloak client configuration. Please help.
>
> 2018-02-28 15:19:10.216  WARN 7813 --- [nio-8080-exec-2] a.a.ClientIdAndSecretCredentialsProvider : Client 'democlientid' doesn't have secret available
> 2018-02-28 15:19:10.375 ERROR 7813 --- [nio-8080-exec-2] o.k.adapters.OAuthRequestAuthenticator   : failed to turn code into token
>
> java.net.ConnectException: Connection refused (Connection refused)
>
> Regards,

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From jerry.saravia at virginpulse.com Thu Mar 1 14:59:15 2018
From: jerry.saravia at virginpulse.com (Jerry Saravia)
Date: Thu, 1 Mar 2018 19:59:15 +0000
Subject: [keycloak-user] Reset credentials flow loses context if browser cookie not present
Message-ID:

NOTE: This is a potential double posting since I posted on Feb 28th and
thought this might be lost since we're in March now. Apologies in advance.

Hey all,

I ran into an issue. Suppose I go to my keycloak instance with this url
`auth/realms/myrealm/login-actions/reset-credentials?client_id=my_client_id`.
The reset email gets sent after entering my email. However, if I copy that
link and open it in a separate browser session it fails to maintain the
client_id used in the original request. Instead it switches to
client_id = account. I know why this happens.
In LoginActionsService there is this @Path(RESET_CREDENTIALS_PATH) @GET public Response resetCredentialsGET(@QueryParam("code") String code, @QueryParam("execution") String execution, @QueryParam("client_id") String clientId) { AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm); // we allow applications to link to reset credentials without going through OAuth or SAML handshakes if (authSession == null && code == null) { if (!realm.isResetPasswordAllowed()) { event.event(EventType.RESET_PASSWORD); event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED); } authSession = createAuthenticationSessionForClient(); return processResetCredentials(false, null, authSession, null); } event.event(EventType.RESET_PASSWORD); return resetCredentials(code, execution, clientId); } The getCurrentAuthenticationSession method checks a cookie to get the session, which isn?t present in a fresh browser session. Afterward, the `createAutenticationSessionForClient` doesn?t use the clientId query parameter and defaults to the account client. Is this a bug? A security issue? I couldn?t find a bug for it in Jira. Should I create a bug and fix it? It?s not easy to overwrite this but if you have any workarounds let me know. My current approach is going to be to attempt to create a realm resource that exhibits the right behavior. Jerry S Jerry Saravia Senior Software Engineer P (516) 603-6914 virginpulse.com globalchallenge.virginpulse.com 75 Fountain Street, Suite 310, Providence, RI 02902 Australia | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). 
Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.

From jason.lei.wang at gmail.com Thu Mar 1 15:03:28 2018
From: jason.lei.wang at gmail.com (Jason Wang)
Date: Fri, 2 Mar 2018 09:03:28 +1300
Subject: [keycloak-user] how to setup an admin user for selective realms?
Message-ID:

Hi all,

In a multi-tenant environment (multiple organisations using one keycloak), I would like to set up some privileged users who can manage other users, setting up LDAP for the realm that user belongs to.

Role based permissions would be ideal, but I have not figured out how to associate roles with permissions. Wishing there were resource based ACL lists to query and manage.

What's the best way to achieve this?

Many thanks
Jason

From rudolf.jurisic at degordian.com Thu Mar 1 15:42:16 2018
From: rudolf.jurisic at degordian.com (Rudolf Jurišić)
Date: Thu, 1 Mar 2018 21:42:16 +0100
Subject: [keycloak-user] Securing rest api with keycloak without cookie
Message-ID:

Hi guys!

I am building a nodejs restify app. I want to protect my endpoints, but to use the login programmatically.

I used the example from https://github.com/v-ladynev/keycloak-nodejs-example/blob/master/app.js

I make a request to the server
http://localhost:3000/login?login=admin_user&password=admin_user&client_id=CAMPAIGN_CLIENT

and get a response with tokens.
{
  "access_token": {
    "token": "eyJhbGciOiJSUzI1NiIs...

With this token I then make a request with Authorization header bearer plus token to a keycloak.protected endpoint.

If I do it with cookie, everything works fine.

Can I do it without cookie (for example from postman), just by using the token in every request I make on the protected endpoints?

And more importantly, is this a good flow and can it work like this:
1. obtain tokens
2. use bearer with the access token for every request to protected endpoints
?
Thanks

--
*RUDOLF JURIŠIĆ*
#SENIOR_SOFTWARE_DEVELOPER
rudolf.jurisic at degordian.com
+385 99 2737 781
www.degordian.com
www.facebook.com/Degordian

From postmaster at lists.jboss.org Thu Mar 1 22:15:47 2018
From: postmaster at lists.jboss.org (Mail Administrator)
Date: Fri, 2 Mar 2018 11:15:47 +0800
Subject: [keycloak-user] Mail System Error - Returned Mail
Message-ID: <201803020315.w223FMwt017242@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Your message was not delivered due to the following reason(s):

Your message was not delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message could not be delivered within 5 days:
Host 33.117.234.98 is not responding.

The following recipients did not receive this message:

Please reply to postmaster at lists.jboss.org if you feel this message to be in error.

From hmidi.slim2 at gmail.com Fri Mar 2 02:54:47 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Fri, 2 Mar 2018 08:54:47 +0100
Subject: [keycloak-user] Keycloak's database
Message-ID:

Hi,
I didn't find any section in the official documentation talking about the different tables contained in the keycloak database. Is there any link that describes the different tables and their relations with the admin console? For example, which table contains the permissions given for a resource and so on.

Best Regards,
Slim.
From cedric.thiebault at sensefly.com Fri Mar 2 03:25:46 2018
From: cedric.thiebault at sensefly.com (Cedric Thiebault)
Date: Fri, 2 Mar 2018 08:25:46 +0000
Subject: [keycloak-user] Spring Boot with multiple Keycloak instances
Message-ID:

Hello,

We are developing a REST API (Spring Boot micro-services) secured by Keycloak.

We would like to use 2 different Keycloak instances:
- one for employees linked to our Active Directory
- one for our customers
The idea is to isolate environments to reduce the impact on customer side when modifying internal services...

Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks guys!). But I don't see in documentation how to use 2 Keycloak instances as we always refer to a single keycloak.json.

Is securing a Spring Boot app with 2 different Keycloak instances possible?

Thanks for your help!

Cedric

From sblanc at redhat.com Fri Mar 2 03:48:57 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Mar 2018 09:48:57 +0100
Subject: [keycloak-user] Spring Boot with multiple Keycloak instances
In-Reply-To:
References:
Message-ID:

Hi Cedric,

You mention "keycloak.json" so I assume you are using the Spring Security Adapter? If this is the case we don't have an out of the box solution but you can solve it by implementing your own KeycloakConfigResolver, take a look here http://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy

then in your Spring Boot app declare a bean to point to the new config resolver like:

    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new MyCustomConfigResolver();
    }

If you are using Spring Boot adapter "standalone" with the config in the properties file, then we don't support multitenancy yet but we are working on a solution.

On Fri, Mar 2, 2018 at 9:25 AM, Cedric Thiebault <cedric.thiebault at sensefly.com> wrote:

> Hello,
>
> We are developing a REST API (Spring Boot micro-services) secured by
> Keycloak.
>
> We would like to use 2 different Keycloak instances:
> - one for employees linked to our Active Directory
> - one for our customers
> The idea is to isolate environments to reduce the impact on customer side
> when modifying internal services...
>
> Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks
> guys!). But I don't see in documentation how to use 2 Keycloak instances as we
> always refer to a single keycloak.json.
>
> Is securing a Spring Boot app with 2 different Keycloak instances possible?
>
> Thanks for your help!
>
> Cedric
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sblanc at redhat.com Fri Mar 2 04:09:00 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Mar 2018 10:09:00 +0100
Subject: [keycloak-user] Securing rest api with keycloak without cookie
In-Reply-To:
References:
Message-ID:

On Thu, Mar 1, 2018 at 9:42 PM, Rudolf Jurišić wrote:

> Hi guys!
>
> I am building a nodejs restify app.
> I want to protect my endpoints, but to use the login programmatically.
>
> I used the example from
> https://github.com/v-ladynev/keycloak-nodejs-example/blob/master/app.js
>
> I make a request to the server
> http://localhost:3000/login?login=admin_user&password=admin_user&client_id=CAMPAIGN_CLIENT
>
> and get a response with tokens.
> {
>   "access_token": {
>     "token": "eyJhbGciOiJSUzI1NiIs...
>
> With this token I then make a request with Authorization header bearer plus
> token to a keycloak.protected endpoint.
>
> If I do it with cookie, everything works fine.
>
> Can I do it without cookie (for example from postman), just by using the
> token in every request I make on the protected endpoints?
>

yes

>
> And more importantly, is this a good flow and can it work like this:
> 1. obtain tokens
> 2.
> use bearer with the access token for every request to protected
> endpoints
>

Yes this is the basic flow of a Front End obtaining the token (through redirect or programmatically like you do) and using it against a bearer-only backend.

>
> ?
>
> Thanks
>
>
> --
> *RUDOLF JURIŠIĆ*
> #SENIOR_SOFTWARE_DEVELOPER
> rudolf.jurisic at degordian.com
> +385 99 2737 781
>
> www.degordian.com
> www.facebook.com/Degordian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Fri Mar 2 06:01:17 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 02 Mar 2018 11:01:17 +0000
Subject: [keycloak-user] how to setup an admin user for selective realms?
In-Reply-To:
References:
Message-ID:

Hi Jason,

have you checked http://www.keycloak.org/docs/latest/server_admin/index.html#_admin_permissions ?

Thu, 1 Mar 2018 at 23:05, Jason Wang:

> Hi all,
>
> In a multi-tenant environment (multiple organisations using one keycloak),
> I would like to set up some privileged users who can manage other users,
> setting up LDAP for the realm that user belongs to.
>
> Role based permissions would be ideal, but I have not figured out how to
> associate roles with permissions. Wishing there were resource based ACL lists
> to query and manage.
>
> What's the best way to achieve this?
>
> Many thanks
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jose.goncalves at inov.pt Fri Mar 2 06:17:37 2018
From: jose.goncalves at inov.pt (José Miguel Gonçalves)
Date: Fri, 2 Mar 2018 11:17:37 +0000
Subject: [keycloak-user] REST API: Get List of users
Message-ID: <3e35befb-dcd2-9381-020a-6e12f64e61d8@inov.pt>

Hi,

How can I add permissions to all users (or a group of users) on a newly created Realm to be able to access the list of users for that Realm?

Out of the box, if I perform:

GET /admin/realms/{realm}/users

I get a 403 Forbidden.

Best regards,
José Gonçalves

From melissa.palmer at gmail.com Fri Mar 2 06:26:14 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Fri, 2 Mar 2018 13:26:14 +0200
Subject: [keycloak-user] Project Member Role in Keycloak (similar to Redmine or Jira)?
Message-ID:

Hi,

Is there a way to set up a MemberRole type configuration with Keycloak? I am trying to represent something similar to what is done on Redmine or Jira, where you have Roles, Projects are assigned Roles, and a User is assigned a Role associated to specific project roles (meaning they only get the lowest permission for that specific project, not all projects).
*I have already asked on Stackoverflow, more details here:*
https://stackoverflow.com/questions/49028313/how-to-add-keycloak-cusom-member-role-relationship
https://stackoverflow.com/questions/49001694/how-to-model-project-role-membership-in-keycloak-like-redmine-or-jira

Thanks, in advance

From fquirogam8 at gmail.com Fri Mar 2 07:00:53 2018
From: fquirogam8 at gmail.com (Fernando Quiroga)
Date: Fri, 2 Mar 2018 13:00:53 +0100
Subject: [keycloak-user] Login with AD FS avoiding login page
Message-ID:

Hi everyone,

I'm following this post http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html to configure my application to login with AD FS with SAML protocol.

My setup is an Angular 5 UI using the keycloak-js adapter. When the app starts I launch the Keycloak.init({ onLoad: 'login-required'}) method to make the Keycloak login page appear. Right now I'm able to login using email and password or by clicking the SAML SSO button and logging in through the AD FS login page.

What I want to do? I want Keycloak to trigger the SAML SSO before showing the login screen, I mean, if on my pc I'm logged in with an AD FS account I want Keycloak to log me in directly with this account and only get me to the login page if I'm not a member of the AD FS so I could be able to login via email and password.

Regards
Fernando

From luis.villaca at gmail.com Fri Mar 2 08:28:34 2018
From: luis.villaca at gmail.com (Luis Villaça)
Date: Fri, 2 Mar 2018 10:28:34 -0300
Subject: [keycloak-user] Authorization issue (missing customized provider roles)
Message-ID:

Greetings,

I am implementing a strategy to reuse our company's authentication / authorization strategy with Keycloak.
I've read the documentation and started a use case based on the links below:
http://www.keycloak.org/docs/3.3/server_development/topics/providers.html#providers
http://www.keycloak.org/docs/3.0/server_development/topics/user-storage/simple-example.html

So far I have a class that implements UserStorageProviderFactory and instantiates my own Provider (implementing UserStorageProvider, UserLookupProvider and CredentialInputValidator). For the last one I've overridden the method "isValid..", where I am validating UserModel by calling our solution, using credentials captured in the Keycloak login screen, which works fine.

Now, at this same place I am also setting this user's roles (those roles were never included in the Keycloak Realm, I am pulling them from my provider), and the way I was able to push those into UserModel was calling the grantRole method of my UserModel, and providing a UserAdapter for that (AbstractUserAdapter throws a ReadOnlyException). I am able to include my roles by using getRoleMappingsInternal (I use my own Set), so that in my SpringBoot configuration I am able to use the setting below:

.antMatchers("/monitoring/**").hasRole("MONITOR_PORTAL")

The issue starts only when my access token lifespan expires (I've tested it with different settings). It does a call to keycloak, retrieves the authenticated User, redirects back to my app, but the role I included right after I logged in is lost. I couldn't find anywhere in the server how to adjust this behavior, or at least some point to intercept the event of token refresh.

So I have a couple of questions here:
1) Am I on the right path? Maybe I am overcomplicating something that should be simpler.
2) How is UserModel rebuilt after refreshing the token?
3) Is there another SPI interface indicated for my case?

Appreciate your attention, thanks in advance!
Here are my SpringBoot settings:

application.yml
=============
keycloak:
  realm: SpringBootCA4
  auth-server-url: http://10.30.211.101:8081/auth
  ssl-required: external
  resource: dashboard
  credentials:
    secret: 2xxxxxxf
  autodetect-bearer-only: true
  confidential-port: 0
  principal-attribute: preferred_username

build.gradle
===========
compile("org.springframework.boot:spring-boot-starter-web")
testCompile("org.springframework.boot:spring-boot-starter-test")
compile group: 'javax.servlet', name: 'javax.servlet-api', version: '4.0.0'
compile group: 'org.json', name: 'json', version: '20171018'
compile group: 'org.apache.poi', name: 'poi-ooxml', version: '3.17'
compile group: 'commons-io', name: 'commons-io', version: '2.6'
compile group: 'mysql', name: 'mysql-connector-java', version: '6.0.6'
compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '1.5.10.RELEASE'
compile group: 'org.keycloak', name: 'keycloak-tomcat8-adapter', version: '3.4.3.Final'
compile group: 'org.keycloak', name: 'keycloak-spring-boot-adapter', version: '3.4.3.Final'

From hmidi.slim2 at gmail.com Fri Mar 2 12:31:02 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Fri, 2 Mar 2018 18:31:02 +0100
Subject: [keycloak-user] Export realm inside a docker container
Message-ID:

Hi,
Is it possible to make the export inside a keycloak docker container?

From hmidi.slim2 at gmail.com Fri Mar 2 13:47:01 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Fri, 2 Mar 2018 19:47:01 +0100
Subject: [keycloak-user] Stop keycloak server
Message-ID:

Hi,
I'm looking for an option or a method to stop a running keycloak server in docker to make the export of files. Is there any argument to pass to the standalone.sh to stop the server?
From hmidi.slim2 at gmail.com Fri Mar 2 14:27:17 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Fri, 2 Mar 2018 20:27:17 +0100
Subject: [keycloak-user] STOP KEYCLOAK SERVER IN DOCKER CONTAINER
Message-ID:

When I tried to stop the server using ./bin/jboss-cli.sh shutdown, I got this message:

*[disconnected /] command terminated with exit code 137*

And I'm redirected out of the container. Anyone knows how to shutdown the server in docker without exiting the container?

From betalb at gmail.com Fri Mar 2 14:33:08 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 02 Mar 2018 19:33:08 +0000
Subject: [keycloak-user] REST API: Get List of users
In-Reply-To: <3e35befb-dcd2-9381-020a-6e12f64e61d8@inov.pt>
References: <3e35befb-dcd2-9381-020a-6e12f64e61d8@inov.pt>
Message-ID:

Hi,

try to check fine grain permissions http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

Fri, 2 Mar 2018 at 14:22, José Miguel Gonçalves:

> Hi,
>
> How can I add permissions to all users (or a group of users) on a newly
> created Realm to be able to access the list of users for that Realm?
>
> Out of the box, if I perform:
>
> GET /admin/realms/{realm}/users
>
> I get a 403 Forbidden.
>
> Best regards,
> José Gonçalves
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Fri Mar 2 14:38:16 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 02 Mar 2018 19:38:16 +0000
Subject: [keycloak-user] STOP KEYCLOAK SERVER IN DOCKER CONTAINER
In-Reply-To:
References:
Message-ID:

This is the nature of docker containers: it is running while the main process is working inside the container. If you stop wildfly, the container stops too.

Fri, 2 Mar 2018 at
22:31, hmidi slim:

> When I tried to stop the server using ./bin/jboss-cli.sh shutdown, I got
> this message:
>
> *[disconnected /] command terminated with exit code 137*
>
> And I'm redirected out of the container. Anyone knows how to shutdown the
> server in docker without exiting the container?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From betalb at gmail.com Fri Mar 2 14:40:32 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 02 Mar 2018 19:40:32 +0000
Subject: [keycloak-user] Stop keycloak server
In-Reply-To:
References:
Message-ID:

Hi,

You need to stop the container with docker stop. After that you can export its contents using https://docs.docker.com/engine/reference/commandline/export/

Fri, 2 Mar 2018 at 21:52, hmidi slim:

> Hi,
> I'm looking for an option or a method to stop a running keycloak server in
> docker to make the export of files. Is there any argument to pass to the
> standalone.sh to stop the server?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From hmidi.slim2 at gmail.com Fri Mar 2 17:39:27 2018
From: hmidi.slim2 at gmail.com (slimhs)
Date: Fri, 2 Mar 2018 15:39:27 -0700 (MST)
Subject: [keycloak-user] How to stop the keycloak server from standalone sh
In-Reply-To: <583EC84A.4040004@redhat.com>
References: <608772ee-ef7a-d363-523f-831ca305e905@tesicnor.com> <583DC254.7050303@redhat.com> <8n3uajkjh8hh2feqo6b2rn4h.1480448567185@email.android.com> <583EC84A.4040004@redhat.com>
Message-ID: <1520030367739-0.post@n6.nabble.com>

I don't think that reload will solve the problem; even the shutdown does not fix the problem.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From hmidi.slim2 at gmail.com Fri Mar 2 17:57:25 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Fri, 2 Mar 2018 23:57:25 +0100
Subject: [keycloak-user] how to make export with standalone.xml
Message-ID:

Due to the lack of documentation and resources to make a realm export into a docker container and after hours of search on the net without getting any solution, I found a similar question:
*http://keycloak-user.88327.x6.nabble.com/keycloak-user-How-to-stop-the-keycloak-server-from-standalone-sh-td1677.html#a1682*
Is there any link or example to make the export with some config of standalone.xml?

From saeid3 at gmail.com Sun Mar 4 04:09:21 2018
From: saeid3 at gmail.com (Saeid Moradi)
Date: Sun, 4 Mar 2018 12:39:21 +0330
Subject: [keycloak-user] Microsoft social identity provider returns id_token while access_token is expected
In-Reply-To:
References:
Message-ID:

I found what was wrong:
Google Identity provider works fine with "Default Scopes" = openid profile email
While Microsoft identity provider works as expected when "Default Scopes" is empty.

Thanks for creating Keycloak.

--
Sid

On Sun, Dec 10, 2017 at 11:33 AM, Sid 0 wrote:

> I am using keycloak 3.4.1.Final (deployed by docker). Diving into the
> issue, here are the logs:
>
> WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory]
> (default task-7) Truststore is disabled
>
> ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
> task-7) Failed to make identity provider oauth callback:
> org.keycloak.broker.provider.IdentityBrokerException: No access token
> available in OAuth server response: {"id_token":"eyJ0eXAiOi..."}
>
> at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.
> getFederatedIdentity(AbstractOAuth2IdentityProvider.java:279)
>
> at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$
> Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
>
>
> Note: with my current setup I don't have any issue with Google identity
> provider.
>
> Please let me know if more information is needed for solving this issue,
> thanks.
>
> --
>
> Sid
>
>

From ntle at castortech.com Sun Mar 4 11:09:43 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Sun, 4 Mar 2018 11:09:43 -0500
Subject: [keycloak-user] How to get permission to all child resources
Message-ID:

Hello,

We are new to Keycloak and we are exploring its abilities for securing our web api. One thing we are trying to do is to get all permissions associated with a user for all child resources in a RPT. For example, let's say I'm trying to expose the folder Document on my file system to the network via REST. This Document folder may have millions of files and subfolders, most of them are accessible by all Users, some are only available to Admin, and some are for Customers only.

On Keycloak server, I would define 3 resources named:
"All Docs" with URL /Document/* and Role policy granting access to all Users
"For Admin" with URL /Document/Administration/* and Role policy granting access to only Admins
"For Customer" with URL /Document/Products/* and Role policy granting access to only Customers

If I use the entitlement API, I can ask if Sarah who is a Users and a Customers can access "All Docs". However, if Sarah wants to know/list all files under /Document/Administration/Contracts/Sarah/* then how should I ask the entitlement API since this URL is not declared as a resource in Keycloak? If I can call the API for this path, I would like to receive from the API some permissions info starting from /Document/Administration because this is the closest ancestor known to Keycloak regarding the path being asked.

Hope to get some insight soon

Thai
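Thai's question above asks how an application can get a permission decision for a path such as /Document/Administration/Contracts/Sarah/* that is not itself a declared resource; Pedro's reply further down the thread points out that Keycloak does no parent/child mapping and suggests the application ask for the closest declared ancestor instead. The following is an added example (not Keycloak's code and not the poster's) of that application-side step: it takes the three resource definitions from the message, canonicalises the requested path, and returns the name of the most specific declared resource that covers it, which is the resource_set_name to put in the entitlement request. It assumes the web framework has already percent-decoded the path, and it does not make the entitlement request itself.

```javascript
// Added example, not Keycloak's or the poster's code: map an arbitrary
// request path to the closest resource the authorization server knows
// about, so the application can ask the entitlement API for that resource
// name instead of for a path Keycloak has never heard of.

// Resource definitions as given in the message above (constructed sample;
// Keycloak URI patterns of the form "/prefix/*").
const RESOURCES = [
  { name: 'All Docs',     uri: '/Document/*' },
  { name: 'For Admin',    uri: '/Document/Administration/*' },
  { name: 'For Customer', uri: '/Document/Products/*' },
];

// Canonicalise the path before matching: drop empty and "." segments and
// resolve "..", so "/Document/Products/../Administration/x" is matched as
// the Administration path it really is. Assumes the web framework has
// already percent-decoded the path (it must, before any authorization check).
function normalizePath(requested) {
  const segments = [];
  for (const seg of String(requested).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// "/Document/Administration/*" -> "/Document/Administration"
function prefixOf(uri) {
  return uri.endsWith('/*') ? uri.slice(0, -2) : uri;
}

// Prefix match on whole path segments only: "/Document" must not cover
// "/Documentation/secret".
function covers(prefix, normalizedPath) {
  return normalizedPath === prefix || normalizedPath.startsWith(prefix + '/');
}

// Returns the name of the most specific (longest-prefix) declared resource
// that covers the path, or null when none does. The caller should treat
// null as "deny" rather than fall back to a broader resource.
function closestResource(requested, resources = RESOURCES) {
  const p = normalizePath(requested);
  let best = null;
  let bestLen = -1;
  for (const r of resources) {
    const prefix = prefixOf(r.uri);
    if (covers(prefix, p) && prefix.length > bestLen) {
      best = r.name;
      bestLen = prefix.length;
    }
  }
  return best;
}

// Group a list of paths (for example a directory listing) by the resource
// to ask about, so one entitlement request per resource name is enough
// instead of one request per file.
function groupByResource(paths, resources = RESOURCES) {
  const groups = {};
  for (const path of paths) {
    const key = closestResource(path, resources) || 'DENY';
    (groups[key] = groups[key] || []).push(normalizePath(path));
  }
  return groups;
}

module.exports = { normalizePath, closestResource, groupByResource };
```

Because the longest matching prefix wins, anything under /Document/Administration is attributed to "For Admin" even though "All Docs" also covers it, so the broader Users-only policy cannot be used to reach administrative files; and a path that escapes every declared prefix (for example via "..") maps to nothing, which the caller must treat as a denial.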
From rudolf.jurisic at degordian.com Sun Mar 4 15:53:23 2018
From: rudolf.jurisic at degordian.com (Rudolf Jurišić)
Date: Sun, 4 Mar 2018 21:53:23 +0100
Subject: [keycloak-user] Client side token verification
Message-ID:

Can the verification of the jwt token be done on the client side, assuming the client has the (same) secret that the server uses to sign the tokens? Is this a good idea? Or is it necessary to ask the server?

My components:
1. Web app - resource consumer
2. Resource server - Keycloak registered client, REST API, bearer-only
3. Keycloak - authorization server

Thanks

From nielsbne at gmail.com Sun Mar 4 23:20:09 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 5 Mar 2018 14:20:09 +1000
Subject: [keycloak-user] Delete large realm fails with timeout
Message-ID:

Is there a database script that we can run to delete a keycloak realm with a large volume of synchronised users? We have a realm with a "few" users synced from LDAP in our RH-SSO 7.0 / Keycloak 1.9.8 installation and trying to delete the realm via the console fails with a timeout.
Cheers
Niels

From subodhcjoshi82 at gmail.com Mon Mar 5 06:53:25 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Mon, 5 Mar 2018 17:23:25 +0530
Subject: [keycloak-user] Is User Role Mappings possible by admin-cli
Message-ID:

I have a client role like this

kcadm.sh create clients/590c3a24-gf46-4ce2-9589-6d2d166d1a8d/roles -r T0_Realm -s name=user -s 'description=user can access the portal'

Now I want to map this newly created role [user] via user role mapping. What will the admin-cli command be? Though in the UI it's possible:
http://www.keycloak.org/docs/3.3/server_admin/topics/roles/user-role-mappings.html

--
Subodh Chandra Joshi
http://www.questioninmind.com

From hmidi.slim2 at gmail.com Mon Mar 5 06:54:17 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Mon, 5 Mar 2018 12:54:17 +0100
Subject: [keycloak-user] stop keycloak server
Message-ID:

Hi,
I'm trying to stop a server using this command:

*./bin/standalone.sh && ./bin/jboss-cli.sh -c --commands=shutdown*

The server was launched and it was not stopped. Is it not possible to execute these two instructions sequentially?
From subodhcjoshi82 at gmail.com Mon Mar 5 07:05:20 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Mon, 5 Mar 2018 17:35:20 +0530
Subject: [keycloak-user] Is User Role Mappings possible by admin-cli
In-Reply-To:
References:
Message-ID:

Ok I found it and here is the command

/opt/keycloak/bin/kcadm.sh add-roles -r --uusername --cclientid --rolename

On Mon, Mar 5, 2018 at 5:23 PM, Subodh Joshi wrote:

>
> I have a client role like this
> kcadm.sh create clients/590c3a24-gf46-4ce2-9589-6d2d166d1a8d/roles -r
> T0_Realm -s name=user -s 'description=user can access the portal'
>
> Now I want to map this newly created role [user] via user role mapping. What
> will the admin-cli command be? Though in the UI it's possible:
>
> http://www.keycloak.org/docs/3.3/server_admin/topics/roles/user-role-mappings.html
>
> --
> Subodh Chandra Joshi
>
> http://www.questioninmind.com
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From psilva at redhat.com Mon Mar 5 07:20:24 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 5 Mar 2018 09:20:24 -0300
Subject: [keycloak-user] How to get permission to all child resources
In-Reply-To:
References:
Message-ID:

Hey,

In your application you could perform some logic that asks permissions for the resource with URI "/Document/Administration". Right now Keycloak does not perform any parent/child mapping between resources on the server side.

Would that work for you?

Regards.
Pedro Igor

On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le wrote:

> Hello,
>
> We are new to Keycloak and we are exploring its abilities for securing our
> web api. One thing we are trying to do is to get all permissions
> associated with a user for all child resources in a RPT. For example, let's
> say I'm trying to expose the folder Document on my file system to the
> network via REST.
> This Document folder may have millions of files and
> subfolders, most of them are accessible by all Users, some are only
> available to Admin, and some are for Customers only.
>
> On Keycloak server, I would define 3 resources named:
> "All Docs" with URL /Document/* and Role policy granting access to all
> Users
> "For Admin" with URL /Document/Administration/* and Role policy granting
> access to only Admins
> "For Customer" with URL /Document/Products/* and Role policy granting
> access to only Customers
>
> If I use the entitlement API, I can ask if Sarah who is a Users and a
> Customers can access "All Docs". However, if Sarah wants to know/list all
> files under /Document/Administration/Contracts/Sarah/* then how should I
> ask the entitlement API since this URL is not declared as a resource in
> Keycloak? If I can call the API for this path, I would like to receive from
> the API some permissions info starting from /Document/Administration
> because this is the closest ancestor known to Keycloak regarding the path
> being asked.
>
> Hope to get some insight soon
>
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vrinda.nayak at j4care.com Mon Mar 5 07:28:02 2018
From: vrinda.nayak at j4care.com (vrinda nayak)
Date: Mon, 5 Mar 2018 13:28:02 +0100
Subject: [keycloak-user] User Role(s) in Event
Message-ID:

Hello All,

For our dcm4che archive, we use Keycloak as an Authentication layer. We have built a custom Dcm4cheEventListenerProvider which implements Keycloak's EventListenerProvider to listen to the LOGIN and LOGOUT events.

The Event class does not have the roles of a user in the details. Based on the role(s) of a user, we have to emit specific audit messages.

Can someone please advise how we can extract the role(s) of a user when events are being listened to?

Thanks in advance.
Best Regards
Vrinda Nayak

From Maickel.Hagemann at topicus.nl Mon Mar 5 09:04:48 2018
From: Maickel.Hagemann at topicus.nl (Maickel Hagemann)
Date: Mon, 5 Mar 2018 14:04:48 +0000
Subject: [keycloak-user] Keycloak client hangs after creating 9 users
Message-ID: <05E348922DCC404F855ABDA25E6FA66073F9C39F@EXCH-MBX04.topicus.local>

Hi all,

I'm having some trouble with creating users, using the Keycloak Admin REST API in Java. I'm trying to create a few dozen users in Keycloak and I want to send each user an email to notify them to update their passwords in a for-loop. But every time, after creating a user and sending an email for 9 users, the Keycloak client hangs indefinitely when it's trying to send an email for the 10th user. I'm running Keycloak in a docker container with PostgreSQL and MailHog.

Do any of you have any ideas?

Regards,
Maickel

From ntle at castortech.com Mon Mar 5 09:51:36 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 5 Mar 2018 09:51:36 -0500
Subject: [keycloak-user] How to get permission to all child resources
In-Reply-To:
References:
Message-ID:

Thanks for the suggestion but the application which uses the REST API protected by Keycloak will not know all the resources I defined on keycloak to start asking permission for the closest ancestor known to Keycloak (/Document/Administration) when it needs to know permissions for all files/folders under /Document/Administration/Contracts/Sarah/*. When testing Keycloak, we know that if Sarah tried to access a specific child resource (/Dcoument/Administration/Contacts/Sarah/inventory.pdf) from the browser then she got access denied although this specific resource is not defined in Keycloak. Can we use any API to get this result? The Entitlement API only allows me to ask permission for a specific resource_set_name, not a path.
If i can do this then i may be able loop through all the files within /Dcoument/Administration/Contacts/Sarah/* to get permission, although it gonna be a huge performance issue. Thai On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva wrote: > Hey, > > In your application you could perform some logic that asks permissions for > the resource with URI "/Document/Administration". Right now Keycloak does > not perform any parent/child mapping between resources on the server side. > > Would that work for you ? > > Regards. > Pedro Igor > > On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le wrote: > >> Hello, >> >> We are new to Keycloak and we are exploring its abilities for securing our >> web api. One things we are trying to do is to get all permissions >> associated with a user for all child resources in a RPT. For example, >> let's >> say I'm trying to expose the folder Document on my file system to the >> network via REST. This Document folder may have millions of files and >> subfolders, most of them are accessible by all Users, some are only >> available to Admin, and some are for Customers only. >> >> On Keycloak server, i would define 3 resources named: >> "All Docs" with URL /Document/* and Role policy granting access to all >> Users >> "For Admin" with URL /Document/Administration/* and Role policy granting >> access to only Admins >> "For Customer" with URL /Document/Products/* and Role policy granting >> access to only Customers >> >> If i use the entitlement API, i can ask if Sarah who is a Users and a >> Customers can access "All Docs". However, if Sarah want to know/list all >> files under /Document/Administration/Contracts/Sarah/* then how should i >> ask entitlement API since this URL is not declared as a resource in >> Keycloak? If i can call the API for this path, I would like to receive >> from >> the API some permissions info starting from /Document/Administration >> because this is the closest ancestor known to Keycloak regarding the path >> being asked. 
>> >> Hope to get some insight soon >> >> Thai >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Castor Technologies Inc 460 rue St-Catherine St Ouest, Suite 613 Montréal, Québec H3B-1A7 (514) 360-7208 o (514) 798-2044 f ntle at castortech.com www.castortech.com CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you. CONFIDENTIALITY NOTICE (French version, translated): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby advised that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you. From cedric.thiebault at sensefly.com Mon Mar 5 10:25:21 2018 From: cedric.thiebault at sensefly.com (Cedric Thiebault) Date: Mon, 5 Mar 2018 15:25:21 +0000 Subject: [keycloak-user] Spring Boot with multiple Keycloak instances In-Reply-To: References: , Message-ID: Thanks Sebastien! Multi-tenancy config implies that secured resources have different paths depending on which keycloak should be used. But let's imagine I have a user-service (bearer-only) with secured resource /users/{user-id}.
This resource is used by: - internal apps (user is authenticated by keycloak for employee) - customer portal (user is authenticated by keycloak for customers) I don't see how I can configure user-service to iterate over available Keycloak... Should I duplicate authentication filters in org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter#configure .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class) .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class) .addFilterBefore(keycloakAuthenticatedActionsFilter(), BasicAuthenticationFilter.class) .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class) I hope I'm clear enough :-/ Thanks for your help! Cedric ________________________________ From: Sebastien Blanc Sent: Friday, March 2, 2018 9:48:57 AM To: Cedric Thiebault Cc: keycloak-user Subject: Re: [keycloak-user] Spring Boot with multiple Keycloak instances Hi Cedric, You mention "keycloak.json" so I assume you are using the Spring Security Adapter ? If this is the case we don't' have an out of the box solution but you can solve it by implementing your own KeycloakConfigResolver , take a look here http://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy then in your Spring Boot app declare a bean to point to the new config resolver like : @Bean public KeycloakConfigResolver KeycloakConfigResolver() { return new MyCustomConfigResolver(); } If you are using Spring Boot adapter "standalone" with the config in the properties file, then we don't support multitenancy yet but we are working on a solution. On Fri, Mar 2, 2018 at 9:25 AM, Cedric Thiebault > wrote: Hello, We are developing a REST API (Spring Boot micro-services) secured by Keycloak. 
We would like to use 2 different Keycloak instances: - one for employees linked to our Active Directory - one for our customers The idea is to isolate environments to reduce the impact on customer side when modifying internal services... Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks guys!). But I don't see in documentation how to use 2 Keycloak instances as we always refer to a single keycloak.json. Is securing a Spring Boot app with 2 different Keycloak instances possible? Thanks for your help! Cedric _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Mon Mar 5 10:49:56 2018 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 5 Mar 2018 16:49:56 +0100 Subject: [keycloak-user] Spring Boot with multiple Keycloak instances In-Reply-To: References: Message-ID: On Mon, Mar 5, 2018 at 4:25 PM, Cedric Thiebault < cedric.thiebault at sensefly.com> wrote: > Thanks Sebastien! > > > Multi-tenancy config implies that secured resources have different paths > depending on which keycloak should be used. > That particular example just uses the path as discriminator but you can use anything to pickup the right config file. Imagine a custom header that the clients add to the request :

    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // null-safe comparison: a request without the header falls back to the employee config
        if ("customer".equals(request.getHeader("my-custom-header"))) {
            return deploymentFor("customer", "/customer-keycloak.json");
        }
        return deploymentFor("employee", "/employee-keycloak.json");
    }

    // build each deployment once and reuse it; the cache is keyed by tenant name
    private KeycloakDeployment deploymentFor(String tenant, String configFile) {
        KeycloakDeployment deployment = cache.get(tenant);
        if (null == deployment) {
            InputStream is = getClass().getResourceAsStream(configFile);
            deployment = KeycloakDeploymentBuilder.build(is);
            cache.put(tenant, deployment);
        }
        return deployment;
    }

> But let's imagine I have a user-service (bearer-only) with secured > resource */users/{user-id}*.
> > This resource is used by: > > - internal apps (user is authenticated by keycloak for employee) > > - customer portal (user is authenticated by keycloak for customers) > > > I don't see how I can configure user-service to iterate over available > Keycloak... > > > Should I duplicate authentication filters in org.keycloak.adapters. > springsecurity.config.KeycloakWebSecurityConfigurerAdapter#configure > > .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class) > .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class) > .addFilterBefore(keycloakAuthenticatedActionsFilter(), BasicAuthenticationFilter.class) > .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class) > > > Not sure I understand what you to achieve here. > I hope I'm clear enough :-/ > > > Thanks for your help! > > > Cedric > > > ------------------------------ > *From:* Sebastien Blanc > *Sent:* Friday, March 2, 2018 9:48:57 AM > *To:* Cedric Thiebault > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Spring Boot with multiple Keycloak > instances > > Hi Cedric, > > You mention "keycloak.json" so I assume you are using the Spring Security > Adapter ? If this is the case we don't' have an out of the box solution but > you can solve it by implementing your own KeycloakConfigResolver , take a > look here http://www.keycloak.org/docs/latest/securing_apps/index. > html#_multi_tenancy then in your Spring Boot app declare a bean to point > to the new config resolver like : > > @Bean > public KeycloakConfigResolver KeycloakConfigResolver() { > return new MyCustomConfigResolver(); > } > > If you are using Spring Boot adapter "standalone" with the config in the > properties file, then we don't support multitenancy yet but we are working > on a solution. 
> > On Fri, Mar 2, 2018 at 9:25 AM, Cedric Thiebault < > cedric.thiebault at sensefly.com> wrote: > > Hello, > > We are developing a REST API (Spring Boot micro-services) secured by > Keycloak. > > We would like to use 2 different Keycloak instances: > - one for employees linked to our Active Directory > - one for our customers > The idea is to isolate environments to reduce the impact on customer side > when modifying internal services... > > Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks > guys!). But I don't see in documentation how to use 2 Keycloak instances as we > always refer to a single keycloak.json. > > Is securing a Spring Boot app with 2 different Keycloak instances possible? > > Thanks for your help! > > Cedric > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From psilva at redhat.com Mon Mar 5 11:42:48 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 5 Mar 2018 13:42:48 -0300 Subject: [keycloak-user] How to get permission to all child resources In-Reply-To: References: Message-ID: There is no way to ask permissions based on paths. Currently, all the logic that maps URIs/paths to protected resources in Keycloak is within the policy enforcers (adapters). One thing we might do is maybe have a similar logic on the server where we could resolve resources based on patterns, etc .... Something we need to think about .... That is an area we are looking to improve though. We are working on some improvements in order to offer better support for RESTful security. Things like what you are asking is what we are looking for. Could you create an issue in JIRA describing your requirements so we can include them in our roadmap ? Thanks.
Pedro Igor On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le wrote: > ?thanks for the suggestion but the application which uses the REST API > protected by Keycloak will not know all the resources i defined on keycloak > to start asking permission for the closest ancestor known to Keycloak > (/Document/Administration) when it needs to know permissions for all > files/folders under /Document/Administration/Contracts/Sarah/*. > > When testing Keycloak, we know that if Sarah tried to access a specific > child resource (/Dcoument/Administration/Contacts/Sarah/inventory.pdf) > from the browser then she got access denied although this specific resource > is not defined in Keycloak. Can we use any API to get this result? The > Entitlement API only allow me to ask permission for a specific > resource_set_name, not a path. If i can do this then i may be able loop > through all the files within /Dcoument/Administration/Contacts/Sarah/* > to get permission, although it gonna be a huge performance issue. > > Thai > > On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva > wrote: > >> Hey, >> >> In your application you could perform some logic that asks permissions >> for the resource with URI "/Document/Administration". Right now Keycloak >> does not perform any parent/child mapping between resources on the server >> side. >> >> Would that work for you ? >> >> Regards. >> Pedro Igor >> >> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le wrote: >> >>> Hello, >>> >>> We are new to Keycloak and we are exploring its abilities for securing >>> our >>> web api. One things we are trying to do is to get all permissions >>> associated with a user for all child resources in a RPT. For example, >>> let's >>> say I'm trying to expose the folder Document on my file system to the >>> network via REST. This Document folder may have millions of files and >>> subfolders, most of them are accessible by all Users, some are only >>> available to Admin, and some are for Customers only. 
>>> >>> On Keycloak server, i would define 3 resources named: >>> "All Docs" with URL /Document/* and Role policy granting access to all >>> Users >>> "For Admin" with URL /Document/Administration/* and Role policy granting >>> access to only Admins >>> "For Customer" with URL /Document/Products/* and Role policy granting >>> access to only Customers >>> >>> If i use the entitlement API, i can ask if Sarah who is a Users and a >>> Customers can access "All Docs". However, if Sarah want to know/list all >>> files under /Document/Administration/Contracts/Sarah/* then how should i >>> ask entitlement API since this URL is not declared as a resource in >>> Keycloak? If i can call the API for this path, I would like to receive >>> from >>> the API some permissions info starting from /Document/Administration >>> because this is the closest ancestor known to Keycloak regarding the path >>> being asked. >>> >>> Hope to get some insight soon >>> >>> Thai >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > >
From ssilvert at redhat.com Mon Mar 5 11:53:56 2018 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 5 Mar 2018 11:53:56 -0500 Subject: [keycloak-user] how to make export with standalone.xml In-Reply-To: References: Message-ID: I tried to explain how to do it in the post you cited. Are you asking how to set the System (-D) properties in standalone.xml? This should help: https://developer.jboss.org/wiki/JBossAS7SystemProperties If you can't edit manually, you can use jboss-cli.sh to set system properties that will trigger the export on startup. For instance, from jboss-cli you can issue a command like this: /system-property=keycloak.migration.action/:add(value=export) Stan On 3/2/2018 5:57 PM, hmidi slim wrote: > Due to the lack of documentation and resources to make a realm export into > a docker container and after hours of search on the net without getting any > solution, I found a similar question : > * > http://keycloak-user.88327.x6.nabble.com/keycloak-user-How-to-stop-the-keycloak-server-from-standalone-sh-td1677.html#a1682 > * > > Is there any link or example to make the export with some config of > standalone.xml?
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ntle at castortech.com Mon Mar 5 13:43:34 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Mon, 5 Mar 2018 13:43:34 -0500 Subject: [keycloak-user] How to get permission to all child resources In-Reply-To: References: Message-ID: Is it possible to customize the adapter to return all resource mapped permission ? I know keycloak is opensource so we can customize it but i need a general guideline where to put my change. Thanks Thai ---------- Forwarded message ---------- From: Pedro Igor Silva Date: Mon, Mar 5, 2018 at 11:42 AM Subject: Re: [keycloak-user] How to get permission to all child resources To: Nhut Thai Le Cc: keycloak-user There is no way to ask permissions based on paths. Currently, all the logic that maps URIs/paths to protected resources in Keycloak is is within the policy enforcers (adapters). One thing we might do is maybe have a similar logic on the server where we could resolve resources based on patterns, etc .... Something we need to think about .... That is an area we are looking to improve though. We are working on some improvements in order to offer better support for RESTful security. Things like what you are asking is what we are looking for. Could you create an issue in JIRA describing your requirements so we can include them in our roadmap ? Thanks. Pedro Igor On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le wrote: > ?thanks for the suggestion but the application which uses the REST API > protected by Keycloak will not know all the resources i defined on keycloak > to start asking permission for the closest ancestor known to Keycloak > (/Document/Administration) when it needs to know permissions for all > files/folders under /Document/Administration/Contracts/Sarah/*. 
> > When testing Keycloak, we know that if Sarah tried to access a specific > child resource (/Dcoument/Administration/Contacts/Sarah/inventory.pdf) > from the browser then she got access denied although this specific resource > is not defined in Keycloak. Can we use any API to get this result? The > Entitlement API only allow me to ask permission for a specific > resource_set_name, not a path. If i can do this then i may be able loop > through all the files within /Dcoument/Administration/Contacts/Sarah/* > to get permission, although it gonna be a huge performance issue. > > Thai > > On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva > wrote: > >> Hey, >> >> In your application you could perform some logic that asks permissions >> for the resource with URI "/Document/Administration". Right now Keycloak >> does not perform any parent/child mapping between resources on the server >> side. >> >> Would that work for you ? >> >> Regards. >> Pedro Igor >> >> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le wrote: >> >>> Hello, >>> >>> We are new to Keycloak and we are exploring its abilities for securing >>> our >>> web api. One things we are trying to do is to get all permissions >>> associated with a user for all child resources in a RPT. For example, >>> let's >>> say I'm trying to expose the folder Document on my file system to the >>> network via REST. This Document folder may have millions of files and >>> subfolders, most of them are accessible by all Users, some are only >>> available to Admin, and some are for Customers only. 
>>> >>> On Keycloak server, i would define 3 resources named: >>> "All Docs" with URL /Document/* and Role policy granting access to all >>> Users >>> "For Admin" with URL /Document/Administration/* and Role policy granting >>> access to only Admins >>> "For Customer" with URL /Document/Products/* and Role policy granting >>> access to only Customers >>> >>> If i use the entitlement API, i can ask if Sarah who is a Users and a >>> Customers can access "All Docs". However, if Sarah want to know/list all >>> files under /Document/Administration/Contracts/Sarah/* then how should i >>> ask entitlement API since this URL is not declared as a resource in >>> Keycloak? If i can call the API for this path, I would like to receive >>> from >>> the API some permissions info starting from /Document/Administration >>> because this is the closest ancestor known to Keycloak regarding the path >>> being asked. >>> >>> Hope to get some insight soon >>> >>> Thai >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > >
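Pedro's suggestion above is that the application itself asks permissions for the closest registered ancestor of a requested path. The following is an added example (not code from this thread and not Keycloak's own enforcer code) of that client-side mapping. It assumes, as in the thread, that resources are registered with trailing "/*" URI patterns; the resource names and paths come from Thai's messages, while the class and method names (ClosestResourceResolver, register, resolve, normalize) are the example's own. The rule "longest matching prefix wins" is the example's choice, not a statement of how the policy enforcer is implemented. The path is normalised before matching so that ".." segments cannot make a request under the Admin-only tree resolve to the Customer resource, and a path that matches no registered resource is treated as denied rather than granted.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/**
 * Maps a requested path to the closest Keycloak resource registered with a
 * "/prefix/*" URI pattern. Added example; not Keycloak code. The resolved
 * resource name is what the application then asks the Entitlement API about
 * (its resource_set_name); a path matching nothing is denied.
 */
public class ClosestResourceResolver {

    /** A resource as registered on the Keycloak server: its name and its URI pattern. */
    public static final class ProtectedResource {
        public final String name;
        public final String pattern;

        ProtectedResource(String name, String pattern) {
            this.name = name;
            this.pattern = pattern;
        }

        /** The path prefix the pattern covers, i.e. the part before a trailing "/*". */
        String prefix() {
            return pattern.endsWith("/*") ? pattern.substring(0, pattern.length() - 2) : pattern;
        }

        boolean covers(String path) {
            if (!pattern.endsWith("/*")) {
                return path.equals(pattern);          // exact resource, no children
            }
            String p = prefix();
            return path.equals(p) || path.startsWith(p + "/");
        }
    }

    private final List<ProtectedResource> resources = new ArrayList<>();

    public ClosestResourceResolver register(String name, String pattern) {
        resources.add(new ProtectedResource(name, pattern));
        return this;
    }

    /**
     * Canonicalise before matching: "/Document/Products/../Administration/x" must be
     * compared as "/Document/Administration/x", otherwise a caller could make a path
     * under the Admin-only tree resolve to the Customer resource.
     */
    static String normalize(String requestedPath) {
        String path = URI.create(requestedPath).normalize().getPath();
        if (path == null || !path.startsWith("/") || path.startsWith("/..")) {
            return "/";   // not an absolute path, or climbs above the root: matches nothing
        }
        return path;
    }

    /** The registered resource whose prefix is the longest one covering the path, if any. */
    public Optional<ProtectedResource> resolve(String requestedPath) {
        String path = normalize(requestedPath);
        ProtectedResource best = null;
        for (ProtectedResource r : resources) {
            if (r.covers(path) && (best == null || r.prefix().length() > best.prefix().length())) {
                best = r;
            }
        }
        return Optional.ofNullable(best);
    }

    public static void main(String[] args) {
        // the three resources from the thread, registered by name and URI pattern
        ClosestResourceResolver resolver = new ClosestResourceResolver()
                .register("All Docs", "/Document/*")
                .register("For Admin", "/Document/Administration/*")
                .register("For Customer", "/Document/Products/*");

        // constructed sample requests; the comment states the expected resolution
        String[] requests = {
                "/Document/Administration/Contracts/Sarah/inventory.pdf", // For Admin
                "/Document/Products/../Administration/secret.pdf",        // For Admin (after normalisation)
                "/Document/Products/catalog.pdf",                         // For Customer
                "/Document/readme.txt",                                   // All Docs
                "/Other/file.txt"                                         // no resource: deny
        };
        for (String request : requests) {
            String decision = resolver.resolve(request)
                    .map(r -> "ask Entitlement API for resource \"" + r.name + "\"")
                    .orElse("no matching resource, deny");
            System.out.println(request + " -> " + decision);
        }
    }
}
```

With this in place, Sarah's request for inventory.pdf resolves to "For Admin", and the Entitlement API answers for that resource with the Admin-only role policy, which is the same denial the adapter produced in the browser test described above; the application never has to enumerate the files under /Document/Administration/Contracts/Sarah/* to learn that.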
From psilva at redhat.com Mon Mar 5 14:23:00 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 5 Mar 2018 16:23:00 -0300 Subject: [keycloak-user] How to get permission to all child resources In-Reply-To: References: Message-ID: Do you mean, return all permissions associated with a resource ? If so, yes you can do that through Keycloak Java Admin Client. See https://github.com/keycloak/keycloak/blob/3.4.3.Final/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java . On Mon, Mar 5, 2018 at 3:43 PM, Nhut Thai Le wrote: > Is it possible to customize the adapter to return all resource mapped > permission ? I know keycloak is opensource so we can customize it but i > need a general guideline where to put my change. > > Thanks > > Thai > ---------- Forwarded message ---------- > From: Pedro Igor Silva > Date: Mon, Mar 5, 2018 at 11:42 AM > Subject: Re: [keycloak-user] How to get permission to all child resources > To: Nhut Thai Le > Cc: keycloak-user > > > There is no way to ask permissions based on paths. Currently, all the > logic that maps URIs/paths to protected resources in Keycloak is is within > the policy enforcers (adapters). One thing we might do is maybe have a > similar logic on the server where we could resolve resources based on > patterns, etc .... Something we need to think about .... > > That is an area we are looking to improve though. We are working on some > improvements in order to offer better support for RESTful security. Things > like what you are asking is what we are looking for. > > Could you create an issue in JIRA describing your requirements so we can > include them in our roadmap ? > > Thanks. 
> Pedro Igor > > On Mon, Mar 5, 2018 at 11:51 AM, Nhut Thai Le wrote: > >> ?thanks for the suggestion but the application which uses the REST API >> protected by Keycloak will not know all the resources i defined on keycloak >> to start asking permission for the closest ancestor known to Keycloak >> (/Document/Administration) when it needs to know permissions for all >> files/folders under /Document/Administration/Contracts/Sarah/*. >> >> When testing Keycloak, we know that if Sarah tried to access a specific >> child resource (/Dcoument/Administration/Contacts/Sarah/inventory.pdf) >> from the browser then she got access denied although this specific resource >> is not defined in Keycloak. Can we use any API to get this result? The >> Entitlement API only allow me to ask permission for a specific >> resource_set_name, not a path. If i can do this then i may be able loop >> through all the files within /Dcoument/Administration/Contacts/Sarah/* >> to get permission, although it gonna be a huge performance issue. >> >> Thai >> >> On Mon, Mar 5, 2018 at 7:20 AM, Pedro Igor Silva >> wrote: >> >>> Hey, >>> >>> In your application you could perform some logic that asks permissions >>> for the resource with URI "/Document/Administration". Right now Keycloak >>> does not perform any parent/child mapping between resources on the server >>> side. >>> >>> Would that work for you ? >>> >>> Regards. >>> Pedro Igor >>> >>> On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le >>> wrote: >>> >>>> Hello, >>>> >>>> We are new to Keycloak and we are exploring its abilities for securing >>>> our >>>> web api. One things we are trying to do is to get all permissions >>>> associated with a user for all child resources in a RPT. For example, >>>> let's >>>> say I'm trying to expose the folder Document on my file system to the >>>> network via REST. 
This Document folder may have millions of files and >>>> subfolders, most of them are accessible by all Users, some are only >>>> available to Admin, and some are for Customers only. >>>> >>>> On Keycloak server, i would define 3 resources named: >>>> "All Docs" with URL /Document/* and Role policy granting access to all >>>> Users >>>> "For Admin" with URL /Document/Administration/* and Role policy granting >>>> access to only Admins >>>> "For Customer" with URL /Document/Products/* and Role policy granting >>>> access to only Customers >>>> >>>> If i use the entitlement API, i can ask if Sarah who is a Users and a >>>> Customers can access "All Docs". However, if Sarah want to know/list all >>>> files under /Document/Administration/Contracts/Sarah/* then how should >>>> i >>>> ask entitlement API since this URL is not declared as a resource in >>>> Keycloak? If i can call the API for this path, I would like to receive >>>> from >>>> the API some permissions info starting from /Document/Administration >>>> because this is the closest ancestor known to Keycloak regarding the >>>> path >>>> being asked. >>>> >>>> Hope to get some insight soon >>>> >>>> Thai >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >> >>
From lholmqui at redhat.com Mon Mar 5 21:25:43 2018 From: lholmqui at redhat.com (Luke Holmquist) Date: Mon, 5 Mar 2018 21:25:43 -0500 Subject: [keycloak-user] Question on Node.js adapter - Wrong response code when not logged in, maybe Message-ID: Hi, given this example application https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1 endpoint "/api/greeting", it is protected with the basic keycloak-connect setup. https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/app.js#L49 If we run this locally, with "npm start", and just curl that endpoint, "curl http://localhost:3000/api/greeting" it will return with a 403. There was an issue raised that it should be a 401, https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 The way this comment makes it sound, https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L232 is that the 403 is correct. If we look at the complementary vert.x and swarm examples, https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster and https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured a similar curl will result in a 401 when not logged in. I'm just wondering if that 403 the node adapter is correct and if so, why does it differ from the other runtimes? -Luke From mposolda at redhat.com Mon Mar 5 23:18:17 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Mar 2018 05:18:17 +0100 Subject: [keycloak-user] User Role(s) in Event In-Reply-To: References: Message-ID: <57a675e1-04ba-d6d6-3f19-226a2b33c270@redhat.com> You may lookup user (UserModel) by ID and then retrieve role mappings from it with user.getRoleMappings() .
Marek On 05/03/18 13:28, vrinda nayak wrote: > Hello All, > > For our dcm4che archive, we use Keycloak as an Authentication layer. We > have built a custom Dcm4cheEventListenerProvider which implements > Keycloak's EventListenerProvider to listen to the LOGIN and LOGOUT events. > The Event class does not have roles of a user in the details. Based on > role(s) of a user, we have to emit specific audit messages. > > Can someone please advise how we can extract the role(s) of a user when > events are being listened to? > > Thanks in advance. > > Best Regards > Vrinda Nayak > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From cav at uniscope.jp Mon Mar 5 23:19:49 2018 From: cav at uniscope.jp (Carlos Villegas) Date: Tue, 6 Mar 2018 13:19:49 +0900 (JST) Subject: [keycloak-user] Login UI locale reverting to browser's on wrong user/password Message-ID: <165863238.169.1520309990071@xchange.uniscope.jp> Hi, I'm using the docker image version 3.4.0.Final. I've set up a realm and enabled internationalization, set default locale to English. I'm using the Javascript adapter and I set the locale I want in the login options. I have a custom theme where I've hidden Keycloak's login screen Locale selection menu. I'm sending the locale using the login options of the login call of the Javascript adapter. The keycloak login screen comes up in the correct locale I requested in the login options. However, if I put the wrong password and submit, the next error screen comes in what it seems is the web browser's default language. For example, in an English Windows 10 installation using Chrome which is in English, I request Japanese locale. The Keycloak login screen comes correctly in Japanese, but if I enter the wrong password, next error screen requesting to reenter login info is in English, all labels and error messages in English.
It seems Keycloak's forgetting my locale option and using the browser's. Using the same server, from a Japanese Windows 10 machine, using Chrome in Japanese, the user requests English locale, it gets correctly the English login screen. Enters the wrong password, and the next error screen is in Japanese! Note that this is not even the default locale I've set up in Keycloak which is English. I see in the login URL sent from the client that the ui_locales parameter is properly set to the value I want, as I said the first login screen is in the correct locale I've requested. The problem is if there's any error, the screens with error messages don't have the correct locale. Any idea of what can be happening, and if by any chance this has been corrected in the latest version of Keycloak. I haven't had the chance to test the latest version yet. Cheers, Carlos From mposolda at redhat.com Mon Mar 5 23:21:14 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Mar 2018 05:21:14 +0100 Subject: [keycloak-user] Keycloak client hangs after creating 9 users In-Reply-To: <05E348922DCC404F855ABDA25E6FA66073F9C39F@EXCH-MBX04.topicus.local> References: <05E348922DCC404F855ABDA25E6FA66073F9C39F@EXCH-MBX04.topicus.local> Message-ID: <774d723e-2013-4653-fb6e-ee3ee039ee5c@redhat.com> Some admin client methods, and especially "create" methods, return Response (javax.ws.rs.core.Response) objects from it. I guess you may need to close those responses to ensure connection is cleared. Marek On 05/03/18 15:04, Maickel Hagemann wrote: > Hi all, > > I'm having some trouble with creating users, using the Keycloak Admin REST API in Java. > > I'm trying to create a few dozen users in Keycloak and I want to send each user an email to notify them to update their passwords in a for-loop. > But every time, after creating a user and sending an email for 9 users, the Keycloak client hangs indefinitely when it's trying to send an email for the 10th user.
> > I'm running Keycloak in a docker container with PostgreSQL and MailHog. > > Do any of you have any ideas? > > > Regards, > Maickel > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Mar 5 23:23:32 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Mar 2018 05:23:32 +0100 Subject: [keycloak-user] Delete large realm fails with timeout In-Reply-To: References: Message-ID: <5307f0f2-6226-0f7b-3dc1-f9b99049ca35@redhat.com> That's quite an old version. There are lots of changes and fixes in the meantime. Do you have a chance to upgrade to latest 3.4.3 and try with it? Marek On 05/03/18 05:20, Niels Bertram wrote: > Is there a database script that we can run to delete a keycloak realm with > large volume of synchronised users? We have a realm with a "few" users > synced from LDAP in our RH-SSO 7.0 / Keycloak 1.9.8 installation and trying > to delete the realm via the console fails with a timeout. Cheers Niels > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Mar 5 23:26:54 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Mar 2018 05:26:54 +0100 Subject: [keycloak-user] Login UI locale reverting to browser's on wrong user/password In-Reply-To: <165863238.169.1520309990071@xchange.uniscope.jp> References: <165863238.169.1520309990071@xchange.uniscope.jp> Message-ID: <1032f10e-6de2-71f3-2bcf-d9e304213bb7@redhat.com> On 06/03/18 05:19, Carlos Villegas wrote: > Hi, > > I'm using the docker image version 3.4.0.Final. I've set up a realm and enabled internationalization, set default locale to English. > > I'm using the Javascript adapter and I set the locale I want in the login options.
I have a custom theme where I've hidden Keycloak's login screen Locale selection menu. I'm sending the locale using the login options of the login call of the Javascript adapter. > > The keycloak login screen comes up in the correct locale I requested in the login options. However, if I put the wrong password and submit, the next error screen comes in what it seems is the web browser's default language. > > For example, in an English Windows 10 installation using Chrome which is in English, I request Japanese locale. The Keycloak login screen comes correctly in Japanese, but if I enter the wrong password, next error screen requesting to reenter login info is in English, all labels and error messages in English. It seems Keycloak's forgetting my locale option and using the browser's. > > Using the same server, from a Japanese Windows 10 machine, using Chrome in Japanese, the user requests English locale, it gets correctly the English login screen. Enters the wrong password, and the next error screen is in Japanese! Note that this is not even the default locale I've set up in Keycloak which is English. > > I see in the login URL sent from the client that the ui_locales parameter is properly set to the value I want, as I said the first login screen is in the correct locale I've requested. The problem is if there's any error, the screens with error messages don't have the correct locale. > > Any idea of what can be happening, and if by any chance this has been corrected in the latest version of Keycloak. I haven't had the chance to test the latest version yet. Yes, I would try to test with latest version. If it doesn't help, probably create JIRA with description of your use case.
Marek > > Cheers, > > Carlos > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Tue Mar 6 01:55:10 2018 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 6 Mar 2018 07:55:10 +0100 Subject: [keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe In-Reply-To: References: Message-ID: Hi Luke, Yes this looks like a bug, 403 should only be returned if you are already authorized but you don't have the needed role for instance. When you are not authenticated we should just return a 401. Could you open a ticket for us? Sebi On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist wrote: > Hi, > > given this example application > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1 > endpoint "/api/greeting", it is protected with the basic keycloak-connect > setup. > https://github.com/bucharest-gold/nodejs-rest-http-secured/ > blob/master/app.js#L49 > > > If we run this locally, with "npm start", and just curl that endpoint, > "curl http://localhost:3000/api/greeting" it will return with a 403. > > There was an issue raised that it should be a 401, > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 > > The way this comment makes it sound, > https://github.com/keycloak/keycloak-nodejs-connect/blob/ > master/index.js#L232 > is > that the 403 is correct > > > If we look at the complementary vert.x and swarm examples, > https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster > and > > https://github.com/wildfly-swarm-openshiftio-boosters/ > wfswarm-rest-http-secured > > > a similar curl will result in a 401 when not logged in.
> > > I'm just wondering if that 403 the node adapter is correct and if so, why > does it differ from the other runtimes > > > -Luke > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From Chris.Brandhorst at topicus.nl Tue Mar 6 03:48:28 2018 From: Chris.Brandhorst at topicus.nl (Chris Brandhorst) Date: Tue, 6 Mar 2018 08:48:28 +0000 Subject: [keycloak-user] Register new ProviderFactorys to Mappers References: <992DE96F-FE29-4B45-960D-BAA5189973A6@topicus.nl> Message-ID: <999773E2-8D9E-42EB-B36D-D582736B672D@topicus.nl> We have developed a customised OIDCIdentityProviderFactory and OIDCIdentityProvider because some IdP does not fully adhere to the standards. However, when using this Provider, the UserAttributeMapper (and other mappers) are not used because they have a fixed list of COMPATIBLE_PROVIDERS. We would suggest adding a registerCompatibleProvider to the IdentityProviderMapper in order to extend the usage of these mappers. Just checking before we take the effort of creating a nice PR: is this something you would see fly? If yes, would you suggest changing COMPATIBLE_PROVIDERS to a List or a List and subsequently changing the getCompatibleProviders() implementations? Thanks, Chris From pulgupta at redhat.com Tue Mar 6 04:12:55 2018 From: pulgupta at redhat.com (Pulkit Gupta) Date: Tue, 6 Mar 2018 14:42:55 +0530 Subject: [keycloak-user] Weird reload issue in Keycloak + OIDC integrated application Message-ID: Hi Team, We have integrated one of our Angular 1.X + REST based applications with RH-SSO 7.1. The application is working fine and we are able to make all the authorization and authentication functionality work. We are using the standard flow with auth and refresh token. However we are seeing an issue which we are not able to fix even after multiple hit and try.
It goes like this: When we open the application the adapter checks and redirects us for authentication. SSO works and we are redirected to the application and are logged in successfully. Everything works and now we are using the application. Suddenly after 5 mins the site reloads even if we are actively using the application. The reload works and now again we can use the application for any duration and it never reloads again by itself and we can work smoothly without any interruptions. Please let me know in case someone has seen such an issue or can suggest something which I can try. -- PULKIT GUPTA From pinguwien at gmail.com Tue Mar 6 04:59:39 2018 From: pinguwien at gmail.com (Dominik Guhr) Date: Tue, 6 Mar 2018 10:59:39 +0100 Subject: [keycloak-user] "Error! Realm with same name exists" when trying to change theme Message-ID: <2a9af80b-ad12-524d-acbe-2bb4e77393e7@gmail.com> Hi all, So I tried to create a new realm and use a theme used also in a different realm, but all I get is the error message "Error! Realm with same name exists" when trying to apply the theme (click on save). Logs are stating this: 2018-03-06 10:50:32,065 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-25) HHH000010: On release of batch it still contained JDBC statements 2018-03-06 10:51:38,652 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-50) SQL Error: 1400, SQLState: 23000 2018-03-06 10:51:38,653 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-50) ORA-01400: Insert NULL in ("MY_TEST"."REALM_SUPPORTED_LOCALES"."VALUE") not possible* Steps: - I created one realm called "MYREALM" and applied the login theme there without a problem (used kc standard for admin and so on). - Then I created the other one "MYREALM_DEV" and tried to apply the custom theme. - To check if it's depending on the theme, I tried to apply the base keycloak theme, same effect.
This workflow worked for another application perfectly with one theme for different realms. Seems very weird, as if the realm is created on db-level with same name as the old one instead of my given name. So, could anybody give me a hint why SQL fails here? Or point me to the relating DB tables please so I could investigate further myself? Thanks in advance! Best regards, Dominik *: freely translated from German database locale ;) From pinguwien at gmail.com Tue Mar 6 05:13:40 2018 From: pinguwien at gmail.com (Dominik Guhr) Date: Tue, 6 Mar 2018 11:13:40 +0100 Subject: [keycloak-user] "Error! Realm with same name exists" when trying to change theme In-Reply-To: <2a9af80b-ad12-524d-acbe-2bb4e77393e7@gmail.com> References: <2a9af80b-ad12-524d-acbe-2bb4e77393e7@gmail.com> Message-ID: Weird as is, after putting the internationalization for the realm on and off again, I could choose the themes right as before. Database driver is Oracle. There might be a bug somewhere in keycloak which leads to this behaviour, but for now I won't investigate further, sorry. On 06.03.18 at 10:59, Dominik Guhr wrote: > Hi all, > > So I tried to create a new realm and use a theme used also in a different > realm, but all I get is the error message "Error! Realm with same name > exists" when trying to apply the theme (click on save).
> > Logs are stating this: > > > 2018-03-06 10:50:32,065 INFO > [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default > task-25) HHH000010: On release of batch it still contained JDBC statements > 2018-03-06 10:51:38,652 WARN > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-50) SQL > Error: 1400, SQLState: 23000 > 2018-03-06 10:51:38,653 ERROR > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-50) > ORA-01400: Insert NULL in ("MY_TEST"."REALM_SUPPORTED_LOCALES"."VALUE") > not possible* > > Steps: > - I created one realm called "MYREALM" and applied the login theme there > without a problem (used kc standard for admin and so on). > > - Then I created the other one "MYREALM_DEV" and tried to apply the > custom theme. > - To check if it's depending on the theme, I tried to apply the base > keycloak theme, same effect. > > This workflow worked for another application perfectly with one theme > for different realms. > Seems very weird, as if the realm is created on db-level with same name > as the old one instead of my given name. > > So, could anybody give me a hint why SQL fails here? Or point me to the > relating DB tables please so I could investigate further myself? Thanks > in advance! > > Best regards, > Dominik > > > *: freely translated from German database locale ;) From Bjoern.Peemoeller at berenberg.de Tue Mar 6 07:42:54 2018 From: Bjoern.Peemoeller at berenberg.de (Peemöller, Björn) Date: Tue, 6 Mar 2018 12:42:54 +0000 Subject: [keycloak-user] How to set up CORS for Angular frontend and Spring Boot backend Message-ID: Hi, I'm struggling to set up our application with Keycloak. First, let me explain our setup: - We have an Angular 5 application as the frontend. - We have a Spring Boot application providing a REST API as our backend. - During build, the frontend is placed into the webapp folder, such that it is delivered as static content by the backend.
- The backend is secured using Keycloak. - The user is automatically authenticated using Kerberos. If I build the application and then request the frontend's index.html, then a redirect to /sso/login occurs, which redirects to Keycloak, which redirects back to the application, and authentication is successful. After that, calls to our backend API (for which the user must be authenticated and authorized) are also successful. During development, however, the frontend is served using webpack (angular-cli), and the backend is served individually. In this setup, the index.html can be loaded without authentication, and the frontend then starts to call the backend API. At first, the backend directly returned a 401 Unauthorized, and I figured out that this was raised at the KeycloakAuthenticationEntryPoint since the request was considered to be an API request. To work around this problem, I replaced the KeycloakAuthenticationEntryPoint by a subclass not checking for API requests. After that, the API request is now redirected to /sso/login, which then redirects to Keycloak. Since now the host has changed, the invoking browser has to perform a CORS request, and thus issued a CORS preflight request using the OPTIONS method, to which Keycloak answers with a 204 No Content without any CORS headers, such that the preflight fails, even though the Keycloak client has been configured to allow CORS requests. In consequence, the backend API cannot be reached. My questions now are: - Is there some configuration that we are missing to allow authentication during API requests? - The behavioral change of the KeycloakAuthenticationEntryPoint seems incorrect to me, as if I'm working against the intended design. Could you provide me some guidance on how to set up my frontend and backend? I can think of doing authentication directly in the frontend using the Keycloak JS library, but have found no indication that a REST API should not do (Kerberos) authentication itself.
Many thanks in advance, Björn Björn Peemöller IT & IT Operations BERENBERG Joh. Berenberg, Gossler & Co. KG Neuer Jungfernstieg 20 20354 Hamburg Phone +49 40 350 60-8548 Fax +49 40 350 60-900 E-Mail bjoern.peemoeller at berenberg.de www.berenberg.de Registered office: Hamburg - Hamburg District Court HRA 42659 This message, including any attachments, is confidential and may be subject to banking and data secrecy or otherwise contain legally protected data and information. If you are not the intended recipient or have received this message in error, please inform the sender immediately using the reply function. Please then delete this message, including any attachments, completely and without delay. Unauthorised copying or storing of this message and/or its attachments and the unauthorised disclosure of the data and information contained therein are not permitted. We point out that legally binding declarations on behalf of our house generally require the signatures of two sufficiently authorised representatives of our house. We therefore do not send legally binding declarations by e-mail to third parties. Accordingly, we also do not accept legally binding declarations or orders from third parties by e-mail. If you have difficulties opening this e-mail, please contact the sender or info at berenberg.de. Please refer to http://www.berenberg.de/my_berenberg/disclaimer_e.html for our confidentiality notice. From bruno at abstractj.org Tue Mar 6 08:07:25 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 06 Mar 2018 13:07:25 +0000 Subject: [keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe In-Reply-To: References: Message-ID: +1 please file a Jira for it.
On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc wrote: > Hi Luke, > > Yes this looks like a bug, 403 should only be returned if you are already > authorized but you don't have the needed role for instance. When you are > not authenticated we should just return a 401. > Could you open a ticket for us? > > Sebi > > > > On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist > wrote: > > > Hi, > > > > given this example application > > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1 > > endpoint "/api/greeting", it is protected with the basic keycloak-connect > > setup. > > https://github.com/bucharest-gold/nodejs-rest-http-secured/ > > blob/master/app.js#L49 > > > > > > If we run this locally, with "npm start", and just curl that endpoint, > > "curl http://localhost:3000/api/greeting" it will return with a 403. > > > > There was an issue raised that it should be a 401, > > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 > > > > The way this comment makes it sound, > > https://github.com/keycloak/keycloak-nodejs-connect/blob/ > > master/index.js#L232 > > is > > that the 403 is correct > > > > > > If we look at the complementary vert.x and swarm examples, > > https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster > > and > > > > https://github.com/wildfly-swarm-openshiftio-boosters/ > > wfswarm-rest-http-secured > > > > > > a similar curl will result in a 401 when not logged in.
> > > > > > I'm just wondering if that 403 the node adapter is correct and if so, why > > does it differ from the other runtimes > > > > > > -Luke > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From lholmqui at redhat.com Tue Mar 6 08:29:59 2018 From: lholmqui at redhat.com (Luke Holmquist) Date: Tue, 6 Mar 2018 08:29:59 -0500 Subject: [keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe In-Reply-To: References: Message-ID: Thanks guys!!, will do On Tue, Mar 6, 2018 at 8:07 AM, Bruno Oliveira wrote: > +1 please file a Jira for it. > > On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc wrote: > >> Hi Luke, >> >> Yes this looks like a bug, 403 should only be returned if you are already >> authorized but you don't have the needed role for instance. When you are >> not authenticated we should just return a 401. >> Could you open a ticket for us? >> >> Sebi >> >> >> >> On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist >> wrote: >> >> > Hi, >> > >> > given this example application >> > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1 >> > endpoint "/api/greeting", it is protected with the basic >> keycloak-connect >> > setup. >> > https://github.com/bucharest-gold/nodejs-rest-http-secured/ >> > blob/master/app.js#L49 >> > >> > >> > If we run this locally, with "npm start", and just curl that endpoint, >> > "curl http://localhost:3000/api/greeting" it will return with a 403.
>> > >> > There was an issue raised that it should be a 401, >> > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 >> > >> > The way this comment makes it sound, >> > https://github.com/keycloak/keycloak-nodejs-connect/blob/ >> > master/index.js#L232 >> > is >> > that the 403 is correct >> > >> > >> > If we look at the complementary vert.x and swarm examples, >> > https://github.com/openshiftio-vertx-boosters/ >> vertx-secured-http-booster >> > and >> > >> > https://github.com/wildfly-swarm-openshiftio-boosters/ >> > wfswarm-rest-http-secured >> > >> > >> > a similar curl will result in a 401 when not logged in. >> > >> > >> > I'm just wondering if that 403 the node adapter is correct and if so, >> why >> > does it differ from the other runtimes >> > >> > >> > -Luke >> > _______________________________________________ >> > keycloak-dev mailing list >> > keycloak-dev at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > From lholmqui at redhat.com Tue Mar 6 08:32:04 2018 From: lholmqui at redhat.com (Luke Holmquist) Date: Tue, 6 Mar 2018 08:32:04 -0500 Subject: [keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe In-Reply-To: References: Message-ID: https://issues.jboss.org/browse/KEYCLOAK-6810 On Tue, Mar 6, 2018 at 8:29 AM, Luke Holmquist wrote: > Thanks guys!!, will do > > On Tue, Mar 6, 2018 at 8:07 AM, Bruno Oliveira > wrote: > >> +1 please file a Jira for it. >> >> On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc wrote: >> >>> Hi Luke, >>> >>> Yes this looks like a bug, 403 should only be returned if you are already >>> authorized but you don't have the needed role for instance. When you are >>> not authenticated we should just return a 401. >>> Could you open a ticket for us?
>>> >>> Sebi >>> >>> >>> >>> On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist >>> wrote: >>> >>> > Hi, >>> > >>> > given this example application >>> > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is >>> 1 >>> > endpoint "/api/greeting", it is protected with the basic >>> keycloak-connect >>> > setup. >>> > https://github.com/bucharest-gold/nodejs-rest-http-secured/ >>> > blob/master/app.js#L49 >>> > >>> > >>> > If we run this locally, with "npm start", and just curl that endpoint, >>> > "curl http://localhost:3000/api/greeting" it will return with a 403. >>> > >>> > There was an issue raised that it should be a 401, >>> > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 >>> > >>> > The way this comment makes it sound, >>> > https://github.com/keycloak/keycloak-nodejs-connect/blob/ >>> > master/index.js#L232 >>> > is >>> > that the 403 is correct >>> > >>> > >>> > If we look at the complementary vert.x and swarm examples, >>> > https://github.com/openshiftio-vertx-boosters/vertx-secured- >>> http-booster >>> > and >>> > >>> > https://github.com/wildfly-swarm-openshiftio-boosters/ >>> > wfswarm-rest-http-secured >>> > >>> > >>> > a similar curl will result in a 401 when not logged in.
>>> > >>> > I'm just wondering if that 403 the node adapter is correct and if so, >>> why >>> > does it differ from the other runtimes >>> > >>> > >>> > -Luke >>> > _______________________________________________ >>> > keycloak-dev mailing list >>> > keycloak-dev at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> > >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> > From hmidi.slim2 at gmail.com Tue Mar 6 13:46:45 2018 From: hmidi.slim2 at gmail.com (hmidi slim) Date: Tue, 6 Mar 2018 19:46:45 +0100 Subject: [keycloak-user] (no subject) Message-ID: Hi, I'm trying to protect some resources of my node.js app using RBAC mechanism. I have created a realm called MyApp and a user called user, then I create some realm roles such as: res_r (read resource), res_u (update resource), res_d (delete_resource), res_c(create resource). Then I tried to give the user User the realm roles: res_r After I configure keycloak using keycloak-connect, I added: const router = require('express').Router(); router.get('resource', keycloak.protect('realm: res_r'), handler) However I'm not able to read the resource. I decode the authorization with jwt I got in the token: "realm_access": { "roles": [ "res_r", "uma_authorization", ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, How can I fix the problem? From hmidi.slim2 at gmail.com Tue Mar 6 13:47:21 2018 From: hmidi.slim2 at gmail.com (hmidi slim) Date: Tue, 6 Mar 2018 19:47:21 +0100 Subject: [keycloak-user] Unable to access a resource with a given realm role Message-ID: Hi, I'm trying to protect some resources of my node.js app using RBAC mechanism.
I have created a realm called MyApp and a user called user, then I create some realm roles such as: res_r (read resource), res_u (update resource), res_d (delete_resource), res_c(create resource). Then I tried to give the user User the realm roles: res_r After I configure keycloak using keycloak-connect, I added: const router = require('express').Router(); router.get('resource', keycloak.protect('realm: res_r'), handler) However I'm not able to read the resource. I decode the authorization with jwt I got in the token: "realm_access": { "roles": [ "res_r", "uma_authorization", ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, How can I fix the problem? From corentin.dupont at gmail.com Tue Mar 6 14:11:35 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 6 Mar 2018 20:11:35 +0100 Subject: [keycloak-user] Guest account Message-ID: Hi all, I have a javascript web app using keycloak for authentication. When the user opens the app, he is first redirected to the Keycloak login screen. However it's a bit annoying for the user to have to create an account before seeing anything. Personally I close this kind of application :) I would like that the application uses a "guest" account if the user is not registered. "guest" is a real keycloak account that has particular access rights. How to do that? My application probably needs to provide login/password for guest and store the token. I use keycloak-js library.
Now my login code is standard:

var keycloak = Keycloak({ url: config.keycloakUrl, realm: config.realm, clientId: config.clientId });
keycloak.init({ onLoad: 'login-required', checkLoginIframe: false }).success(authenticated => {
  if (authenticated) {
    store.getState().keycloak = keycloak;
    setInterval(() => {
      keycloak.updateToken(3600).success(function (refreshed) {
        getSensors();
        getUsers();
      }).error(function () {
        alert('Your session has expired, please log in again');
        keycloak.logout();
      })
    }, 10000);
    displayPage();
  }
}).error(function (error) {
  console.log("Authentication error. Check Keycloak params and cors issues.");
});

From corentin.dupont at gmail.com Tue Mar 6 14:27:11 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 6 Mar 2018 20:27:11 +0100 Subject: [keycloak-user] Viewing permissions Message-ID: Hi all, I have a question around the representation and result of permissions. Say I have an application that manages socks inventory. The UI is displaying a button to delete socks. However, some user doesn't have the right to delete socks! So, I perform a request to Keycloak to get the permission. It works well: if the user doesn't have permission, the message "authorization denied" is displayed on the screen. However, it would be nicer to remove the "delete" button entirely. My policies are quite complex and multi-dimensional: You can delete socks if you are admin, but also if it belongs to you, you belong to some groups etc. So anticipating the reply to an authorization request can be very hard. What do you suggest? Should we perform a "test" authorization request before displaying the "delete" button? From ogusakov at cisco.com Tue Mar 6 14:36:44 2018 From: ogusakov at cisco.com (Oleg Gusakov (ogusakov)) Date: Tue, 6 Mar 2018 19:36:44 +0000 Subject: [keycloak-user] Is a KeycloakSession object unique per transaction or per user?
Message-ID: <461562bd0e6d41acbaaf0b3bb07041d8@XCH-RCD-005.cisco.com>

Is a KeycloakSession object unique per transaction or per user? If neither, what is the lifecycle of the object?

From ntle at castortech.com Tue Mar 6 14:46:11 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 6 Mar 2018 14:46:11 -0500
Subject: [keycloak-user] Java client for managing keycloak
Message-ID:

Hello,

Is there a Java library that corresponds to the Keycloak admin REST API? I just want to make sure I don't reinvent the wheel by using Apache httpclient to call the Keycloak admin API.

Thank you
Thai

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.
AVIS DE CONFIDENTIALITE (translated from French): The information contained in this message is confidential, may be protected by professional privilege and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.
From hmidi.slim2 at gmail.com Tue Mar 6 18:13:07 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Wed, 7 Mar 2018 00:13:07 +0100
Subject: [keycloak-user] How to communicate access token in microservice architecture
Message-ID:

Hi,
I have a node.js app designed with a microservice architecture and I'm trying to add some roles for each service to deny the access. Suppose that the app consists of 3 services called service1, service2 and service3. To access the main page of the app, a user should enter a login and password to authenticate against the keycloak server. If the authentication succeeds it will show the index page. In the index page there are two choices: resource B and resource C. If a user checks resource B a query will be sent to service2 to get all the data contained in it. If a user checks resource C a query will be sent to service3 to get all the data.

In the Keycloak admin console I created a realm MyApp with some realm roles RA_r (resourceA read), RB_r (resourceB read) and RC_r (resourceC read). Then I created 3 clients called resource A, resource B and resource C. I also created a user called user and I associated RB_r with him. For each service I installed keycloak-connect, made the configurations and added the keycloak.json for each of them:

    {
      "serverUrl": url_auth_server,
      "realm": "MyApp",
      "clientId": "resource X",
      "bearerOnly": true
    }

In service2 I want to protect the get route:

    app.get('resource', keycloak.protect('realm:RB_r'), handler)

The query starts from the first service (service1) and arrives at service2. I got a status code of 403. However when I delete keycloak.protect('realm:RB_r') I receive the data. I decoded the access token from the headers using jwt.io and I found that the realm role (RB_r) exists. So how can I transfer the access token between different services and protect them using an RBAC mechanism? Did I miss something in the config or should I add a specific configuration?
From jim.groffen at gmail.com Wed Mar 7 01:51:41 2018 From: jim.groffen at gmail.com (Jim Groffen) Date: Wed, 7 Mar 2018 17:21:41 +1030 Subject: [keycloak-user] Cannot create users when a Kerberos Federation is configured but the KDC is unreachable Message-ID: Hello folks, I am using KeyCloak (3.4.3) with a Kerberos based User Federation - using a keytab only with no communication available between the KDC and the KeyCloak server. Note that no connection between the KDC and KeyCloak is possible in my scenario so I need to rely on the keytab alone for authentication. This works well - new users from the network that can perform Kerberos auth just need to add any missing information on first login. I have noticed the following problem though: I also need to add users manually to KeyCloak. I find that I have to disable the Kerberos based User Federation to create a non-Kerberos based user, or I get an error. Digging in to the logs I find that KeyCloak is attempting to query the KDC directly, which fails with: DEBUG [org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator] (default task-10) Message from kerberos: Cannot locate KDC ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: org.keycloak.models.ModelException: Kerberos unreachable at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108) ... Caused by: javax.security.auth.login.LoginException: Cannot locate KDC at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804) ... Caused by: KrbException: Cannot locate KDC at sun.security.krb5.Config.getKDCList(Config.java:1084) ... Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm XXXXXXX I have verified that I can successfully create a user in KeyCloak if the KDC is accessible. 
In this case KeyCloak logs no error, simply reporting that the user was not found in the KDC.

Given the above, I have a few questions I'm hoping you can help me with:
1: Am I trying to do something that is unsupported by KeyCloak?
2: If this is currently unsupported, would you like me to raise a feature request?
3: If it should be supported, is it possible I mis-configured something, or should I raise a bug report?

KeyCloak is behaving how I want for the most part. With some advice / direction I could work on a pull request targeting this.

Thanks in advance,
Jim Groffen.

From pinguwien at gmail.com Wed Mar 7 05:03:31 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 7 Mar 2018 11:03:31 +0100
Subject: [keycloak-user] How do I set a field for idToken when implementing custom Provider / Authenticator?
Message-ID: <62bebae4-72ee-baf1-e6bf-f3059205c386@gmail.com>

Hi all,

so I created a custom Provider for my legacy db and a custom authenticator due to special requirements.

Now when I debug in validatePassword in AbstractUsernameFormAuthenticator.java, I get the user entity with all the fields I need.

Now my concrete question is: How do I map these fields to the idtoken to use them in my application?

I tried adding a User Attribute Mapper to my client directly, but this gives me a NullPointerException. Also, in the Admin Interface, the field "Mappers" is missing from my custom Provider. Perhaps this is the fault? Did I forget to implement one thing? I used the storage-jpa example.

Any hints would be highly appreciated. If some code is needed, just ask :-)

Best regards,
Dominik

From psilva at redhat.com Wed Mar 7 06:31:38 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 7 Mar 2018 08:31:38 -0300
Subject: [keycloak-user] Viewing permissions
In-Reply-To:
References:
Message-ID:

I think this is the best way to go .... In fact, this is exactly what we are pushing now with UMA 2.0 and support for asynchronous authorization.
Suppose you have a "Request Access" button in case the user is not allowed to perform operation on a resource belonging to a different user. This button could be displayed based on a "test" authorization request to which you can also specify whether or not you want to start an authorization flow to get approval from resource owner. Regards. Pedro Igor On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont wrote: > Hi all, > I have a question around the representation and result of permissions. > Say I have an application that manages socks inventory. The UI is > displaying a button to delete socks. However, some user doesn't have the > right to delete socks! > So, I perform a request to Keycloak to get the permission. > It works well: if the user doesn't have permission, the message > "authorization denied" is displayed on the screen. > > However, it would be nicer to remove the "delete" button entirely. > My policies are quite complex and multi-dimensional: You can delete socks > if you are admin, but also if it belongs to you, you belong to some groups > etc. > So anticipating the reply to an authorization request can be very hard. > > What do you suggest? Should we perform a "test" authorization request > before display the "delete" button? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From pinguwien at gmail.com Wed Mar 7 07:58:45 2018 From: pinguwien at gmail.com (Dominik Guhr) Date: Wed, 7 Mar 2018 13:58:45 +0100 Subject: [keycloak-user] How do I set a field for idToken when implementing custom Provider / Authenticator? In-Reply-To: <62bebae4-72ee-baf1-e6bf-f3059205c386@gmail.com> References: <62bebae4-72ee-baf1-e6bf-f3059205c386@gmail.com> Message-ID: So, after further investigation I got it working by now. For future ppl who don't want to search around: As said, I implemented a custom loginform based on AbstractUsernameFormAuthenticator. 
There, in method validateUsernameAndPassword, the context gets set in the end by context.setUser(user);

So, I was particularly interested in the "builtin" field locale, which I added to the client mappers. First try was to add this line:

    user.setAttribute(UserModel.LOCALE, Collections.singletonList(context.getHttpRequest().getHttpHeaders().getCookies().get("KEYCLOAK_LOCALE").getValue()));

BUT: This only seems to work in Firefox; for some reason (didn't investigate further), the KEYCLOAK_LOCALE cookie wasn't set in Chrome. So, to make it work I had to add a custom cookie to my custom theme via js, which was pretty straightforward.

Now this is working and I get the locale field populated with the previously chosen value of the locale dropdown when internationalization is enabled.

Pretty hard way to go before I found all these little things out. Actually, I thought the locale would've been set internally for the user who logs in, based on the value of the dropdown, so that I could just add the mapper and... works. :)

Best regards,
Dominik

Am 07.03.18 um 11:03 schrieb Dominik Guhr:
> Hi all,
>
> so I created a custom Provider for my legacy db and a custom
> authenticator due to special requirements.
>
> Now when I debug in validatePassword in
> AbstractUsernameFormAuthenticator.java, I get the user entity with all
> the fields I need.
>
> Now my concrete question is: How do I map these fields to the idtoken
> to use them in my application?
>
> I tried adding a User Attribute Mapper to my client directly, but this
> gives me a NullPointerException.
> Also, in the Admin Interface, the field "Mappers" is missing from my custom
> Provider. Perhaps this is the fault? Did I forget to implement one
> thing? I used the storage-jpa example.
>
> Any hints would be highly appreciated.
> If some code is needed, just ask :-)
>
> Best regards,
> Dominik

From chris.savory at edlogics.com Wed Mar 7 08:40:12 2018
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 7 Mar 2018 13:40:12 +0000
Subject: [keycloak-user] Java client for managing keycloak
In-Reply-To:
References:
Message-ID:

https://github.com/keycloak/keycloak/tree/master/integration/admin-client

--
Christopher Savory
Software Engineer | EdLogics

On 3/6/18, 1:46 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Nhut Thai Le" wrote:

    Hello,

    Is there a Java library that corresponds to the Keycloak admin REST API? I just want to make sure I don't reinvent the wheel by using Apache httpclient to call the Keycloak admin API.

    Thank you
    Thai

    --
    Castor Technologies Inc
    460 rue St-Catherine St Ouest, Suite 613
    Montréal, Québec H3B-1A7
    (514) 360-7208 o
    (514) 798-2044 f
    ntle at castortech.com
    www.castortech.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Mar 7 12:30:34 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Mar 2018 18:30:34 +0100
Subject: [keycloak-user] [keycloak-dev] Running Keycloak in a clustered mode
In-Reply-To:
References:
Message-ID: <99fdb6b6-ce06-92f6-40db-ff26854aa0c4@redhat.com>

On 07/03/18 13:51, Chervine Majeri wrote:
> Hi,
> We're considering attempting the exact same setup, with 2 standalone
> keycloaks connected to the same backend DB.
>
> > User session is one example. There are some other things, which won't
> > work. We never tried to test such setup and I wouldn't do it.
>
> From what I've seen, only what's stored in the cache ends up being
> different, meaning the HA models really only differ in that they have
> a distributed cache. Is this correct? Or does it affect the connection
> to the DB too?
>
> From that assumption, seeing the content of "standalone-ha.xml", I see
> that it's mostly session related stuff and things like loginFailures
> that end up in the distributed cache.
> Since we have a session cookie, unique for every session, can we use
> session stickiness in the reverse-proxy to circumvent most the issues?

The session stickiness is usually not sufficient. The OpenID Connect specification uses some "backchannel" requests, which are not sent as part of the browser session, but are sent directly between the client application and Keycloak (for example the code-to-token request, the refresh token request etc). Those requests won't see the sticky session cookie, and hence can be directed to a different node than the one who owns the session. The only possibility when everything may work is if all your clients are using the keycloak.js adapter (javascript clients run fully inside the browser and so they can participate in the sticky session, as backchannel requests are sent from the browser as well).

There are also some other cases when a sticky session is not sufficient. For example in scenarios when mail is sent to the user (EG. "Forget password" functionality) and the user clicks on the link, but the link is opened in a different browser than the one who "owns" the sticky session cookie. Then it may happen that the request is served on a different browser than the one who owns the session.

Finally invalidations won't work. Keycloak uses caches to cache some data for performance reasons. Those caches are "realms", "users" and "keys". Every cluster node caches the data locally, however when some change happens (data are updated), then the node who did the update must notify the other nodes in the cluster about the change. If you don't use a cluster, this won't work and the other cluster nodes won't be notified and will still see stale data in their caches. In other words, when for example you update user "john" on node1, then node2 won't be aware of this update and will still see stale (old) data of user "john" in its cache.

The only possibilities for a workaround are:
- Disable the cache entirely (See our docs for more details)
- Ensure that the cache is cleared after every update (This is usually not possible to achieve unless you have some special kind of deployment (EG. something close to a read-only deployment)).

Marek

>
> Obviously the loginFailures feature wouldn't work all that well, but
> that would be acceptable for my use-case.
>
> Thanks,
> Chervine.

From keycloak at ackermann.ca Wed Mar 7 14:10:19 2018
From: keycloak at ackermann.ca (Jakob Ackermann)
Date: Wed, 7 Mar 2018 11:10:19 -0800
Subject: [keycloak-user] Restrict Enduser Access to some Clients.
Message-ID:

Hello Keycloak users,

I'm trying to achieve the following scenario with Keycloak and failing. I've read through the documentation and could not find how I'm supposed to solve this. If someone could help me to point to the right direction it would be much appreciated.
Realm: organization
clients:
  google (as SP)
  custom01
  custom02 (without access to check for roles in the authentication script)
user roles:
  user-google
  user-custom01
  user-custom02
users:
  user1 -> roles: user-google, user-custom01
  user2 -> roles: user-custom02

How can I permit only users with role user-google to access the google client? For custom clients I can change the code to look for the role but most SSO setups like Google don't have an option to do this. Is there a way in Keycloak to restrict access?

Thanks so much.

From ntle at castortech.com Wed Mar 7 14:31:48 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 7 Mar 2018 14:31:48 -0500
Subject: [keycloak-user] Create realm from java admin client with access token vs username+password
Message-ID:

Hello,

In the admin client I see there is an overloaded method to create a Keycloak instance using a token, (Keycloak.getInstance(serverUrl, realm, clientId, authToken)). Is this considered more secure than using the username+password? Since if I'm using the access token in the method above, I still need to make another call earlier with the username + password to get the token; either way, the username + password will be in my code repo.

I think I can create an account in the master realm with role create-realm; can I use that as a service account, or is there an existing service account somewhere in the master realm? I'm trying to integrate keycloak into my multitenancy application where each client has his own realm to config his security. My application needs to create the realm when the client registers to my app.

Thai

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

From myoder at cloudera.com Wed Mar 7 18:05:27 2018
From: myoder at cloudera.com (Michael Yoder)
Date: Wed, 7 Mar 2018 15:05:27 -0800
Subject: [keycloak-user] How to create a realm using the admin client
In-Reply-To:
References:
Message-ID:

Thanks for the help! I dug through your code (which helped), and I'll just go ahead and use httpclient to send the POSTs myself. I really do want to do this inside a java program and not deal with a fork/exec of kcadm.sh.
Regards, -Mike On Thu, Feb 22, 2018 at 7:19 AM, Marko Strukelj wrote: > And of course if the realm does not yet exist in the target server you > have to create it first: > > $ kcadm.sh create realms -s realm=demorealm -s enabled=true > > On Thu, Feb 22, 2018 at 4:12 PM, Marko Strukelj > wrote: > >> You can achieve that by using Admin CLI (for example - if you have >> exported a demorealm.json using boot time export, you can import it into a >> live server as follows): >> >> $ kcadm.sh create -r demorealm partialImport -s ifResourceExists=FAIL -o >> -f - < demorealm.json >> >> >> Basically you POST the demorealm.json as a body to >> http://localhost:8080/auth/admin/realms/demorealm/partialImport >> >> >> And you add additional attribute into realm JSON body >> ("ifResourceExists": "FAIL"). >> >> >> If you only want to add extra things into existing realm, you can use >> "SKIP". And there is also "OVERWRITE" which you probably want to avoid. >> >> On Wed, Feb 21, 2018 at 12:58 AM, Michael Yoder >> wrote: >> >>> I've got the json from a realm export. Now I'd like to re-create that >>> realm >>> using the keycloak-admin-client library. Is there any sample code out >>> there? Hints? >>> I've found >>> >>> http://www.keycloak.org/docs/3.4/server_development/#admin-rest-api >>> >>> and >>> >>> http://www.keycloak.org/docs-api/3.4/javadocs/ >>> >>> and even >>> >>> https://github.com/keycloak/keycloak/blob/master/integration >>> /admin-client/src/main/java/org/keycloak/admin/client/resour >>> ce/RealmResource.java >>> >>> I feel like I've got parts of it, but I don't know how to put the pieces >>> together. Any help would be appreciated. 
>>>
>>> Thanks,
>>> -Mike Yoder
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From cav at uniscope.jp Wed Mar 7 23:05:57 2018
From: cav at uniscope.jp (Carlos Villegas)
Date: Thu, 8 Mar 2018 13:05:57 +0900 (JST)
Subject: [keycloak-user] Login UI locale reverting to browser's on wrong user/password
In-Reply-To: <1032f10e-6de2-71f3-2bcf-d9e304213bb7@redhat.com>
References: <165863238.169.1520309990071@xchange.uniscope.jp> <1032f10e-6de2-71f3-2bcf-d9e304213bb7@redhat.com>
Message-ID: <1434696426.206.1520481957234@xchange.uniscope.jp>

Yes, I've tested it with 3.4.3.Final and same results. To make sure, I tested with the default login theme; I had a custom login theme and had set "display: none" to the locale selection tag. However, I see that this is not submitted with the form; instead, the locale pulldown reloads the login form sending a 'kc_locale' parameter in the login actions URL. And then after that, if there's an error it works OK. However, on first getting to the login form with a ui_locales parameter sent from the client, things don't work.

I was thinking that if I add a hidden input field to the form, setting the kc_locale parameter with the current locale, maybe that'll do it. Can somebody confirm this? If that works, is the current locale available in some freemarker variable? I'm not familiar with freemarker, or how it is set up in Keycloak, or whether I can get access to the URL parameters? I can also try some javascript to extract it from the locale menu, but it's simpler if it's available somewhere from the template. I can then send it with the form as the kc_locale param, to make sure the locale stays where it is.

Carlos

> On March 6, 2018 at 1:26 PM Marek Posolda wrote:
>
>
> On 06/03/18 05:19, Carlos Villegas wrote:
> > Hi,
> >
> > I'm using the docker image version 3.4.0.Final.
> > I've set up a realm and enabled internationalization, set default locale to English.
> >
> > I'm using the Javascript adapter and I set the locale I want in the login options. I have a custom theme where I've hidden Keycloak's login screen Locale selection menu. I'm sending the locale using the login options of the login call of the Javascript adapter.
> >
> > The keycloak login screen comes up in the correct locale I requested in the login options. However, if I put the wrong password and submit, the next error screen comes in what seems to be the web browser's default language.
> >
> > For example, in an English Windows 10 installation using Chrome which is in English, I request the Japanese locale. The Keycloak login screen comes correctly in Japanese, but if I enter the wrong password, the next error screen requesting to reenter login info is in English, all labels and error messages in English. It seems Keycloak's forgetting my locale option and using the browser's.
> >
> > Using the same server, from a Japanese Windows 10 machine, using Chrome in Japanese, the user requests the English locale, and gets correctly the English login screen. Enters the wrong password, and the next error screen is in Japanese! Note that this is not even the default locale I've set up in Keycloak which is English.
> >
> > I see in the login URL sent from the client that the ui_locales parameter is properly set to the value I want; as I said the first login screen is in the correct locale I've requested. The problem is if there's any error, the screens with error messages don't have the correct locale.
> >
> > Any idea of what can be happening, and if by any chance this has been corrected in the latest version of Keycloak? I haven't had the chance to test the latest version yet.
> Yes, I would try to test with latest version. If it doesn't help,
> probably create JIRA with description of your usecase.
> > Marek > > > > Cheers, > > > > Carlos > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From c.majeri at gmail.com Thu Mar 8 07:34:48 2018 From: c.majeri at gmail.com (Chervine Majeri) Date: Thu, 8 Mar 2018 13:34:48 +0100 Subject: [keycloak-user] [keycloak-dev] Running Keycloak in a clustered mode In-Reply-To: <99fdb6b6-ce06-92f6-40db-ff26854aa0c4@redhat.com> References: <99fdb6b6-ce06-92f6-40db-ff26854aa0c4@redhat.com> Message-ID: That's a lot more than I imagined, good thing I consulted here first! Sounds like I'll have to use the standalone-ha mode with distributed cache then. Thanks a lot for the explanations, Chervine. From carreraariel at gmail.com Thu Mar 8 10:40:25 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Thu, 8 Mar 2018 12:40:25 -0300 Subject: [keycloak-user] Keycloak - Application Clustering with sticky session Message-ID: When you use "application.session.host" in the client's admin url, in some environments there is no way to reach to the exact application node (with session created) to send a logout signal. Keycloak doesn't have inside "application.session.host" information about port number and it is impossible to reach the exact application server node. So... when your environment have more than one application server (wildfly, jboss, etc) listening using port offsets... Keycloak try to reach application.session.host (port 80) but it's not a valid endpoint. Is there a variable available to this (something like "application.session.port")? 
Thanks,
--
Ariel Carrera

From ntle at castortech.com Thu Mar 8 14:30:48 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 8 Mar 2018 14:30:48 -0500
Subject: [keycloak-user] mandatory fields when create new realm from admin-client
Message-ID:

Hello,

I used the admin-client to create a new realm and I just want the default settings, so I only set the name and enabled:

    Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", "master", "admin", "admin", "admin-cli");
    RealmRepresentation newRealm = new RealmRepresentation();
    newRealm.setRealm(realmName);
    newRealm.setEnabled(true);
    keycloak.realms().create(newRealm);

I can see the realm created and enabled but it seems like I cannot use it: when I select the newly created realm, there is only 1 General tab and no menu on the left to config the realm, roles, clients,... I can't even delete the realm since there is no delete button; trying to delete it from master realm clients gives the following error:

    org.h2.jdbc.JdbcSQLException: Referential integrity constraint violation: "FK_TRAF444KK6QRKMS7N56AIWQ5Y: PUBLIC.REALM FOREIGN KEY(MASTER_ADMIN_CLIENT) REFERENCES PUBLIC.CLIENT(ID) ('9626e6d0-bbd6-44bc-8b61-06be07d08a17')"; SQL statement:
    delete from CLIENT where ID=? [23503-193]

As I look at the RealmRepresentation (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_realmrepresentation), all the fields are optional, which I assume means they have default values if not specified. If this is a wrong assumption, could anyone tell me which fields I should set to have a working realm?

I'm using 3.4.3.Final by the way.

Thai

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

From hmidi.slim2 at gmail.com Thu Mar 8 15:18:26 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Thu, 8 Mar 2018 21:18:26 +0100
Subject: [keycloak-user] Run commands with jboss-cli when server is off.
Message-ID:

Hi,
I want to add some system properties with jboss-cli:

    jboss-cli.sh --connect --commands="/system-property=keycloak.migration.action/:add(value=export)","/system-property=keycloak.migration.provider/:add(value=dir)","/system-property=keycloak.migration.dir/:add(value=export_dir)"

This instruction will be executed only if the server is launched. Can I execute this instruction when the server is off?

From moritz.becker at gmx.at Thu Mar 8 20:35:12 2018
From: moritz.becker at gmx.at (moritz.becker at gmx.at)
Date: Fri, 9 Mar 2018 02:35:12 +0100
Subject: [keycloak-user] Authenticate against multiple realm management clients simultaneously
Message-ID: <00ec01d3b746$de7bded0$9b739c70$@gmx.at>

Hi,

I use Keycloak to secure an application that has two types of users: vendors and customers. I created one 'customer-realm' and one 'vendor-realm'.
Each realm also has one client which the application authenticates against, depending on whether the vendor login or the customer login is used. I also have a backoffice application that is separate from my main application. Backoffice users should be able to manage both vendors and customers. I planned to utilize the auto-created realm management clients in the master realm called 'customer-realm-realm' and 'vendor-realm-realm' that would allow me to assign permissions to users in the master realm to manage the other realms as needed. However, when a user logs in to the backoffice application, it can only authenticate against one of the realm management clients and not both (as far as I see). So the user would only receive half of the required permissions. What is the best approach here? Thank you! From mstrukel at redhat.com Fri Mar 9 03:56:39 2018 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 9 Mar 2018 09:56:39 +0100 Subject: [keycloak-user] mandatory fields when create new realm from admin-client In-Reply-To: References: Message-ID: There's nothing wrong with how you created your realm. You can confirm that your realm exists by using: $ kcadm.sh get realms On Thu, Mar 8, 2018 at 8:30 PM, Nhut Thai Le wrote: > Hello, > > I used the admin-client to create a new realm and i just want the default > settings so i only set the name and enabled: > Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth", > "master", "admin", "admin", "admin-cli"); > RealmRepresentation newRealm = new RealmRepresentation(); > newRealm.setRealm(realmName); > newRealm.setEnabled(true); > keycloak.realms().create(newRealm); > > I can see the realm created and enabled but seem like i cannot use it, when > i select the newly created realm, there is only 1 General tab and no menu > on the left to config the realm, roles, clients,... 
> I can't even delete the realm since there is no delete button; trying to delete it from master
> realm clients gives the following error:
>
> org.h2.jdbc.JdbcSQLException: Referential integrity constraint violation: "FK_TRAF444KK6QRKMS7N56AIWQ5Y:
> PUBLIC.REALM FOREIGN KEY(MASTER_ADMIN_CLIENT) REFERENCES PUBLIC.CLIENT(ID)
> ('9626e6d0-bbd6-44bc-8b61-06be07d08a17')"; SQL statement:
> delete from CLIENT where ID=? [23503-193]
>
> As I look at the RealmRepresentation
> (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_realmrepresentation),
> all the fields are optional, which I assume means they have default values if not
> specified. If this is a wrong assumption, could anyone tell me which fields
> I should set to have a working realm?
>
> I'm using 3.4.3Final by the way.
>
> Thai
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle at castortech.com
> www.castortech.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Fri Mar 9 04:12:43 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 9 Mar 2018 10:12:43 +0100
Subject: [keycloak-user] Create realm from java admin client with access token vs username+password
In-Reply-To:
References:
Message-ID:

Sometimes you already have an access token - your Java client may have a custom login mechanism, for example, that delegates username and password input in order to retrieve it interactively from the user. In that case the client doesn't even have to know about username and password - it only receives fresh access and refresh tokens, for example. A concrete example is the Registration Client CLI, which stores the tokens in a private file so it doesn't need to ask the client for username and password all the time, and can just use a still valid access token / refresh token.

For your case you'll want to create a custom client configuration, protect it with clientId and client secret (or signed JWT), and enable the service account for that client. See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts

On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le wrote:
> Hello,
>
> In the admin client I see there is an overload method to create a Keycloak
> instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
> authToken)). Is this considered more secure than using the
> username+password? Since if I'm using the access token in the method above,
> I still need to make another call earlier with the username + password to
> get the token; either way, the username+password will be in my code repo.
>
> I think I can create an account in the master realm with role create-realm;
> can I use that as a service account, or is there an existing service account
> somewhere in the master realm?
>
> I'm trying to integrate Keycloak into my multitenancy application, where each
> client has his own realm to config his security. My application needs to
> create the realm when the client registers to my app.
>
> Thai
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle at castortech.com
> www.castortech.com
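One way to put Marko's suggestion into code, as an added example that is not part of the thread and not Keycloak's own code: the Java admin client authenticates with the client credentials grant of a confidential client whose service account holds the create-realm role, the client secret is read from an environment variable rather than living in the code repository, and the realm is created with only the name and the enabled flag set, exactly as in the earlier "mandatory fields" thread. The client id realm-provisioner, the environment variable name KEYCLOAK_CLIENT_SECRET and the tenant realm name are assumptions; the server URL is the one used in the thread.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

import javax.ws.rs.NotFoundException;

/**
 * Added example (not from the thread, not Keycloak's own code): provision a
 * realm from a stand-alone Java application using a service account instead
 * of an admin username and password.
 *
 * Assumed setup in the master realm (not stated in the thread):
 *  - a confidential client "realm-provisioner" with "Service Accounts Enabled"
 *  - its service-account user holds the create-realm role
 *  - the client secret is supplied via the KEYCLOAK_CLIENT_SECRET environment
 *    variable, so no credential is committed to the code repository
 */
public class RealmProvisioner {

    // Server URL as used in the thread; the client id is an assumption.
    private static final String SERVER_URL = "http://localhost:8180/auth";
    private static final String CLIENT_ID = "realm-provisioner";

    /** Admin client that authenticates with the client credentials grant. */
    static Keycloak serviceAccountClient(String clientSecret) {
        return KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm("master")
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(CLIENT_ID)
                .clientSecret(clientSecret)
                .build();
    }

    /** Minimal realm, exactly as in the thread: only the name and the enabled flag. */
    static RealmRepresentation minimalRealm(String realmName) {
        RealmRepresentation rep = new RealmRepresentation();
        rep.setRealm(realmName);
        rep.setEnabled(true);
        return rep;
    }

    /**
     * Creates the realm if it does not exist yet. Returns true when a realm was
     * created, false when it was already present. Reading the realm back
     * confirms that the service account is allowed to see what it created.
     */
    static boolean createRealmIfAbsent(Keycloak keycloak, String realmName) {
        try {
            keycloak.realm(realmName).toRepresentation();
            return false;                       // already exists, nothing to do
        } catch (NotFoundException e) {
            keycloak.realms().create(minimalRealm(realmName));
        }
        RealmRepresentation created = keycloak.realm(realmName).toRepresentation();
        if (!Boolean.TRUE.equals(created.isEnabled())) {
            throw new IllegalStateException("realm " + realmName + " was created but is not enabled");
        }
        return true;
    }

    public static void main(String[] args) {
        String secret = System.getenv("KEYCLOAK_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_CLIENT_SECRET is not set");
        }
        String tenantRealm = args.length > 0 ? args[0] : "tenant-demo"; // assumed tenant name
        Keycloak keycloak = serviceAccountClient(secret);
        try {
            boolean created = createRealmIfAbsent(keycloak, tenantRealm);
            System.out.println(created ? "created realm " + tenantRealm
                                       : "realm " + tenantRealm + " already existed");
        } finally {
            keycloak.close();                   // releases the underlying HTTP client
        }
    }
}
```

Run it with the secret in the environment, for example `KEYCLOAK_CLIENT_SECRET=... java RealmProvisioner tenant-acme`. The secret is the only credential the application holds; it can be rotated in the admin console without touching the code, and the service account can be restricted to create-realm rather than carrying a full admin user's rights.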
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Fri Mar 9 04:47:23 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 9 Mar 2018 10:47:23 +0100
Subject: [keycloak-user] Viewing permissions
In-Reply-To:
References:
Message-ID:

Based on my current API, I can see two strategies for displaying the "delete" (or request access) button.

I have an API like this:

GET /cars
POST /cars
GET /cars/
DELETE /cars/

When I receive a request, I call Keycloak to get authorization on the resource/scope. I also create/delete resources in Keycloak for the POST/DELETE requests.

Regarding the display of the "delete" button on the UI, what should I do? I see two options:

1. Add a "dry_run" query parameter on the DELETE endpoint:

DELETE /cars/myCar?dry_run=true

This would query only Keycloak, and return the status code (200 or 403). Based on that I can display my button or not.

2. Create a specific endpoint for viewing authorizations:

GET /permissions
{
  cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}]
}

What do you think?

On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva wrote:
> I think this is the best way to go ....
>
> In fact, this is exactly what we are pushing now with UMA 2.0 and support
> for asynchronous authorization. Suppose you have a "Request Access" button
> in case the user is not allowed to perform an operation on a resource
> belonging to a different user. This button could be displayed based on a
> "test" authorization request to which you can also specify whether or not
> you want to start an authorization flow to get approval from the resource owner.
>
> Regards.
> Pedro Igor
>
> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont wrote:
>
>> Hi all,
>> I have a question around the representation and result of permissions.
>> Say I have an application that manages socks inventory.
>> The UI is
>> displaying a button to delete socks. However, some user doesn't have the
>> right to delete socks!
>> So, I perform a request to Keycloak to get the permission.
>> It works well: if the user doesn't have permission, the message
>> "authorization denied" is displayed on the screen.
>>
>> However, it would be nicer to remove the "delete" button entirely.
>> My policies are quite complex and multi-dimensional: you can delete socks
>> if you are admin, but also if it belongs to you, you belong to some groups,
>> etc.
>> So anticipating the reply to an authorization request can be very hard.
>>
>> What do you suggest? Should we perform a "test" authorization request
>> before displaying the "delete" button?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From marco.deluca at carity.se Fri Mar 9 04:51:04 2018
From: marco.deluca at carity.se (Marco de Luca)
Date: Fri, 9 Mar 2018 10:51:04 +0100
Subject: [keycloak-user] Problem: We're sorry ...You are already authenticated as different user
Message-ID: <79991F1C-997F-483F-9AF5-9E3C084FE805@carity.se>

Scenario:

We are using Keycloak OIDC to create id-token/UserInfo for our applications. The IdP is provided by an external SAML IdP.

We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).

Problem:

When the first application "A" uses Keycloak to authenticate the user everything is OK. When application "B" (using the same browser) uses Keycloak to authenticate the user an error occurs: "We're sorry ...You are already authenticated as different user 'xx' in this session. Please logout first." (DIFFERENT_USER_AUTHENTICATED)

The current configuration uses the IdP "Subject.NameID" as username (preferred_username).
--
Marco

From mposolda at redhat.com Fri Mar 9 05:14:19 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Mar 2018 11:14:19 +0100
Subject: [keycloak-user] Problem: We're sorry ...You are already authenticated as different user
In-Reply-To: <79991F1C-997F-483F-9AF5-9E3C084FE805@carity.se>
References: <79991F1C-997F-483F-9AF5-9E3C084FE805@carity.se>
Message-ID:

Hi,

could you try to upgrade to latest version 3.4.3 and see if the issue is still there for your scenario?

Marek

On 09/03/18 10:51, Marco de Luca wrote:
> Scenario:
>
> We are using Keycloak OIDC to create id-token/UserInfo for our applications. The IdP is provided by an external SAML IdP.
>
> We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
>
> Problem:
>
> When the first application "A" uses Keycloak to authenticate the user everything is OK. When application "B" (using the same browser) uses Keycloak to authenticate the user an error occurs: "We're sorry ...You are already authenticated as different user 'xx' in this session. Please logout first." (DIFFERENT_USER_AUTHENTICATED)
>
> The current configuration uses the IdP "Subject.NameID" as username (preferred_username).
>

From marco.deluca at carity.se Fri Mar 9 06:38:03 2018
From: marco.deluca at carity.se (Marco de Luca)
Date: Fri, 9 Mar 2018 12:38:03 +0100
Subject: [keycloak-user] Problem: We're sorry ...You are already authenticated as different user
In-Reply-To:
References: <79991F1C-997F-483F-9AF5-9E3C084FE805@carity.se>
Message-ID: <46C64489-37C9-4503-932C-F97E8479FAF7@carity.se>

Hello,

Sorry, my bad. We are currently running Keycloak 3.4.3.Final.

--
Marco

> On 9 Mar 2018, at 11:14, Marek Posolda wrote:
>
> Hi,
>
> could you try to upgrade to latest version 3.4.3 and see if the issue is still there for your scenario?
>
> Marek
>
> On 09/03/18 10:51, Marco de Luca wrote:
>> Scenario:
>>
>> We are using Keycloak OIDC to create id-token/UserInfo for our applications.
>> The IdP is provided by an external SAML IdP.
>>
>> We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
>>
>> Problem:
>>
>> When the first application "A" uses Keycloak to authenticate the user everything is OK. When application "B" (using the same browser) uses Keycloak to authenticate the user an error occurs: "We're sorry ...You are already authenticated as different user 'xx' in this session. Please logout first." (DIFFERENT_USER_AUTHENTICATED)
>>
>> The current configuration uses the IdP "Subject.NameID" as username (preferred_username).
>>
>

From psilva at redhat.com Fri Mar 9 06:53:16 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 9 Mar 2018 08:53:16 -0300
Subject: [keycloak-user] Viewing permissions
In-Reply-To:
References:
Message-ID:

On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont wrote:
> Based on my current API, I can see two strategies for displaying the
> "delete" (or request access) button.
>
> I have an API like this:
>
> GET /cars
> POST /cars
> GET /cars/
> DELETE /cars/
>
> When I receive a request, I call Keycloak to get authorization on the
> resource/scope.
> I also create/delete resources in Keycloak for the POST/DELETE requests.
>
> Regarding the display of the "delete" button on the UI, what should I do?
> I see two options:
> 1. Add a "dry_run" query parameter on the DELETE endpoint:
>
> DELETE /cars/myCar?dry_run=true
>
> This would query only Keycloak, and return the status code (200 or 403).
> Based on that I can display my button or not.
>

You can send an entitlement request to Keycloak asking permissions for the resource. 200/403 will be returned accordingly.

>
> 2. Create a specific endpoint for viewing authorizations:
>
> GET /permissions
> {
> cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}]
> }
>
> What do you think?
>
> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva
> wrote:
>
>> I think this is the best way to go ....
>> >> In fact, this is exactly what we are pushing now with UMA 2.0 and support >> for asynchronous authorization. Suppose you have a "Request Access" button >> in case the user is not allowed to perform operation on a resource >> belonging to a different user. This button could be displayed based on a >> "test" authorization request to which you can also specify whether or not >> you want to start an authorization flow to get approval from resource owner. >> >> Regards. >> Pedro Igor >> >> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi all, >>> I have a question around the representation and result of permissions. >>> Say I have an application that manages socks inventory. The UI is >>> displaying a button to delete socks. However, some user doesn't have the >>> right to delete socks! >>> So, I perform a request to Keycloak to get the permission. >>> It works well: if the user doesn't have permission, the message >>> "authorization denied" is displayed on the screen. >>> >>> However, it would be nicer to remove the "delete" button entirely. >>> My policies are quite complex and multi-dimensional: You can delete socks >>> if you are admin, but also if it belongs to you, you belong to some >>> groups >>> etc. >>> So anticipating the reply to an authorization request can be very hard. >>> >>> What do you suggest? Should we perform a "test" authorization request >>> before display the "delete" button? 
>>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From corentin.dupont at gmail.com Fri Mar 9 07:11:07 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Fri, 9 Mar 2018 13:11:07 +0100 Subject: [keycloak-user] Viewing permissions In-Reply-To: References: Message-ID: On Fri, Mar 9, 2018 at 12:53 PM, Pedro Igor Silva wrote: > > > On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont > wrote: > >> Based on my current API, I can see two strategies for displaying the >> "delete" (or request access) button. >> >> I have an API like this: >> >> GET /cars >> POST /cars >> GET /cars/ >> DELETE /cars/ >> >> When I receive a request, I call keycloak to get authorization on the >> resource/scope. >> I also create/delete resources in Keycloak for the POST/DELETE requests. >> >> Regarding the display of the "delete" button on the UI, what should I do? >> I see two options: >> 1. Add a "dry_run" query parameter on the DELETE endpoint: >> >> DELETE /cars/myCar?dry_run=true >> >> This would query only keycloak, and return the status code (200 or 403). >> Based on that I can display my button or not. >> > > You can send a entitlement request to Keycloak asking permissions for the > resource. 200/403 will be returned accordingly. > Exactly. But my question was more on how to design an API using this feature :) > > >> >> 2. Create a specific endpoint for viewing authorizations: >> >> GET /permissions >> { >> cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}] >> } >> >> What do you think? >> >> >> >> >> >> >> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva >> wrote: >> >>> I think this is the best way to go .... >>> >>> In fact, this is exactly what we are pushing now with UMA 2.0 and >>> support for asynchronous authorization. 
Suppose you have a "Request Access" >>> button in case the user is not allowed to perform operation on a resource >>> belonging to a different user. This button could be displayed based on a >>> "test" authorization request to which you can also specify whether or not >>> you want to start an authorization flow to get approval from resource owner. >>> >>> Regards. >>> Pedro Igor >>> >>> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Hi all, >>>> I have a question around the representation and result of permissions. >>>> Say I have an application that manages socks inventory. The UI is >>>> displaying a button to delete socks. However, some user doesn't have the >>>> right to delete socks! >>>> So, I perform a request to Keycloak to get the permission. >>>> It works well: if the user doesn't have permission, the message >>>> "authorization denied" is displayed on the screen. >>>> >>>> However, it would be nicer to remove the "delete" button entirely. >>>> My policies are quite complex and multi-dimensional: You can delete >>>> socks >>>> if you are admin, but also if it belongs to you, you belong to some >>>> groups >>>> etc. >>>> So anticipating the reply to an authorization request can be very hard. >>>> >>>> What do you suggest? Should we perform a "test" authorization request >>>> before display the "delete" button? >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From psilva at redhat.com Fri Mar 9 08:47:38 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 9 Mar 2018 10:47:38 -0300 Subject: [keycloak-user] Viewing permissions In-Reply-To: References: Message-ID: I see ... Does your client know the name of the resource representing the "/cars/myCar" URI ? If so, I think you don't even need to design an API for that. 
But just send from your client an entitlement request passing the resource/scopes you want to check for access. On Fri, Mar 9, 2018 at 9:11 AM, Corentin Dupont wrote: > > > On Fri, Mar 9, 2018 at 12:53 PM, Pedro Igor Silva > wrote: > >> >> >> On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Based on my current API, I can see two strategies for displaying the >>> "delete" (or request access) button. >>> >>> I have an API like this: >>> >>> GET /cars >>> POST /cars >>> GET /cars/ >>> DELETE /cars/ >>> >>> When I receive a request, I call keycloak to get authorization on the >>> resource/scope. >>> I also create/delete resources in Keycloak for the POST/DELETE requests. >>> >>> Regarding the display of the "delete" button on the UI, what should I do? >>> I see two options: >>> 1. Add a "dry_run" query parameter on the DELETE endpoint: >>> >>> DELETE /cars/myCar?dry_run=true >>> >>> This would query only keycloak, and return the status code (200 or 403). >>> Based on that I can display my button or not. >>> >> >> You can send a entitlement request to Keycloak asking permissions for the >> resource. 200/403 will be returned accordingly. >> > > Exactly. But my question was more on how to design an API using this > feature :) > > > >> >> >>> >>> 2. Create a specific endpoint for viewing authorizations: >>> >>> GET /permissions >>> { >>> cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}] >>> } >>> >>> What do you think? >>> >>> >>> >>> >>> >>> >>> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva >>> wrote: >>> >>>> I think this is the best way to go .... >>>> >>>> In fact, this is exactly what we are pushing now with UMA 2.0 and >>>> support for asynchronous authorization. Suppose you have a "Request Access" >>>> button in case the user is not allowed to perform operation on a resource >>>> belonging to a different user. 
This button could be displayed based on a >>>> "test" authorization request to which you can also specify whether or not >>>> you want to start an authorization flow to get approval from resource owner. >>>> >>>> Regards. >>>> Pedro Igor >>>> >>>> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Hi all, >>>>> I have a question around the representation and result of permissions. >>>>> Say I have an application that manages socks inventory. The UI is >>>>> displaying a button to delete socks. However, some user doesn't have >>>>> the >>>>> right to delete socks! >>>>> So, I perform a request to Keycloak to get the permission. >>>>> It works well: if the user doesn't have permission, the message >>>>> "authorization denied" is displayed on the screen. >>>>> >>>>> However, it would be nicer to remove the "delete" button entirely. >>>>> My policies are quite complex and multi-dimensional: You can delete >>>>> socks >>>>> if you are admin, but also if it belongs to you, you belong to some >>>>> groups >>>>> etc. >>>>> So anticipating the reply to an authorization request can be very hard. >>>>> >>>>> What do you suggest? Should we perform a "test" authorization request >>>>> before display the "delete" button? >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > From corentin.dupont at gmail.com Fri Mar 9 09:51:35 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Fri, 9 Mar 2018 15:51:35 +0100 Subject: [keycloak-user] Viewing permissions In-Reply-To: References: Message-ID: At the moment, no, the client does not know the resource name. To get the cars it just calls GET www.myAPI.com/cars. My client does not talk directly to Keycloak: there is an intermediary between the two called the "API server". 
So it's like that: Client --> API server -> Keycloak (and other backend components). The API server creates the authorization requests to Keycloak. The client just knows the endpoint name and the data format behind it (the format of a car, for instance). So I'm wondering if I should create a specific endpoint for the access checking in that API, with the corresponding data format. This new data format would contain something similar to the resource/scopes as you suggest. The other solution is to enhance each endpoint with a "dry run" or "check permission" option. On Fri, Mar 9, 2018 at 2:47 PM, Pedro Igor Silva wrote: > I see ... Does your client know the name of the resource representing the > "/cars/myCar" URI ? > > If so, I think you don't even need to design an API for that. But just > send from your client an entitlement request passing the resource/scopes > you want to check for access. > > > On Fri, Mar 9, 2018 at 9:11 AM, Corentin Dupont > wrote: > >> >> >> On Fri, Mar 9, 2018 at 12:53 PM, Pedro Igor Silva >> wrote: >> >>> >>> >>> On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Based on my current API, I can see two strategies for displaying the >>>> "delete" (or request access) button. >>>> >>>> I have an API like this: >>>> >>>> GET /cars >>>> POST /cars >>>> GET /cars/ >>>> DELETE /cars/ >>>> >>>> When I receive a request, I call keycloak to get authorization on the >>>> resource/scope. >>>> I also create/delete resources in Keycloak for the POST/DELETE requests. >>>> >>>> Regarding the display of the "delete" button on the UI, what should I >>>> do? >>>> I see two options: >>>> 1. Add a "dry_run" query parameter on the DELETE endpoint: >>>> >>>> DELETE /cars/myCar?dry_run=true >>>> >>>> This would query only keycloak, and return the status code (200 or >>>> 403). Based on that I can display my button or not. 
>>>> >>> >>> You can send a entitlement request to Keycloak asking permissions for >>> the resource. 200/403 will be returned accordingly. >>> >> >> Exactly. But my question was more on how to design an API using this >> feature :) >> >> >> >>> >>> >>>> >>>> 2. Create a specific endpoint for viewing authorizations: >>>> >>>> GET /permissions >>>> { >>>> cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}] >>>> } >>>> >>>> What do you think? >>>> >>>> >>>> >>>> >>>> >>>> >>>> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> I think this is the best way to go .... >>>>> >>>>> In fact, this is exactly what we are pushing now with UMA 2.0 and >>>>> support for asynchronous authorization. Suppose you have a "Request Access" >>>>> button in case the user is not allowed to perform operation on a resource >>>>> belonging to a different user. This button could be displayed based on a >>>>> "test" authorization request to which you can also specify whether or not >>>>> you want to start an authorization flow to get approval from resource owner. >>>>> >>>>> Regards. >>>>> Pedro Igor >>>>> >>>>> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> Hi all, >>>>>> I have a question around the representation and result of permissions. >>>>>> Say I have an application that manages socks inventory. The UI is >>>>>> displaying a button to delete socks. However, some user doesn't have >>>>>> the >>>>>> right to delete socks! >>>>>> So, I perform a request to Keycloak to get the permission. >>>>>> It works well: if the user doesn't have permission, the message >>>>>> "authorization denied" is displayed on the screen. >>>>>> >>>>>> However, it would be nicer to remove the "delete" button entirely. >>>>>> My policies are quite complex and multi-dimensional: You can delete >>>>>> socks >>>>>> if you are admin, but also if it belongs to you, you belong to some >>>>>> groups >>>>>> etc. 
>>>>>> So anticipating the reply to an authorization request can be very >>>>>> hard. >>>>>> >>>>>> What do you suggest? Should we perform a "test" authorization request >>>>>> before display the "delete" button? >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> > From Thomas.Kuestermann at sabre.com Fri Mar 9 09:53:01 2018 From: Thomas.Kuestermann at sabre.com (Kuestermann, Thomas) Date: Fri, 9 Mar 2018 14:53:01 +0000 Subject: [keycloak-user] Access Token not refreshed // KEYCLOAK-2517 Message-ID: Keycloak experts, We're currently developing a Spring Boot based application and we're using Keycloak for the identity management. Works great so far. We recently updated Keycloak and the respective spring boot adapter and spring security module to 3.4.1.Final. We've configured access tokens with a lifespan of 5 minutes, I think that's also the default. After the upgrade we noticed that every HTTP call is answered with a 401 - Unauthorized after the access token timed out (due to inactivity in the application). This wasn't the case before. Keycloak documentation states that > By default the application adapter will only refresh the access token when it's expired. [1] which doesn't seem to work anymore. I debugged the application and came across KEYCLOAK-2517 [2] which introduced KeycloakSecurityContextRequestFilter. 
Looking at the code, it seems that access tokens are only refreshed when they're valid: + if (refreshableSecurityContext.isActive()) { + KeycloakDeployment deployment = resolveDeployment(request, response); + + if (deployment.isAlwaysRefreshToken()) { + if (refreshableSecurityContext.refreshExpiredToken(false)) { + request.setAttribute(KeycloakSecurityContext.class.getName(), refreshableSecurityContext); + } else { + clearAuthenticationContext(); + } + } + } else { + clearAuthenticationContext(); + } Otherwise the authentication context is cleared and access to resources is denied. Is this intended behavior? For me, it looks like a bug. If not, what's the general guideline on how to handle access token timeouts? Our current workaround is to overwrite keycloakSecurityContextRequestFilter() in our derived KeycloakWebSecurityConfigurerAdapter like this: + @Override + protected KeycloakSecurityContextRequestFilter keycloakSecurityContextRequestFilter() { + return new KeycloakSecurityContextRequestFilter() { + @Override + public void doFilter(ServletRequest request, ServletResponse response, + FilterChain filterChain) throws IOException, ServletException { + filterChain.doFilter(request, response); + } + }; + } It also look like others are facing the same issue [3]. Any help or pointer is highly appreciated. [1] http://www.keycloak.org/docs/3.4/securing_apps/index.html#_refresh_token_each_req [2] https://issues.jboss.org/browse/KEYCLOAK-2517 PR: https://github.com/keycloak/keycloak/pull/4741 [3] https://github.com/jhipster/generator-jhipster/issues/6929 -- Thomas From psilva at redhat.com Fri Mar 9 10:05:18 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 9 Mar 2018 12:05:18 -0300 Subject: [keycloak-user] Viewing permissions In-Reply-To: References: Message-ID: I think a specific endpoint makes more sense. 
It seems to provide a better SoC and more give you more flexibility as you can enhance the endpoint with additional capabilities, if necessary, when checking for permissions. On Fri, Mar 9, 2018 at 11:51 AM, Corentin Dupont wrote: > At the moment, no, the client does not know the resource name. To get the > cars it just calls GET www.myAPI.com/cars. > My client does not talk directly to Keycloak: there is an intermediary > between the two called the "API server". > So it's like that: > > Client --> API server -> Keycloak (and other backend components). > > The API server creates the authorization requests to Keycloak. > The client just knows the endpoint name and the data format behind it (the > format of a car, for instance). > > So I'm wondering if I should create a specific endpoint for the access > checking in that API, with the corresponding data format. > This new data format would contain something similar to the > resource/scopes as you suggest. > The other solution is to enhance each endpoint with a "dry run" or "check > permission" option. > > > > On Fri, Mar 9, 2018 at 2:47 PM, Pedro Igor Silva > wrote: > >> I see ... Does your client know the name of the resource representing the >> "/cars/myCar" URI ? >> >> If so, I think you don't even need to design an API for that. But just >> send from your client an entitlement request passing the resource/scopes >> you want to check for access. >> >> >> On Fri, Mar 9, 2018 at 9:11 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> >>> >>> On Fri, Mar 9, 2018 at 12:53 PM, Pedro Igor Silva >>> wrote: >>> >>>> >>>> >>>> On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Based on my current API, I can see two strategies for displaying the >>>>> "delete" (or request access) button. 
>>>>> >>>>> I have an API like this: >>>>> >>>>> GET /cars >>>>> POST /cars >>>>> GET /cars/ >>>>> DELETE /cars/ >>>>> >>>>> When I receive a request, I call keycloak to get authorization on the >>>>> resource/scope. >>>>> I also create/delete resources in Keycloak for the POST/DELETE >>>>> requests. >>>>> >>>>> Regarding the display of the "delete" button on the UI, what should I >>>>> do? >>>>> I see two options: >>>>> 1. Add a "dry_run" query parameter on the DELETE endpoint: >>>>> >>>>> DELETE /cars/myCar?dry_run=true >>>>> >>>>> This would query only keycloak, and return the status code (200 or >>>>> 403). Based on that I can display my button or not. >>>>> >>>> >>>> You can send a entitlement request to Keycloak asking permissions for >>>> the resource. 200/403 will be returned accordingly. >>>> >>> >>> Exactly. But my question was more on how to design an API using this >>> feature :) >>> >>> >>> >>>> >>>> >>>>> >>>>> 2. Create a specific endpoint for viewing authorizations: >>>>> >>>>> GET /permissions >>>>> { >>>>> cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}] >>>>> } >>>>> >>>>> What do you think? >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> I think this is the best way to go .... >>>>>> >>>>>> In fact, this is exactly what we are pushing now with UMA 2.0 and >>>>>> support for asynchronous authorization. Suppose you have a "Request Access" >>>>>> button in case the user is not allowed to perform operation on a resource >>>>>> belonging to a different user. This button could be displayed based on a >>>>>> "test" authorization request to which you can also specify whether or not >>>>>> you want to start an authorization flow to get approval from resource owner. >>>>>> >>>>>> Regards. 
>>>>>> Pedro Igor >>>>>> >>>>>> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> Hi all, >>>>>>> I have a question around the representation and result of >>>>>>> permissions. >>>>>>> Say I have an application that manages socks inventory. The UI is >>>>>>> displaying a button to delete socks. However, some user doesn't have >>>>>>> the >>>>>>> right to delete socks! >>>>>>> So, I perform a request to Keycloak to get the permission. >>>>>>> It works well: if the user doesn't have permission, the message >>>>>>> "authorization denied" is displayed on the screen. >>>>>>> >>>>>>> However, it would be nicer to remove the "delete" button entirely. >>>>>>> My policies are quite complex and multi-dimensional: You can delete >>>>>>> socks >>>>>>> if you are admin, but also if it belongs to you, you belong to some >>>>>>> groups >>>>>>> etc. >>>>>>> So anticipating the reply to an authorization request can be very >>>>>>> hard. >>>>>>> >>>>>>> What do you suggest? Should we perform a "test" authorization request >>>>>>> before displaying the "delete" button? >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> > From ntle at castortech.com Fri Mar 9 12:07:47 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Fri, 9 Mar 2018 12:07:47 -0500 Subject: [keycloak-user] Create realm from java admin client with access token vs username+password In-Reply-To: References: Message-ID: Thank you for your suggestion and the link. Since I am making a stand-alone Java app to create realms dynamically, I'm using the Keycloak admin-client and authz-client in my code. As suggested in the document, I set Access Type to Confidential, turned on Service Account Enabled and assigned the create-realm role to the service account for the admin-cli client in the master realm. 
My code is pretty straight forward: String realmName = "Realm5"; Map adminCliSecret = new HashMap(); adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa"); Configuration adminClientConfig = new Configuration(); adminClientConfig.setAuthServerUrl("http://localhost:8180/auth"); adminClientConfig.setRealm("master"); adminClientConfig.setResource("admin-cli"); adminClientConfig.setCredentials(adminCliSecret); AuthzClient authzClient = AuthzClient.create(adminClientConfig); String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli", "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); //GET 401 HERE createNewRealm(realmName, serviceAccountAccessToken); I got 401 when trying to get the access token, seems like the AuthzClient uses grant_type=password instead of client_credentials. However, there is no method to set grant_type for the AuthzClient. Is the AuthzClient not supposed to be used to get an access token for a Service Account? If it's not, then is there another client I can use or do I have to issue HTTP requests manually? Thai On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj wrote: > Sometimes you already have an access token - your java client may have a > custom login mechanism for example that delegates username and password > input in order to retrieve it interactively from user. In that case client > doesn't even have to know about username and password - it only receives > fresh access and refresh tokens for example. A concrete example is > Registration Client CLI which stores the tokens in a private file so it > doesn't need to ask client for username and password all the time, and can > just use a still valid access token / refresh token. > > For your case you'll want to create a custom client configuration, protect > it with clientId and client secret (or signed jwt), and enable the service > account for that client. 
> > See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts > > > > On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le wrote: > >> Hello, >> >> In the admin client I see there is an overload method to create Keycloak >> instance using a token, (Keycloak.getInstance(serverUrl, realm, clientId, >> authToken)), is this considered more secure than using the >> username+password since if I'm using the access token in the method above, >> I still need to make another call earlier with the username + password to >> get the token, either way, the username +password will be in my code repo. >> >> I think I can create an account in the master realm with role >> create-realm, >> can I use that as a service account or is there an existing service >> account >> somewhere in the master realm? >> >> I'm trying to integrate keycloak to my multitenancy application where each >> client has his own realm to config his security. My application needs to >> create the realm when the client register to my app. >> >> Thai >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From andrew.the at cgi.com Fri Mar 9 12:34:40 2018 From: andrew.the at cgi.com (The, Andrew) Date: Fri, 9 Mar 2018 17:34:40 +0000 Subject: [keycloak-user] Login issue when using KeyCloak as an identity broker Message-ID: <3B86A13D8D8EF24F89BF1A1FB746999801CACD88AC@corpowm-7> Hi, I have configured KeyCloak as an Identity broker for OIDC use, and we are experiencing an issue when attempting to log in. I would appreciate some help regarding this situation. 
Here are the steps we are using to experience the issue: 1) Connect to the SP, who redirects the user to sign on with KeyCloak; 2) The KeyCloak login page is displayed; 3) Select that IdP configured in KeyCloak; KeyCloak redirects the user to the IdP login page; 4) Login on that page; IdP redirects user to KeyCloak; 5) KeyCloak displays the "We're sorry ..." page. Here is the error message found in the logs: 12:15:24,530 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-15) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:444) at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:346) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399) at sun.reflect.GeneratedMethodAccessor828.invoke(Unknown Source) My understanding is that KeyCloak requests a 'response_type' of 'code' flow for communication with the IdP. However when the IdP responds, KeyCloak appears to require a 'token' response. The closest JIRA I found was https://issues.jboss.org/browse/KEYCLOAK-5441. Thank you, -- Andrew The | Director Consulting Global delivery center - Saguenay | CGI 930, Jacques Cartier Est, 3rd floor, Chicoutimi (Québec) G7H 7K9 T: 877 696 6780 #1653251 | P: +1 418 696 6780 #1653251 | C: +1 418 540 4475 andrew.the at cgi.com CONFIDENTIALITY NOTICE: Proprietary/Confidential Information belonging to CGI Group Inc. and its affiliates may be contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. 
In such case, you should destroy this message and are asked to notify the sender by reply e-mail. From weil at redhat.com Fri Mar 9 12:44:28 2018 From: weil at redhat.com (Wei Li) Date: Fri, 9 Mar 2018 17:44:28 +0000 Subject: [keycloak-user] Help needed to perform SSO on iOS Message-ID: Hi, We are trying to perform SSO with OpenID connect using the latest release version of Keycloak for our mobile apps. The client library we are using is AppAuth. Everything works as expected on Android. I have 2 apps and if I logged into one of the apps, when I try to login the other app, I will just get redirected back to the app and that's it. However, this doesn't seem to be the case for iOS. On the second app, I was presented with the login screen and I have to enter my username and password again. Initially I thought it might be a problem with AppAuth-ios so I asked the question there[1]. However, it looks like the AppAuth lib is working as expected. But one of the maintainers does mention that I have to make sure the IDP is using persistent cookies. So my questions are: 1. Is Keycloak using persistent cookies? 2. Has anyone tried using Keycloak to perform SSO on iOS, does it work? Any help is appreciated. Thanks. [1] https://github.com/openid/AppAuth-iOS/issues/186 -- WEI LI Principal SOFTWARE ENGINEER Red Hat Mobile weil at redhat.com M: +353862393272 From mstrukel at redhat.com Fri Mar 9 14:02:46 2018 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 9 Mar 2018 20:02:46 +0100 Subject: [keycloak-user] Create realm from java admin client with access token vs username+password In-Reply-To: References: Message-ID: You're not using AdminClient API but AuthorizationClient API which is a different API. Using AdminClient API is as simple as: Keycloak keycloak = Keycloak.getInstance( keycloakBaseUrl, "master", username, password, "admin-cli"); On Fri, Mar 9, 2018 at 6:07 PM, Nhut Thai Le wrote: > Thank you for your suggestion and the link. 
Since I am making a stand > alone java app to create realms dynamically, I'm using the Keycloak > admin-client and authz-client in my code. As suggested in the document, I > set Access Type to Confidential, turned on Service Account Enabled and > assigned create-realm role to service account for admin-cli client in the > master realm. > My code is pretty straight forward: > String realmName = "Realm5"; > > Map adminCliSecret = new HashMap(); > adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa"); > Configuration adminClientConfig = new Configuration(); > adminClientConfig.setAuthServerUrl("http://localhost:8180/auth"); > adminClientConfig.setRealm("master"); > adminClientConfig.setResource("admin-cli"); > adminClientConfig.setCredentials(adminCliSecret); > > AuthzClient authzClient = AuthzClient.create(adminClientConfig); > String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli", > "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); //GET 401 HERE > createNewRealm(realmName, serviceAccountAccessToken); > > I got 401 when trying to get the access token, seems like the AuthzClient > uses grant_type=password instead of client_credentials. However, there is no > method to set grant_type for the AuthzClient. > > Is the AuthzClient not supposed to be used to get an access token for a Service > Account? If it's not, then is there another client I can use or do I have to > issue HTTP requests manually? > > Thai > > On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj > wrote: > >> Sometimes you already have an access token - your java client may have a >> custom login mechanism for example that delegates username and password >> input in order to retrieve it interactively from user. In that case client >> doesn't even have to know about username and password - it only receives >> fresh access and refresh tokens for example. 
A concrete example is >> Registration Client CLI which stores the tokens in a private file so it >> doesn't need to ask client for username and password all the time, and can >> just use a still valid access token / refresh token. >> >> For your case you'll want to create a custom client configuration, >> protect it with clientId and client secret (or signed jwt), and enable the >> service account for that client. >> >> See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts >> >> >> >> On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le wrote: >> >>> Hello, >>> >>> In the admin client I see there is an overload method to create Keycloak >>> instance using a token, (Keycloak.getInstance(serverUrl, realm, >>> clientId, >>> authToken)), is this considered more secure than using the >>> username+password since if I'm using the access token in the method >>> above, >>> I still need to make another call earlier with the username + password to >>> get the token, either way, the username +password will be in my code >>> repo. >>> >>> I think I can create an account in the master realm with role >>> create-realm, >>> can I use that as a service account or is there an existing service >>> account >>> somewhere in the master realm? >>> >>> I'm trying to integrate keycloak to my multitenancy application where >>> each >>> client has his own realm to config his security. My application needs to >>> create the realm when the client register to my app. 
>>> >>> Thai >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > From ntle at castortech.com Fri Mar 9 14:11:51 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Fri, 9 Mar 2018 14:11:51 -0500 Subject: [keycloak-user] Create realm from java admin client with access token vs username+password In-Reply-To: References: Message-ID: The username, password in your example is the admin credential. How can I use the service account to instantiate an AdminClient ? Thai On Fri, Mar 9, 2018 at 2:02 PM, Marko Strukelj wrote: > You're not using AdminClient API but AuthorizationClient API which is a > different API. > > Using AdminClient API is as simple as: > > Keycloak keycloak = Keycloak.getInstance( > keycloakBaseUrl, > "master", > username, > password, > "admin-cli"); > > > > > On Fri, Mar 9, 2018 at 6:07 PM, Nhut Thai Le wrote: > >> Thank you for your suggestion and the link. Since I am making a stand >> alone java app to create realms dynamically, I'm using the Keycloak >> admin-client and authz-client in my code. As suggested in the document, I >> set Access Type to Confidential, turned on Service Account Enabled and >> assigned create-realm role to service account for admin-cli client in the >> master realm. 
>> My code is pretty straight forward: >> String realmName = "Realm5"; >> >> Map adminCliSecret = new HashMap(); >> adminCliSecret.put("secret", "3b7122d9-1fe0-4417-9407-33818153c7fa"); >> Configuration adminClientConfig = new Configuration(); >> adminClientConfig.setAuthServerUrl("http://localhost:8180/auth"); >> adminClientConfig.setRealm("master"); >> adminClientConfig.setResource("admin-cli"); >> adminClientConfig.setCredentials(adminCliSecret); >> >> AuthzClient authzClient = AuthzClient.create(adminClientConfig); >> String serviceAccountAccessToken = authzClient.obtainAccessToken("admin-cli", >> "3b7122d9-1fe0-4417-9407-33818153c7fa").getToken(); //GET 401 HERE >> createNewRealm(realmName, serviceAccountAccessToken); >> >> I got 401 when trying to get the access token, seems like the AuthzClient >> uses grant_type=password instead of client_credentials. However, there is no >> method to set grant_type for the AuthzClient. >> >> Is the AuthzClient not supposed to be used to get an access token for a Service >> Account? If it's not, then is there another client I can use or do I have to >> issue HTTP requests manually? >> >> Thai >> >> On Fri, Mar 9, 2018 at 4:12 AM, Marko Strukelj >> wrote: >> >>> Sometimes you already have an access token - your java client may have a >>> custom login mechanism for example that delegates username and password >>> input in order to retrieve it interactively from user. In that case client >>> doesn't even have to know about username and password - it only receives >>> fresh access and refresh tokens for example. A concrete example is >>> Registration Client CLI which stores the tokens in a private file so it >>> doesn't need to ask client for username and password all the time, and can >>> just use a still valid access token / refresh token. >>> >>> For your case you'll want to create a custom client configuration, >>> protect it with clientId and client secret (or signed jwt), and enable the >>> service account for that client. 
>>> >>> See: http://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts >>> >>> >>> >>> On Wed, Mar 7, 2018 at 8:31 PM, Nhut Thai Le >>> wrote: >>> >>>> Hello, >>>> >>>> In the admin client I see there is an overload method to create Keycloak >>>> instance using a token, (Keycloak.getInstance(serverUrl, realm, >>>> clientId, >>>> authToken)), is this considered more secure than using the >>>> username+password since if I'm using the access token in the method >>>> above, >>>> I still need to make another call earlier with the username + password >>>> to >>>> get the token, either way, the username +password will be in my code >>>> repo. >>>> >>>> I think I can create an account in the master realm with role >>>> create-realm, >>>> can I use that as a service account or is there an existing service >>>> account >>>> somewhere in the master realm? >>>> >>>> I'm trying to integrate keycloak to my multitenancy application where >>>> each >>>> client has his own realm to config his security. My application needs to >>>> create the realm when the client register to my app. >>>> >>>> Thai >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > -- Castor Technologies Inc 460 rue St-Catherine St Ouest, Suite 613 Montréal, Québec H3B-1A7 (514) 360-7208 o (514) 798-2044 f ntle at castortech.com www.castortech.com CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. 
If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you. CONFIDENTIALITY NOTICE (translated from French): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you. From nielsbne at gmail.com Fri Mar 9 20:18:42 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Sat, 10 Mar 2018 11:18:42 +1000 Subject: [keycloak-user] Delete large realm fails with timeout In-Reply-To: <5307f0f2-6226-0f7b-3dc1-f9b99049ca35@redhat.com> References: <5307f0f2-6226-0f7b-3dc1-f9b99049ca35@redhat.com> Message-ID: Yes trying to upgrade to RH-SSO 7.2 but there are lots of errors during database upgrade. Looks like the liquibase scripts work with a fresh install but not after the database was "used" for 2 years and holds data. When hitting delete on the realm admin page, the action starts but times out before the database can finish its work. I did manage to reduce the size of records that need to be deleted by manually clearing out USER_ATTRIBUTE which held ~150k rows. After that, I was able to delete the realm through the admin console. On Tue, Mar 6, 2018 at 2:23 PM, Marek Posolda wrote: > That's quite an old version. There are lots of changes and fixes in the > meantime. Do you have a chance to upgrade to latest 3.4.3 and try with it? > > Marek > > > On 05/03/18 05:20, Niels Bertram wrote: > >> Is there a database script that we can run to delete a keycloak realm with >> large volume of synchronised users? 
We have a realm with a "few" users >> synced from LDAP in our RH-SSO 7.0 / Keycloak 1.9.8 installation and >> trying >> to delete the realm via the console fails with a timeout. Cheers Niels >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > From jpperata at gmail.com Sat Mar 10 08:54:24 2018 From: jpperata at gmail.com (Juan Pablo Perata) Date: Sat, 10 Mar 2018 10:54:24 -0300 Subject: [keycloak-user] Run commands with jboss-cli when server is off. In-Reply-To: References: Message-ID: You can use the CLI Embedded mode in jboss-cli. Some links that may help: - http://www.keycloak.org/docs/3.3/server_installation/topics/config-subsystem/start-cli.html - https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/management_cli_guide/running_embedded_server On Thu, Mar 8, 2018 at 5:18 PM, hmidi slim wrote: > Hi, > I want to add some system properties with jboss-cli: > jboss-cli.sh --connect > --commands="/system-property=keycloak.migration.action/:add(value=export)","/system-property=keycloak.migration.provider/:add(value=dir)","/system-property=keycloak.migration.dir/:add(value=export_dir)". > this instruction will be executed only if the server is launched. Can I > execute this instruction when the server is off? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From hmidi.slim2 at gmail.com Sun Mar 11 11:00:48 2018 From: hmidi.slim2 at gmail.com (hmidi slim) Date: Sun, 11 Mar 2018 16:00:48 +0100 Subject: [keycloak-user] Run commands with jboss-cli when server is off. In-Reply-To: References: Message-ID: Thanks a lot. 
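The question left open in the "Create realm from java admin client with access token vs username+password" thread above is how to drive the Keycloak admin-client from a service account instead of from an administrator's username and password. The following is an added example (editor's illustration, not code posted in the thread or shipped by the Keycloak project). It uses the admin-client's KeycloakBuilder with the client_credentials grant, which is what the AuthzClient.obtainAccessToken(username, password) call in the thread does not do. Assumptions: a dedicated confidential client named realm-provisioner exists in the master realm with Service Accounts Enabled and the create-realm role assigned to its service account (Marko's suggestion of a custom client rather than reusing admin-cli), the server runs at http://localhost:8180/auth, and the client secret is supplied through the KC_CLIENT_SECRET environment variable so it never has to be committed to the code repository. The client name, URL and variable name are assumptions.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

/**
 * Creates realms with the Keycloak admin-client while authenticating as the
 * service account of a confidential client (grant_type=client_credentials),
 * not as a human administrator with a username and password.
 */
public class ServiceAccountRealmCreator {

    // Assumed values: the auth server URL and the client ID of a confidential
    // client in the master realm that has "Service Accounts Enabled" and the
    // create-realm role assigned to its service account.
    private static final String SERVER_URL = "http://localhost:8180/auth";
    private static final String CLIENT_ID = "realm-provisioner";

    /** Builds an admin client whose tokens come from the client_credentials grant. */
    public static Keycloak serviceAccountClient(String serverUrl, String clientId, String clientSecret) {
        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")                                // the client (and its service account) live in master
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)  // default would be the password grant
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
    }

    /** Creates an enabled realm with the given name through the admin REST API. */
    public static void createRealm(Keycloak keycloak, String realmName) {
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(realmName);
        realm.setEnabled(true);
        // POST /auth/admin/realms, sent with the service account's access token
        keycloak.realms().create(realm);
    }

    public static void main(String[] args) {
        // Assumed: the secret is injected via the environment (or a secret store),
        // so neither an admin password nor a client secret sits in the repository.
        String secret = System.getenv("KC_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KC_CLIENT_SECRET is not set");
        }
        String realmName = args.length > 0 ? args[0] : "Realm5";

        Keycloak keycloak = serviceAccountClient(SERVER_URL, CLIENT_ID, secret);
        try {
            createRealm(keycloak, realmName);
            System.out.println("Created realm " + realmName + " as service account of " + CLIENT_ID);
        } finally {
            keycloak.close();
        }
    }
}
```

Two practical notes. First, keep the service account's roles to exactly what the provisioning job needs (here create-realm); the token it obtains carries only those roles, so a leaked secret is bounded in a way a master-realm admin password is not, and the admin events Keycloak records will name the service-account user of realm-provisioner rather than a person. Second, creating a separate confidential client is preferable to switching the built-in admin-cli client to Confidential as done in the thread, because admin-cli is the public client that kcadm.sh and the admin console tooling expect to keep using.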
From marco.pasopas at gmail.com Sun Mar 11 15:04:38 2018 From: marco.pasopas at gmail.com (Marco Pas) Date: Sun, 11 Mar 2018 19:04:38 +0000 Subject: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image? Message-ID: Hi there, i am trying to use the Docker Image for Keycloak but I seem to be unable to set a schema for the tables that are created in PostgreSQL. Currently all tables end up in the public schema. Is there a way that i can instruct Keycloak to create the tables inside a schema? Kind regards, Marco Pas From nielsbne at gmail.com Sun Mar 11 16:34:12 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Mon, 12 Mar 2018 06:34:12 +1000 Subject: [keycloak-user] Keycloak with XA Datasource and Timeout Errors Message-ID: Hi there, we have a user federation provider that requires us to run Keycloak JPA datasource with XA. Things do appear to work but when a user times out on the login page or the like, I get the error below in the logs. I don't want to mute the logger in case of real errors but I also don't want to get errors for normal use cases. Can this be silenced otherwise? Cheers, Niels 15:35:12,425 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-12) Uncaught server error: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! 
Uid is 0:ffffc0a85667:-3663f319:5aa4b6ff:228 at org.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:77) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at 
java.lang.Thread.run(Thread.java:748) Caused by: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a85667:-3663f319:5aa4b6ff:228 at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1279) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) ... 54 more From msakho at redhat.com Sun Mar 11 16:49:39 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Sun, 11 Mar 2018 21:49:39 +0100 Subject: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image? In-Reply-To: References: Message-ID: Marco, which docker image are you using? The latest docker image, which relies on Keycloak 3.4.3, has been updated to handle either PostgreSQL or MySQL. You'll find the information you're looking for in the following link at the PostgreSQL section. https://hub.docker.com/r/jboss/keycloak/ thanks, Meissa On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas wrote: > Hi there, > > i am trying to use the Docker Image for Keycloak but I seem to be unable to > set a schema for the tables that are created in PostgreSQL. Currently all > tables end up in the public schema. > Is there a way that i can instruct Keycloak to create the tables inside a > schema? 
> > Kind regards, > Marco Pas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ulrich.merckx at vlaanderen.be Mon Mar 12 03:28:32 2018 From: ulrich.merckx at vlaanderen.be (Merckx, Ulrich) Date: Mon, 12 Mar 2018 07:28:32 +0000 Subject: [keycloak-user] Missing Basic Authentication functionality for connecting to an OpenId Identity Provider In-Reply-To: References: Message-ID: <42BDDA68-89A2-4384-9EA2-046858FFEAF4@vlaanderen.be> I have created an issue for this problem, with a patch which adds extra functionality for an OpenID Identity Provider. (Maybe it is even better to add this functionality in the OAuth2Provider, but in my case, it was only relevant for OpenID). The patch adds an option in the OpenID Identity Provider which allows specifying if you want to send your client_id and client_secret as POST parameters or as an Authorization Header. https://issues.jboss.org/browse/KEYCLOAK-6761 Regards, Ulrich Merckx On 23 Feb 2018, at 14:20, Merckx, Ulrich > wrote: Hi, We are having an issue while connecting from keycloak to a certain OpenId Identity Provider. The OpenId Provider only supports logging in with Basic Authentication (client_id and client_secret), as specified in "token_endpoint_auth_methods_supported": [ "client_secret_basic" ] Currently keycloak only supports 'posting' the client_id and client_secret. This will not work with the OpenID Identity Provider. Or maybe I don't see how to configure it. Code: https://github.com/keycloak/keycloak/blob/63efee6e158c4a06d4948819cb36ccf88bcf5e0f/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L423 Can you confirm connecting to an OpenId Identity Provider with Basic Authentication is not implemented in keycloak. If this is not implemented I will make a JIRA issue. 
The OAuth RFC also states that it is recommended to use Basic Authentication over Posting. (see: https://tools.ietf.org/html/rfc6749#section-2.3.1)

Kind regards,
Ulrich Merckx
Developer

From msakho at redhat.com Mon Mar 12 03:41:57 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Mon, 12 Mar 2018 08:41:57 +0100
Subject: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?

Stephen,
the postgres-ha docker image is deprecated. It's clearly stated in the following:
https://hub.docker.com/r/jboss/keycloak-postgres/
@Marco, I understand your point. Maybe you need to extend the keycloak image.
Meissa

On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie wrote:
> Actually, the postgres-ha docker image that is tagged for 3.4.3.Final
> installs version 3.4.2. I had to rebuild that image myself and replace the
> "latest" tag with a "3.4.3.Final" tag in order to have the correct version.
>
> Regards,
> Stephen
>
> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho wrote:
>
>> Marco,
>> which docker image are you using?
>> The latest docker image that relies on Keycloak 3.4.3 has been updated to
>> handle either postgresql or mysql.
>> You'll find the information you're looking for in the following link at the
>> PostgreSQL section.
>> https://hub.docker.com/r/jboss/keycloak/
>> thanks,
>> Meissa
>>
>>
>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas wrote:
>>
>> > Hi there,
>> >
>> > i am trying to use the Docker Image for Keycloak but I seem to be
>> > unable to set a schema for the tables that are created in PostgreSQL.
>> > Currently all tables end up in the public schema.
>> > Is there a way that i can instruct Keycloak to create the tables inside
>> > a schema?
>> >
>> > Kind regards,
>> > Marco Pas
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From ralph.kraenzlein01 at metrosystems.net Mon Mar 12 04:33:57 2018
From: ralph.kraenzlein01 at metrosystems.net (Kraenzlein, Ralph)
Date: Mon, 12 Mar 2018 08:33:57 +0000
Subject: [keycloak-user] Keycloak 3.4.3: Login with Kerberos and Active Directory with multiple domains seems not to work.

Hi,

we are trying out Keycloak 3.4.3 as a Federation Service with Kerberos and Active Directory with multiple domains (like ADFS).
First we only test authentication with Keycloak, Kerberos ticket and Active Directory with multiple domains.

Problem:
Keycloak only seems to read the sAMAccountName from the Kerberos ticket, not the realm/domain. If the sAMAccountName is in the top-level (or highest-priority) Federation Provider, authentication is successful. If not, it fails.
It is crucial that Keycloak knows in which AD domain the user from the Kerberos ticket is located. Otherwise Keycloak is not able to get the correct claims for the user.

Test environment:
Keycloak 3.4.3 standalone on CentOS 7 with a Keycloak realm EMP_AD.
We configured 3 LDAP Federation Providers (with Kerberos integration) for 3 AD domains: DE.MIT.NET, FR.MIT.NET and BE.MIT.NET. Each Federation Provider has been configured with the following parameters: vendor: Active Directory, Username LDAP attribute: sAMAccountName, Kerberos REALM: "Name of AD/Kerberos Domain", ...
sAMAccountName is unique in each AD domain, but not in the forest. In the forest only userPrincipalName is unique.
We made the Kerberos configuration as described in the Keycloak docs. Also included a keytab file. Our productive company AD and KDCs are used.
2 test users: john.smith at de.mit.net (UPN in domain DE.MIT.NET), john.smith at fr.mit.net (UPN in domain FR.MIT.NET). The sAMAccountName for both users is john.smith.

Testing:
Since we just test how Keycloak can handle Kerberos, AD and multiple domains, we just call the admin realm URL for login tests: https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console

First scenario:
User john.smith is already authenticated on his Windows 7 client (AD domain DE.MIT.NET). In Keycloak only the Federation Provider for AD domain DE.MIT.NET is enabled.
When calling https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console user john.smith gets a Kerberos ticket for Keycloak. In the ticket the user is identified with his sAMAccountName and its Kerberos REALM (AD domain):

klist:
    Client: john.smith @ DE.MIT.NET
    Server: HTTP/DUS212kcsrv.wert.net @ DAS.MIT.NET
    KerbTicket (Verschlüsselungstyp): RSADSI RC4-HMAC(NT)
    Ticketkennzeichen 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
    ...

Result: User john.smith from AD domain DE.MIT.NET is automatically and successfully authenticated in Keycloak. --> Successful

Second scenario:
Same as the first scenario, but this time only the Federation Provider for AD domain FR.MIT.NET is enabled. (user john.smith is also available in domain FR.MIT.NET)
Even though the Kerberos ticket from user john.smith in AD domain DE.MIT.NET is used, in Keycloak john.smith from AD domain FR.MIT.NET is authenticated. --> NOT successful

Third scenario:
Same as the first scenario, but this time all FPs are enabled in Keycloak. The FP for domain BE.MADM.NET is on top of the list (or has the highest priority). In BE.MADM.NET user john.smith does not exist. Keycloak only looks up john.smith in the Federation Provider for domain BE.MADM.NET.
Since there is no such user, access to Keycloak failed:

server.log:
2018-03-08 16:37:03,121 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-1) Kerberos/SPNEGO authentication succeeded with username [john.smith], but couldn't find or create user with federation provider [BE.MADM.NET]
2018-03-08 16:37:03,122 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=EMP_AD, clientId=security-admin-console, userId=null, ipAddress=10.12.45.34, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console/, code_id=27a1da71-b5f2-4416-a0dd-6005b409a60a, response_mode=fragment

Best regards
Ralph

Geschäftsanschrift/Business address: METRO SYSTEMS GmbH, Metro-Straße 12, 40235 Düsseldorf, Germany
Aufsichtsrat/Supervisory Board: Heiko Hutmacher (Vorsitzender/Chairman)
Geschäftsführung/Management Board: Dr. Dirk Toepfer (Vorsitzender/CEO), Wim van Herwijnen
Sitz Düsseldorf, Amtsgericht Düsseldorf, HRB 18232/Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232

Regarding mails from *@metrosystems.net
This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy.
Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was sent to you by mistake please notify the sender immediately and delete this e-mail.

From malys at mageos.com Mon Mar 12 05:31:44 2018
From: malys at mageos.com (Malys)
Date: Mon, 12 Mar 2018 02:31:44 -0700 (MST)
Subject: [keycloak-user] 2FA protection for a specific resource
Message-ID: <1520847104667-0.post@n6.nabble.com>

Hi,

I want to protect a high-risk feature with 2FA. Historically, we use 2FA by SMS. I want to propose the same feature but ideally I wish to be able to also integrate the native Keycloak OTP authenticator (more secure). That's why, based on keycloak-sms-authenticator-sns, I have improved this authenticator (here).

I have searched in the Keycloak 3.4.3 documentation but, using the same realm, I haven't seen any feature to ask for 2FA when the final user wants to access a specific resource.
- The role mechanism allows managing access (403 - 200) but it seems that it doesn't cover my use case.
- I'm not sure that UMA 2.0 could offer this feature. Moreover, it isn't yet implemented.
- Level of assurance seems very good but it isn't yet implemented and it would be difficult to do it.
- I could include a servlet filter on the business application (JBoss adapter) to route the user to the 2FA authenticator when he wants to access the resource. But in this case, I have to propagate a state between Keycloak and the Java adapter to not ask for the 2FA code on each access. It could be a little bit tricky in cluster mode (stateless service).

Below, I describe the use case.

Have you any idea to cover this use case easily based on native Keycloak features? If that isn't the case, in your opinion, what is the best solution (see above)? (easiest integration for maintainability, clustering support and 2FA-technique agnostic)

Thank you for sharing your experience.
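The three Kerberos scenarios Ralph reports above (ticket for john.smith@DE.MIT.NET, user picked by sAMAccountName alone) as an added illustration, not part of this thread and not Keycloak's code: a small model of his three federation providers, with the username-only matching he describes beside a realm-aware lookup that refuses a user from another domain. The directory contents, priorities and the use of BE.MIT.NET for the third provider are constructed assumptions.

```python
"""Model of a multi-domain Kerberos login (constructed example, not Keycloak code).

A Kerberos principal is "<name>@<REALM>". Matching users across several AD
domains by sAMAccountName alone, ignoring the realm, is what yields the wrong
user in scenario 2 and the failed lookup in scenario 3 of the report above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FederationProvider:
    kerberos_realm: str      # Kerberos REALM configured on the provider
    priority: int            # lower value = consulted first
    enabled: bool
    users: Dict[str, str]    # sAMAccountName -> userPrincipalName (constructed)


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'john.smith@DE.MIT.NET' into ('john.smith', 'DE.MIT.NET').

    The realm is upper-cased (Kerberos realms are conventionally upper-case
    and compared case-sensitively); a principal without a realm is rejected.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must be of the form name@REALM")
    return name, realm.upper()


def lookup_by_username_only(principal: str,
                            providers: List[FederationProvider]) -> Optional[str]:
    """The behaviour Ralph observes (modelled, not Keycloak's implementation):
    only the first enabled provider by priority is consulted, matching on
    sAMAccountName alone; the realm in the ticket is never compared."""
    name, _realm = parse_principal(principal)
    enabled = sorted((p for p in providers if p.enabled), key=lambda p: p.priority)
    if not enabled:
        return None
    return enabled[0].users.get(name)


def lookup_realm_aware(principal: str,
                       providers: List[FederationProvider]) -> Optional[str]:
    """Route by the ticket's realm: use the enabled provider whose configured
    Kerberos REALM equals the principal's realm and look the name up there.
    No provider for that realm -> no user, never a same-named user elsewhere."""
    name, realm = parse_principal(principal)
    for p in providers:
        if p.enabled and p.kerberos_realm.upper() == realm:
            return p.users.get(name)
    return None


def make_providers(enabled_realms: Set[str]) -> List[FederationProvider]:
    """Three providers as in the report. BE.MIT.NET has the highest priority
    and no john.smith; DE and FR each hold a john.smith with its own UPN."""
    return [
        FederationProvider("BE.MIT.NET", 0, "BE.MIT.NET" in enabled_realms, {}),
        FederationProvider("DE.MIT.NET", 1, "DE.MIT.NET" in enabled_realms,
                           {"john.smith": "john.smith@de.mit.net"}),
        FederationProvider("FR.MIT.NET", 2, "FR.MIT.NET" in enabled_realms,
                           {"john.smith": "john.smith@fr.mit.net"}),
    ]


TICKET = "john.smith@DE.MIT.NET"   # client principal shown by klist


def run_scenarios() -> Dict[int, Tuple[Optional[str], Optional[str]]]:
    """Return {scenario: (username-only result, realm-aware result)}."""
    setups = {
        1: {"DE.MIT.NET"},                               # only DE enabled
        2: {"FR.MIT.NET"},                               # only FR enabled
        3: {"BE.MIT.NET", "DE.MIT.NET", "FR.MIT.NET"},   # all enabled, BE first
    }
    return {
        n: (lookup_by_username_only(TICKET, make_providers(realms)),
            lookup_realm_aware(TICKET, make_providers(realms)))
        for n, realms in setups.items()
    }


if __name__ == "__main__":
    for n, (by_name, by_realm) in run_scenarios().items():
        print(f"scenario {n}: username-only -> {by_name!r}, realm-aware -> {by_realm!r}")
```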
From marcel.nemet at gmail.com Mon Mar 12 05:41:04 2018
From: marcel.nemet at gmail.com (Marcel Német)
Date: Mon, 12 Mar 2018 10:41:04 +0100
Subject: [keycloak-user] Obtaining permissions for resources which are not registered as Keycloak Resources

Hi,

We have an application with a large number of documents which are being sent between companies. A company can have multiple users. We have many companies and users can (on behalf of their company) send documents to another company. Then the document can be accessed either by the users of the sending company or the users of the receiving company. All documents can also be accessed by our customer-care operators (but this is a simple case which can be easily covered by role-based access control). Our data and users are in a SQL Server DB, so we would like to use the user federation interfaces to get the users.

I would like to solve the problem in the following way:
1. Using user federation, add the "company ID" custom attribute to the identity token of each user.
2. Write a rule-based Policy in Java or JavaScript named "Only users which belong to a sender or receiver company".
3. When somebody wants to access a document with ID "abc-123" which was sent by company "bbb" and received by company "ccc", the Java or JavaScript policy could, based on the resource ID "abc-123" and on the "company ID" custom attribute, query our database to see whether the "company ID" of the logged-in user is a sender company or a receiver company of the given document.
3*. Optionally the sender and receiver company of the document could be sent along as additional attributes in the permission ticket by the policy enforcer; then the resource server would do the reading from the database and the Keycloak Policy can decide without a DB connection.
But I am not sure this is secure: the permission ticket from the policy enforcer could be manipulated and the company ID of a hacker's company could be added as a sending company, then the hacker could access all documents. But I guess permission tickets are protected against manipulation.

The problems which I am facing:
Regarding step 3, the only way to get the "document ID" into the $evaluation.permission variable of the Java/JavaScript Policy is to create a Keycloak resource for every single document with a matching name and a matching URI (e.g. name="abc-123" and URI="/document/abc-123").

It seems complicated to me to create a resource for every document which we have and then delete those resources when we delete the documents, since the same policy applies to all documents anyway. We have huge numbers of documents being sent every day between companies. At the same time, if we do not create a Keycloak resource for every document, then I believe we cannot configure the policy enforcer to use the "/document/{id}" wildcard. The Authorisation server will not receive the document ID unless there is a Keycloak resource with the same name. Ideally, the Keycloak server should be able to grant permissions even if it does not have a resource registered and apply policies registered with URI /document/*. The $evaluation.permission variable should also hold the full URI, not the one with a wildcard. I understand that currently the URI in $evaluation.permission will be "document/*" even when a user is accessing "/document/abc-123" (unless we create a Keycloak resource for every document with a matching URI).

To summarize:
It would be great if the policy enforcer could obtain permissions to access document "abc-123" even without creating resource "abc-123" in Keycloak. The idea is that the policy enforcer asks "Can this user access document abc-123?"
and the Java policy in Keycloak can decide based on the ID of the resource and additional data inside the identity token or based on queries to our DB.
Is there a workaround or recommended solution?

I have read through the previous mailing-list topics below, and I saw that some user "hacked" the policy enforcer to send the precise URI from the policy enforcer. Or is there another way to pass the document ID to the Keycloak Policy (i.e. inside $evaluation.permission) without creating a Keycloak resource for every document? Is there a feature request in Jira which would cover such use cases? Allowing Keycloak to grant permissions for resources without having to register all resources in Keycloak would make it a more general solution.

Related topics from the mailing list:

"Performance with a large number of resources":
http://lists.jboss.org/pipermail/keycloak-user/2017-May/010583.html

and

"Additional attributes for an authorization request":
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Additional-attributes-for-an-authorization-request-td2571.html

Kind regards,
Marcel

From psilva at redhat.com Mon Mar 12 07:43:41 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 12 Mar 2018 08:43:41 -0300
Subject: [keycloak-user] Obtaining permissions for resources which are not registered as Keycloak Resources

Hi Marcel,

These are all valid concerns. Currently, we are working on some improvements to policy enforcers and the evaluation API. Some of them can help you achieve what you want:

* https://issues.jboss.org/browse/KEYCLOAK-6794
* https://issues.jboss.org/browse/KEYCLOAK-6628
* https://issues.jboss.org/browse/KEYCLOAK-6529

I do think your problem is pretty much related to KEYCLOAK-6529 as we are planning to include some common information in a permission ticket such as:

* HTTP request information such as path, path parameters, request parameters, etc.
* Provide some way that you, as a developer, can push any other claim to a permission ticket

I have one question though. Have you implemented a custom Policy Provider using the Policy Provider SPI? Or are you just using a Javascript policy?

Regards.
Pedro Igor

On Mon, Mar 12, 2018 at 6:41 AM, Marcel Német wrote:
> Hi,
>
> We have an application with a large number of documents which are being
> sent between companies. A company can have multiple users. We have many
> companies and users can (on behalf of their company) send documents to
> another company. Then the document can be accessed either by the users of the
> sending company or the users of the receiving company. All documents can
> also be accessed by our customer-care operators (but this is a simple case
> which can be easily covered by role-based access control). Our data and
> users are in a SQL Server DB, so we would like to use the user federation
> interfaces to get the users.
>
> I would like to solve the problem in the following way:
> 1. Using user federation, add the "company ID" custom attribute to the identity
> token of each user.
> 2. Write a rule-based Policy in Java or JavaScript named "Only users which
> belong to a sender or receiver company".
> 3. When somebody wants to access a document with ID "abc-123" which was
> sent by company "bbb" and received by company "ccc", the Java or JavaScript
> policy could, based on the resource ID "abc-123" and on the "company
> ID" custom attribute, query our database to see whether the "company ID"
> of the logged-in user is a sender company or a receiver company of the given
> document.
> 3*. Optionally the sender and receiver company of the document could be
> sent along as additional attributes in the permission ticket by the policy
> enforcer; then the resource server would do the reading from the database
> and the Keycloak Policy can decide without a DB connection.
> But I am not sure this is secure: the permission ticket from the policy enforcer
> could be manipulated and the company ID of a hacker's company could be added as a
> sending company, then the hacker could access all documents. But I guess
> permission tickets are protected against manipulation.
>
> The problems which I am facing:
> Regarding step 3, the only way to get the "document ID" into the
> $evaluation.permission variable of the Java/JavaScript Policy is to create
> a Keycloak resource for every single document with a matching name and a
> matching URI (e.g. name="abc-123" and URI="/document/abc-123").
>
> It seems complicated to me to create a resource for every document which
> we have and then delete those resources when we delete the documents, since
> the same policy applies to all documents anyway. We have huge numbers of
> documents being sent every day between companies. At the same time, if we
> do not create a Keycloak resource for every document, then I believe we
> cannot configure the policy enforcer to use the "/document/{id}" wildcard. The
> Authorisation server will not receive the document ID unless there is a
> Keycloak resource with the same name. Ideally, the Keycloak server should
> be able to grant permissions even if it does not have a resource registered
> and apply policies registered with URI /document/*. The
> $evaluation.permission variable should also hold the full URI, not the
> one with a wildcard. I understand that currently the URI in
> $evaluation.permission will be "document/*" even when a user is accessing
> "/document/abc-123" (unless we create a Keycloak resource for every
> document with a matching URI).
>
> To summarize:
> It would be great if the policy enforcer could obtain permissions to access
> document "abc-123" even without creating resource "abc-123" in Keycloak.
> The idea is that the policy enforcer asks "Can this user access
> document abc-123?"
> and the Java policy in Keycloak can decide based on the ID of the
> resource and additional data inside the identity token or based on queries
> to our DB.
> Is there a workaround or recommended solution?
>
> I have read through the previous mailing-list topics below, and I saw that
> some user "hacked" the policy enforcer to send the precise URI from the
> policy enforcer. Or is there another way to pass the document ID to the
> Keycloak Policy (i.e. inside $evaluation.permission) without creating a
> Keycloak resource for every document? Is there a feature request in Jira
> which would cover such use cases? Allowing Keycloak to grant permissions
> for resources without having to register all resources in Keycloak would
> make it a more general solution.
>
> Related topics from the mailing list:
>
> "Performance with a large number of resources":
> http://lists.jboss.org/pipermail/keycloak-user/2017-May/010583.html
>
> and
>
> "Additional attributes for an authorization request":
> http://keycloak-user.88327.x6.nabble.com/keycloak-user-Additional-attributes-for-an-authorization-request-td2571.html
>
> Kind regards,
> Marcel
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From fquirogam8 at gmail.com Mon Mar 12 07:43:53 2018
From: fquirogam8 at gmail.com (Fernando Quiroga)
Date: Mon, 12 Mar 2018 12:43:53 +0100
Subject: [keycloak-user] Keycloak LDAP login without user interaction

Hi everyone,

I'm following this post http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html to configure my application to log in with AD FS using the SAML protocol. My setup is an Angular 5 UI using the keycloak-js adapter. When the app starts I launch the Keycloak.init({ onLoad: 'login-required' }) method to make the Keycloak login page appear.
Right now I'm able to log in using email and password or by clicking the SAML SSO button and logging in through the AD FS login page.

What do I want to do? I want Keycloak to trigger the SAML SSO before showing the login screen. I mean, if on my PC I'm logged in with an AD FS account I want Keycloak to log me in directly with this account and only take me to the login page if I'm not a member of the AD FS, so I could log in via email and password.

Regards

From dz at scoutsengidsenvlaanderen.be Mon Mar 12 08:07:09 2018
From: dz at scoutsengidsenvlaanderen.be (Daan Zwaenepoel)
Date: Mon, 12 Mar 2018 13:07:09 +0100
Subject: [keycloak-user] entitymanger is NULL

Hello everyone

I try to inject an entity manager using @PersistenceContext but all that I get is an entity manager that is null. Anyone who had the same problem?

*file: META-INF/persistence.xml*
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd"
    version="1.0">
    java:jboss/datasources/GroepsAdminDS
    be.scoutsengidsenvlaanderen.login.importer.LidEntity

*file: standalone.xml*
    jdbc:postgresql://URL
    postgresql
    select 1
    true
    10000
    username
    pass
    org.h2.jdbcx.JdbcDataSource
    org.postgresql.xa.PGXADataSource

*file: class where I want to use the entity manager*

    import javax.ejb.Stateless;
    import javax.persistence.EntityManager;
    import javax.persistence.PersistenceContext;

    @Stateless
    public class Leden {
        @PersistenceContext(name = "groepsadmin")
        private EntityManager entityManager;

        public Leden(EntityManager em) {
            if (entityManager == null) {
                System.out.println("EntityManger is null");
            }
        }
    }

--
With kind scouting and guiding regards,

*Daan Zwaenepoel | Student worker - Group administration*
*Scouts en Gidsen Vlaanderen vzw*
dz at scoutsengidsenvlaanderen.be

From pinguwien at gmail.com Mon Mar 12 08:08:09 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Mon, 12 Mar 2018 13:08:09 +0100
Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode
Message-ID: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com>

Hi everyone,

so I'm on kc 3.4.3.Final and running a custom UserStorageProvider ("MyAppUserStorage" below) based on the github example jpa storage provider. It's all working well in the dev environment, which is not clustered. But in my clustered production kc environment (using standalone-ha, 2 nodes), the exception below is thrown. Seems like it has no effect, though; I can successfully use the app, even stop one node, and everything's working fine.

Now these log entries are at least annoying and I want to know what's happening here, so I hope someone could help me out. Do I have to make some classes @Serializable or something (e.g. UserAdapter.java) to work correctly in clustered mode?

Would be great to get some help here!
If you need more information or code, feel free to ask :)

Best regards,
Dominik

Log:

2018-03-08 14:38:21,220 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
    in field my.app.de.keycloak.MyAppUserStorage.session
    in object my.app.de.keycloak.MyAppUserStorage@1f4565de
    in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
    in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
    in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
    in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
    in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
    in object java.util.concurrent.ConcurrentHashMap@51f3597e
    in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
    in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
    in object org.infinispan.commands.tx.PrepareCommand@f4eee60c

2018-03-08 14:38:21,220 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-14) ISPN000136: Error executing command PrepareCommand, writing keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
    in field my.app.de.keycloak.MyAppUserStorage.session
    in object my.app.de.keycloak.MyAppUserStorage@1f4565de
    in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
    in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
    in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
    in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
    in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
    in object java.util.concurrent.ConcurrentHashMap@51f3597e
    in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
    in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
    in object org.infinispan.commands.tx.PrepareCommand@f4eee60c

2018-03-08 14:38:21,220 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-14) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
    in field my.app.de.keycloak.MyAppUserStorage.session
    in object my.app.de.keycloak.MyAppUserStorage@1f4565de
    in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
    in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
    in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
    in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
    in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
    in object java.util.concurrent.ConcurrentHashMap@51f3597e
    in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
    in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
    in object org.infinispan.commands.tx.PrepareCommand@f4eee60c

2018-03-08 14:38:21,221 WARN [org.infinispan.transaction.tm.DummyTransaction] (default task-14) ISPN000112: exception while committing: javax.transaction.xa.XAException at
org.infinispan.commons.CacheException: javax.transaction.HeuristicRollbackException at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) at 
org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at 
java.lang.Thread.run(Thread.java:748) Caused by: javax.transaction.HeuristicRollbackException at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) ... 71 more Caused by: javax.transaction.xa.XAException at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) ... 75 more Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession Caused by: an exception which occurred: in field my.app.de.keycloak.MyAppUserStorage.session in object my.app.de.keycloak.MyAppUserStorage at 1f4565de in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 in object java.util.concurrent.ConcurrentHashMap at 51f3597e in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d in object 
org.infinispan.commands.tx.PrepareCommand at f4eee60c 2018-03-08 14:38:21,226 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession Caused by: an exception which occurred: in field my.app.de.keycloak.MyAppUserStorage.session in object my.app.de.keycloak.MyAppUserStorage at 1f4565de in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 in object java.util.concurrent.ConcurrentHashMap at 51f3597e in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d in object org.infinispan.commands.tx.PrepareCommand at f4eee60e 2018-03-08 14:38:21,226 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-14) ISPN000136: Error executing command PrepareCommand, writing keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession Caused by: an exception which occurred: in field my.app.de.keycloak.MyAppUserStorage.session in object my.app.de.keycloak.MyAppUserStorage at 1f4565de in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c in field 
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 in object java.util.concurrent.ConcurrentHashMap at 51f3597e in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d in object org.infinispan.commands.tx.PrepareCommand at f4eee60e 2018-03-08 14:38:21,226 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-14) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession Caused by: an exception which occurred: in field my.app.de.keycloak.MyAppUserStorage.session in object my.app.de.keycloak.MyAppUserStorage at 1f4565de in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 in object java.util.concurrent.ConcurrentHashMap at 51f3597e in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d in object org.infinispan.commands.tx.PrepareCommand at f4eee60e 2018-03-08 14:38:21,227 WARN [org.infinispan.transaction.tm.DummyTransaction] (default task-14) ISPN000112: exception while committing: javax.transaction.xa.XAException at 
org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) 
at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) at 
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown Source) at org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) at org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession Caused by: an exception which occurred: in field my.app.de.keycloak.MyAppUserStorage.session in object my.app.de.keycloak.MyAppUserStorage at 1f4565de in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 in object java.util.concurrent.ConcurrentHashMap at 51f3597e in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d in object org.infinispan.commands.tx.PrepareCommand at f4eee60e 2018-03-08 14:38:21,238 WARN [org.jboss.as.txn] (default task-14) WFLYTX0027: The pre-jca synchronization org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 32861c5f associated with tx TransactionImple < ac, BasicAction: 0:ffff0a7f0895:-364bcb73:5a9d46fe:590c status: ActionStatus.COMMITTED > failed during after completion: org.infinispan.commons.CacheException: javax.transaction.HeuristicRollbackException at 
org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at 
org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) at 
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown Source) at org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) at org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: javax.transaction.HeuristicRollbackException at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) at 
org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) ... 91 more
Caused by: javax.transaction.xa.XAException at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) ... 95 more
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred: in field my.app.de.keycloak.MyAppUserStorage.session in object my.app.de.keycloak.MyAppUserStorage at 1f4565de in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 in object java.util.concurrent.ConcurrentHashMap at 51f3597e in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d in object org.infinispan.commands.tx.PrepareCommand at f4eee60e

From j.keith at xsb.com Mon Mar 12 08:22:42 2018
From: j.keith at xsb.com (Jordan Keith)
Date: Mon, 12 Mar 2018 07:22:42 -0500 (CDT)
Subject: [keycloak-user]
"You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
Message-ID: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com>

We have set the SSO Session Idle to 13 minutes to match our access token lifespan of 15 minutes in order to work around the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login. Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario:

1). Log into application.
2). Close browser tab containing application.
3). Wait 15 minutes (SSO idle + 2 minute grace period)
4). Open application again. You'll be directed to the login page by keycloak.
5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning."

Why do I receive this error even when I attempt to login immediately after opening the log in page?

From rmedeiros at indaba.es Mon Mar 12 08:54:36 2018
From: rmedeiros at indaba.es (Raúl Medeiros)
Date: Mon, 12 Mar 2018 13:54:36 +0100
Subject: [keycloak-user] Multi-country domain
Message-ID:

Hello,

We need to develop a domain with multiple countries and one admin per country. Those admin users can only see, edit and create users that belong to its country. I don't know if the best approach to set a country to a user is as an attribute or creating one group per country.

I would like to know what would be the best approach to solve this and if it's possible to restrict one admin user to manage only its country users.
Thank you,

Raul

From ba.andrzejczak at gmail.com Mon Mar 12 09:09:53 2018
From: ba.andrzejczak at gmail.com (Bartosz Andrzejczak)
Date: Mon, 12 Mar 2018 14:09:53 +0100
Subject: [keycloak-user] Multi-country domain
In-Reply-To:
References:
Message-ID:

Hi Raul,

If you have a one-to-one relationship between user and country and you don't want any of the users to access multiple countries, I would go with multiple realms. I would create one realm per country and then register users into their country realm.

Cheers,
Bartek

> On 12 Mar 2018, at 1:54 PM, Raúl Medeiros wrote:
>
> Hello,
>
> We need to develop a domain with multiple countries and one admin per
> country. Those admin users can only see, edit and create users that belong
> to its country. I don't know if the best approach to set a country to a
> user is as an attribute or creating one group per country.
>
> I would like to know what would be the best approach to solve this and if
> it's possible to restrict one admin user to manage only its country users.
>
> Thank you,
>
> Raul
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From marco.deluca at carity.se Mon Mar 12 09:12:32 2018
From: marco.deluca at carity.se (Marco de Luca)
Date: Mon, 12 Mar 2018 14:12:32 +0100
Subject: [keycloak-user] Problem: We're sorry ...You are already authenticated as different user
In-Reply-To:
References: <79991F1C-997F-483F-9AF5-9E3C084FE805@carity.se>
Message-ID:

Hello,

The error registers as follows in the Keycloak log. Any suggestions?
Event type: REGISTER_ERROR
Error: different_user_authenticated

13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, realmId=1177, clientId=demo-app, userId=a0994120-e9cd-4ae5-b6b9-e92dc3bf8206, ipAddress=172.30.181.189, error=different_user_authenticated, identity_provider=idp_acctest, register_method=broker, consent=no_consent_required, previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, identity_provider_identity=7fecc1f8-87d3-420b-a2b0-df239c5cee78, code_id=e14dbf6d-7a69-4842-a54f-cd02552aab47, username=7fecc1f8-87d3-420b-a2b0-df239c5cee78

Kind regards
--
Marco

> On 9 Mar 2018, at 11:14, Marek Posolda wrote:
>
> Hi,
>
> could you try to upgrade to latest version 3.4.3 and see if the issue is still here for your scenario?
>
> Marek
>
> On 09/03/18 10:51, Marco de Luca wrote:
>> Scenario:
>>
>> We are using keycloak OIDC to create id-token/UserInfo for our applications. IdP is provided by an external SAML IdP.
>>
>> We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
>>
>>
>> Problem:
>>
>> When the first application "A" uses Keycloak to authenticate the user everything is OK. When application "B" (using the same browser) uses Keycloak to authenticate the user an error occurs. "We're sorry ...You are already authenticated as different user 'xx' in this session. Please logout first." (DIFFERENT_USER_AUTHENTICATED)
>>
>> The current configuration uses the IdP "Subject.NameID" as username (preferred_username).
>>
>

From soumya.mishra at aktana.com Mon Mar 12 16:06:37 2018
From: soumya.mishra at aktana.com (Soumya Mishra)
Date: Mon, 12 Mar 2018 13:06:37 -0700
Subject: [keycloak-user] Fwd: refresh_token flow doesn't work with a standalone_ha setup
In-Reply-To:
References:
Message-ID:

Hello All,

I am facing a problem with running keycloak in standalone clustered mode (i.e, standalone-ha) mode. I have a set of 3 clusters and using a load balancer on top of it.
I am able to login properly each time. But the refresh_token and offline_access token flow is not working properly because the load balancer is hitting different instances at different times. It only works when the load balancer hits the instance from which the token was generated.

I compared various tokens generated by all the different instances and I see that iss, iat and jti values are different for each of the tokens. Is it a problem?

Please let me know if anybody has any idea how this issue should be fixed or where I am doing wrong.

Regards,
Soumya

From clehingue at gmail.com Mon Mar 12 17:31:46 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Mon, 12 Mar 2018 22:31:46 +0100
Subject: [keycloak-user] Simulate / call check-sso with curl
Message-ID:

Hello,

Is it possible to perform the equivalent of the call to the javascript function 'check-sso' in CURL ?

Is it possible to do the equivalent of the call to the javascript function 'check-sso' in CURL?

thank you for your help,

Thank you,

From ntle at castortech.com Mon Mar 12 17:34:48 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 12 Mar 2018 17:34:48 -0400
Subject: [keycloak-user] how to enable remote resource management from admin-api
Message-ID:

Hello,

I'm trying to enable remote resource management using the admin-api so that I can later create resources dynamically.
My code is as follows:

ClientRepresentation client = adminClient.realm(realmName).clients().findByClientId(clientId).get(0);
client.setServiceAccountsEnabled(true);
client.setAuthorizationServicesEnabled(true);
adminClient.realm(realmName).clients().get(client.getId()).update(client);

ResourceServerRepresentation authzSetting = new ResourceServerRepresentation();
authzSetting.setAllowRemoteResourceManagement(true);
client.setAuthorizationSettings(authzSetting);
adminClient.realm(realmName).clients().get(client.getId()).update(client);

This piece of code runs without error, however when I check the client from the admin console, I still see remote resource management not enabled. Am I missing anything?

Thai

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE: The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.
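The log line Marco de Luca quotes above is the key=value format of Keycloak's org.keycloak.events logger, and his later note in this thread (the SAML IdP issuing a fresh NameID on every authentication) says what a defender should look for in it. The following is an added example, not code from this thread or from the Keycloak project: it parses lines in that format and flags an identity provider that keeps presenting new broker identities for the same existing Keycloak user. Only the first sample line is from the thread; the other lines, their placeholder UUIDs and the `transient_identity_suspects` rule are constructed for the example.

```python
"""Parse Keycloak event-log lines and flag different_user_authenticated errors.

Added example for this thread, not code from Keycloak or from any poster.
The format is the one in Marco de Luca's log excerpt:
  "13:07:05,127 WARN [org.keycloak.events] (default task-50) type=..., realmId=..., ..."
"""
import re
from collections import defaultdict

# Matches the logger prefix and captures the comma-separated key=value tail.
_EVENT_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[org\.keycloak\.events\]\s+\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)


def parse_event(line):
    """Return the event as a dict (time, level, thread plus every key=value
    field), or None when the line is not an org.keycloak.events line.
    Fields are split on ', ', which is fine for the fields shown in the
    thread; a value that itself contains ', ' would need a smarter splitter."""
    m = _EVENT_LINE.match(line.strip())
    if not m:
        return None
    event = {"time": m["time"], "level": m["level"], "thread": m["thread"]}
    for part in m["fields"].split(", "):
        key, sep, value = part.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def different_user_errors(lines):
    """All events whose error detail is different_user_authenticated."""
    return [e for e in map(parse_event, lines)
            if e and e.get("error") == "different_user_authenticated"]


def transient_identity_suspects(lines):
    """Group those errors by (identity_provider, previous_user) and keep the
    groups in which the IdP presented more than one identity_provider_identity
    for the same existing Keycloak user. A broker that keeps arriving with a
    new subject for a user whose browser already holds an SSO session is the
    pattern Marco traced to the SAML IdP minting a fresh NameID on every
    authentication (rule constructed for this example)."""
    identities = defaultdict(set)
    for e in different_user_errors(lines):
        key = (e.get("identity_provider"), e.get("previous_user"))
        identities[key].add(e.get("identity_provider_identity"))
    return {k: sorted(v) for k, v in identities.items() if len(v) > 1}


# Constructed sample: the first line is the one quoted in the thread; the
# others are made up, with placeholder UUIDs, to exercise the rule.
SAMPLE_LOG = [
    "13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, "
    "realmId=1177, clientId=demo-app, userId=a0994120-e9cd-4ae5-b6b9-e92dc3bf8206, "
    "ipAddress=172.30.181.189, error=different_user_authenticated, "
    "identity_provider=idp_acctest, register_method=broker, consent=no_consent_required, "
    "previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, "
    "identity_provider_identity=7fecc1f8-87d3-420b-a2b0-df239c5cee78, "
    "code_id=e14dbf6d-7a69-4842-a54f-cd02552aab47, username=7fecc1f8-87d3-420b-a2b0-df239c5cee78",
    # same IdP, same existing user, yet another broker identity a minute later
    "13:08:11,002 WARN [org.keycloak.events] (default task-51) type=REGISTER_ERROR, "
    "realmId=1177, clientId=demo-app, userId=00000000-0000-4000-8000-000000000001, "
    "ipAddress=172.30.181.189, error=different_user_authenticated, "
    "identity_provider=idp_acctest, register_method=broker, consent=no_consent_required, "
    "previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, "
    "identity_provider_identity=00000000-0000-4000-8000-0000000000aa, "
    "code_id=00000000-0000-4000-8000-0000000000cc, username=00000000-0000-4000-8000-0000000000aa",
    # an unrelated failure that the rule must ignore
    "13:09:40,515 WARN [org.keycloak.events] (default task-52) type=LOGIN_ERROR, "
    "realmId=1177, clientId=demo-app, userId=null, ipAddress=10.0.0.9, "
    "error=user_not_found, auth_method=openid-connect, username=bob",
    # not an event line at all
    "13:09:41,000 INFO [org.jboss.as.server] (management-handler-thread - 1) "
    "WFLYSRV0010: Deployed \"app.war\"",
]

if __name__ == "__main__":
    for key, ids in transient_identity_suspects(SAMPLE_LOG).items():
        print("IdP %s presented %d different identities for user %s: %s"
              % (key[0], len(ids), key[1], ", ".join(ids)))
```

Run against a real server.log the rule separates the two cases that produce this error: a single stray event (a user who genuinely switched accounts in one browser) versus a steady stream of new identities for one user from one IdP, which points at the IdP's NameID format rather than at Keycloak.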
From mposolda at redhat.com Mon Mar 12 17:46:56 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 12 Mar 2018 22:46:56 +0100
Subject: [keycloak-user] Delete large realm fails with timeout
In-Reply-To:
References: <5307f0f2-6226-0f7b-3dc1-f9b99049ca35@redhat.com>
Message-ID: <4da7287f-a897-7cde-c1b7-549cba4c592b@redhat.com>

On 10/03/18 02:18, Niels Bertram wrote:
> Yes trying to upgrade to RH-SSO 7.2 but there are lots of errors
> during database upgrade. Looks like the liquibase scripts work with a
> fresh install but not after the database was "used" for 2 years and
> holds data.

The idea is that upgrade from 1.9.8 (or any other version) to 3.4.3 should always work even if you have existing data in the database. If it doesn't work it's a bug. We are testing database upgrades, but it's possible that we miss some scenarios. For example, DB upgrade is broken only if some "special" condition of data format happens (e.g. read-only LDAP is configured in the realm). So feel free to create a JIRA and add the stacktrace you saw in server.log during upgrade. Also all the other details (used DB, previous version you're migrating from etc).

Thanks,
Marek

> When hitting delete on the realm admin page, the action starts but
> times out before the database can finish its work. I did manage to
> reduce the size of records that need to be deleted by manually
> clearing out USER_ATTRIBUTE which held ~150k rows. After that, I was
> able to delete the realm through the admin console.
>
> On Tue, Mar 6, 2018 at 2:23 PM, Marek Posolda wrote:
>
> That's quite an old version. There are lots of changes and fixes
> in the meantime. Do you have a chance to upgrade to latest 3.4.3
> and try with it?
>
> Marek
>
>
> On 05/03/18 05:20, Niels Bertram wrote:
>
> Is there a database script that we can run to delete a
> keycloak realm with
> large volume of synchronised users?
> We have a realm with a
> "few" users
> synced from LDAP in our RH-SSO 7.0 / Keycloak 1.9.8
> installation and trying
> to delete the realm via the console fails with a timeout.
> Cheers Niels
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>

From nielsbne at gmail.com Tue Mar 13 01:27:10 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Tue, 13 Mar 2018 15:27:10 +1000
Subject: [keycloak-user] SSO check in Spring Security
Message-ID:

We have a requirement to check if a user is signed in when they visit a site. For the JavaScript adapter this is a piece of cake with "check-sso", but I could not find anything like this for spring security adapters. Anyone ever had to implement optional check-sso using Keycloak with Spring Security?

Thanks
Niels

From eduard.matuszak at worldline.com Tue Mar 13 04:56:55 2018
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 13 Mar 2018 08:56:55 +0000
Subject: [keycloak-user] Keycloak and Wildfly 12
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D72AA260BB@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

Is it still possible to install the newest Keycloak 3.4.3 on a Wildfly 12? According to the download site https://www.keycloak.org/downloads.html Wildfly up to version 11 is supported. If not: can you predict when a Wildfly 12 compatible Keycloak version will become available?

Best regards, Eduard Matuszak

From marco.deluca at carity.se Tue Mar 13 05:55:44 2018
From: marco.deluca at carity.se (Marco de Luca)
Date: Tue, 13 Mar 2018 10:55:44 +0100
Subject: [keycloak-user] Problem with account linking?!
Message-ID: <2A83D7DB-59BC-43F6-8E94-F409EA4774EC@carity.se>

Scenario:

We are using keycloak OIDC to create id-token/UserInfo for our applications. IdP is provided by an external trusted SAML IdP.
We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.3-Final). User information from the external IdP is trusted and we don't want the users to link and/or verify the account.

Problem:

When a user accesses application "A", which uses Keycloak to authenticate the user, everything is OK.
- Keycloak creates a user account using a specified attribute (unique id from SAML response)

When the user accesses the application a second time (close browser or logout) keycloak requires the user to link the account.

"We're sorry ... User with username tst5565594230 already exists. Please login to account management to link the account."

We have disabled "Confirm Link Existing Account" for the relevant Authentication binding (browser flow, first broker login).

Any suggestions?

--
Marco

From marco.deluca at carity.se Tue Mar 13 06:06:59 2018
From: marco.deluca at carity.se (Marco de Luca)
Date: Tue, 13 Mar 2018 11:06:59 +0100
Subject: [keycloak-user] Problem: We're sorry ...You are already authenticated as different user
In-Reply-To:
References: <79991F1C-997F-483F-9AF5-9E3C084FE805@carity.se>
Message-ID: <62A48BCC-C578-4BB0-A968-C500E59551DD@carity.se>

RESOLVED:

In our scenario keycloak was using the SAML response NameID as username. The SAML IdP creates a new NameID for each authentication. Therefore keycloak received a different username (NameID) pointing to the same keycloak ID (during SSO session).

We are now using the "Username Template Importer" and trying automatic account linking instead.

--
Marco

> On 12 Mar 2018, at 14:12, Marco de Luca wrote:
>
> Hello,
>
> The error registers as follows in the Keycloak log. Any suggestions?
>
> Event type: REGISTER_ERROR
> Error: different_user_authenticated
>
> 13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, realmId=1177, clientId=demo-app, userId=a0994120-e9cd-4ae5-b6b9-e92dc3bf8206, ipAddress=172.30.181.189, error=different_user_authenticated, identity_provider=idp_acctest, register_method=broker, consent=no_consent_required, previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, identity_provider_identity=7fecc1f8-87d3-420b-a2b0-df239c5cee78, code_id=e14dbf6d-7a69-4842-a54f-cd02552aab47, username=7fecc1f8-87d3-420b-a2b0-df239c5cee78
>
>
> Kind regards
> --
> Marco
>
>
>
>> On 9 Mar 2018, at 11:14, Marek Posolda wrote:
>>
>> Hi,
>>
>> could you try to upgrade to latest version 3.4.3 and see if the issue is still here for your scenario?
>>
>> Marek
>>
>> On 09/03/18 10:51, Marco de Luca wrote:
>>> Scenario:
>>>
>>> We are using keycloak OIDC to create id-token/UserInfo for our applications. IdP is provided by an external SAML IdP.
>>>
>>> We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
>>>
>>>
>>> Problem:
>>>
>>> When the first application "A" uses Keycloak to authenticate the user everything is OK. When application "B" (using the same browser) uses Keycloak to authenticate the user an error occurs. "We're sorry ...You are already authenticated as different user 'xx' in this session. Please logout first." (DIFFERENT_USER_AUTHENTICATED)
>>>
>>> The current configuration uses the IdP "Subject.NameID" as username (preferred_username).
>>>
>>
>

From weil at redhat.com Tue Mar 13 06:50:41 2018
From: weil at redhat.com (Wei Li)
Date: Tue, 13 Mar 2018 10:50:41 +0000
Subject: [keycloak-user] Help needed to perform SSO on iOS
In-Reply-To:
References:
Message-ID:

I have done further tests on iOS and at this point, I have come to the conclusion that both Keycloak and AppAuth are working as expected, it's the `SFAuthenticationSession` on iOS 11 causing quite a lot of issues here. I have documented the tests I have done here [1].

[1] https://github.com/openid/AppAuth-iOS/issues/186

Thanks.

On Fri, Mar 9, 2018 at 5:44 PM, Wei Li wrote:
> Hi,
>
> We are trying to perform SSO with OpenID connect using the latest release
> version of Keycloak for our mobile apps. The client library we are using
> is AppAuth.
>
> Everything works as expected on Android. I have 2 apps and if I logged into
> one of the apps, when I try to login the other app, I will just get
> redirected back to the app and that's it.
>
> However, this doesn't seem to be the case for iOS. On the second app, I
> was presented with the login screen and I have to enter my username and
> password again.
>
> Initially I thought it might be a problem with AppAuth-ios so I asked the
> question there[1]. However, it looks like the AppAuth lib is working as
> expected. But one of the maintainers does mention that I have to make sure
> the IDP is using persistent cookies.
>
> So my questions are:
>
> 1. Is Keycloak using persistent cookies?
> 2. Has anyone tried using Keycloak to perform SSO on iOS, does it work?
>
> Any help is appreciated.
>
> Thanks.
>
> [1] https://github.com/openid/AppAuth-iOS/issues/186
> --
>
> WEI LI
>
> Principal SOFTWARE ENGINEER
>
> Red Hat Mobile
>
> weil at redhat.com M: +353862393272
>

--
WEI LI
Principal SOFTWARE ENGINEER
Red Hat Mobile
weil at redhat.com M: +353862393272

From msakho at redhat.com Tue Mar 13 07:15:16 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 13 Mar 2018 12:15:16 +0100
Subject: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?
In-Reply-To:
References:
Message-ID:

Stephen,

I suggest you read the following blog post [1] related to keycloak clustering. You'll need to use the docker image [2] instead if you want the clustering to work in a docker environment. If you are in a kubernetes environment, you'll not be able to use the native KUBE_PING protocol since the keycloak image does not include this feature yet. Unless you try to build the following [3] pull request.

[1]=http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
[2]=https://github.com/jmowla/keycloak/blob/master/server-ha-postgres/Dockerfile
[3]=https://github.com/jboss-dockerfiles/keycloak/pull/96

Meissa

On Mon, Mar 12, 2018 at 5:15 PM, Stephen Henrie wrote:
> Meissa,
>
> Thanks for the heads up on the deprecation. Do you know off the top of
> your head if that keycloak server image that is referenced here (
> https://hub.docker.com/r/jboss/keycloak-postgres/) supports an HA
> deployment as well?
>
> Thanks
> Stephen
>
> On Mon, Mar 12, 2018 at 12:41 AM, Meissa M'baye Sakho
> wrote:
>
>> Stephen, the postgres-ha docker image is deprecated. It's clearly stated
>> in the following:
>> https://hub.docker.com/r/jboss/keycloak-postgres/
>> @Marco, I understand your point.
>> Maybe you need to extend the keycloak image.
>> Meissa
>>
>> On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie
>> wrote:
>>
>>> Actually, the postgres-ha docker image that is tagged for 3.4.3.Final
>>> installs version 3.4.2.
>>> I had to rebuild that image myself and replace the
>>> "latest" tag with a "3.4.3.Final" tag in order to have the correct version.
>>>
>>> Regards,
>>> Stephen
>>>
>>> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho
>>> wrote:
>>>
>>>> Marco,
>>>> which docker image are you using?
>>>> The latest docker image that relies on Keycloak 3.4.3 has been updated to
>>>> handle either postgresql or mysql.
>>>> You'll find the information you're looking for in the following link at the
>>>> PostgreSQL section.
>>>> https://hub.docker.com/r/jboss/keycloak/
>>>> thanks,
>>>> Meissa
>>>>
>>>>
>>>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas
>>>> wrote:
>>>>
>>>> > Hi there,
>>>> >
>>>> > I am trying to use the Docker Image for Keycloak but I seem to be
>>>> unable to
>>>> > set a schema for the tables that are created in PostgreSQL. Currently
>>>> all
>>>> > tables end up in the public schema.
>>>> > Is there a way that I can instruct Keycloak to create the tables
>>>> inside a
>>>> > schema?
>>>> >
>>>> > Kind regards,
>>>> > Marco Pas
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>

From ntle at castortech.com Tue Mar 13 15:07:51 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 13 Mar 2018 15:07:51 -0400
Subject: [keycloak-user] how to create policy/permission from java admin-client
Message-ID:

Hello,

Is there an example for how to create policy/permission using admin-client and authz-client? I'm making a stand-alone java program to dynamically create client, role, policy, permission.
Thai

From soumya.mishra at aktana.com Tue Mar 13 15:10:39 2018
From: soumya.mishra at aktana.com (Soumya Mishra)
Date: Tue, 13 Mar 2018 12:10:39 -0700
Subject: [keycloak-user] refresh_token flow doesn't work with a standalone_ha setup
In-Reply-To:
References:
Message-ID:

Does anyone know anything about this?

On Mon, Mar 12, 2018 at 1:06 PM, Soumya Mishra wrote:
>
> Hello All,
>
> I am facing a problem with running keycloak in standalone clustered mode
> (i.e, standalone-ha) mode. I have a set of 3 clusters and using a load
> balancer on top of it.
>
> I am able to login properly each time. But the refresh_token and
> offline_access token flow is not working properly because the load balancer
> is hitting different instances at different times. It only works when the
> load balancer hits the instance from which the token was generated.
>
> I compared various tokens generated by all the different instances and I
> see that iss, iat and jti values are different for each of the tokens. Is
> it a problem?
>
> Please let me know if anybody has any idea how this issue should be fixed
> or where I am doing wrong.
>
> Regards,
> Soumya
>
>
>
>
>

From psilva at redhat.com Tue Mar 13 16:09:48 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 13 Mar 2018 17:09:48 -0300
Subject: [keycloak-user] how to create policy/permission from java admin-client
In-Reply-To:
References:
Message-ID:

Sorry, no docs yet.

Take a look at https://github.com/pedroigor/keycloak/blob/8e64bc3e4dc3d5b6ab449ffff42e425bc76f253f/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java . You can obtain an instance of that class after selecting a client with authorization services enabled.

For some examples, see https://github.com/pedroigor/keycloak/tree/1e1de85685bb5d5f180f510630cd7133f8a35375/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization .

Regards.
On Tue, Mar 13, 2018 at 4:07 PM, Nhut Thai Le wrote:
> Hello,
>
> Is there an example for how to create policy/permission using admin-client
> and authz-client? I'm making a stand-alone java program to dynamically
> create client, role, policy, permission.
>
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com Tue Mar 13 16:23:23 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Mar 2018 21:23:23 +0100
Subject: [keycloak-user] refresh_token flow doesn't work with a standalone_ha setup
In-Reply-To:
References:
Message-ID: <02b54f17-e018-a100-767f-bb88e840c457@redhat.com>

On 13/03/18 20:10, Soumya Mishra wrote:
> Anyone knows anything about this?
>
> On Mon, Mar 12, 2018 at 1:06 PM, Soumya Mishra
> wrote:
>
>> Hello All,
>>
>> I am facing a problem with running keycloak in standalone clustered mode
>> (i.e, standalone-ha) mode. I have a set of 3 clusters and using a load
>> balancer on top of it.
>>
>> I am able to login properly each time. But the refresh_token and
>> offline_access token flow is not working properly because the load balancer
>> is hitting different instances at different times. It only works when the
>> load balancer hits the instance from which the token was generated.
>>
>> I compared various tokens generated by all the different instances and I
>> see that iss, iat and jti values are different for each of the tokens. Is
>> it a problem?

No, it shouldn't be. That is expected.

Is the shared database correctly set? And are sessions replicated? I suggest you open the admin console and open the tab "sessions" for any realm, user or client. You can open it on all 3 nodes (alternatively open it through the loadbalancer until you make sure that the loadbalancer redirects it to the 3 different nodes, if you can't open the Keycloak backend nodes directly) and compare whether the "sessions" are the same on every node.
If not, then your clustering setup is broken. We have some info in our clustering docs, I suggest to look there. Marek >> >> Please let me know if anybody has any idea how this issue should be fixed >> or where I am doing wrong. >> >> Regards, >> Soumya >> >> >> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Mar 13 16:31:17 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 13 Mar 2018 21:31:17 +0100 Subject: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout) In-Reply-To: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com> References: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com> Message-ID: What is Keycloak version used? Could you try with latest 3.4.3? Marek On 12/03/18 13:22, Jordan Keith wrote: > We have set the SSO Session Idle to 13 minutes to match our access token lifespace of 15 minutes in order to workaround the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login. Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario: > > 1). Log into application. > 2). Close browser tab containing application. > 3). Wait 15 minutes (SSO idle + 2 minute grace period) > 4). Open application again. You'll be directed to the login page by keycloak. > 5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning." > > Why do I receive this error even when I attempt to login immediately after opening the log in page? 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Mar 13 16:36:45 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 13 Mar 2018 21:36:45 +0100 Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode In-Reply-To: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> References: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> Message-ID: I guess those examples were not tested in cluster environment. It seerms the issue is, that some stateful EJB is trying to serialize, but EJB has reference on DefaultKeycloakSession, which is not serializable (and shouldn't be as it's not supposed to be serialized and sent over network). I am not 100% sure, but if it's possible to get rid of stateful EJB and use "standalone" JPA, it may help. Also it may help if you mark some fields transient in your EJB or write custom infinispan externalizers. See infinispan/Wildfly docs for more info. Marek On 12/03/18 13:08, Dominik Guhr wrote: > Hi everyone, > > so I'm on kc 3.4.3.Final and running a custom UserStorageProvider > ("MyAppUserStorage" below) based on the github example jpa storage > provider. It's all working well in dev-environment, which is not clustered. > > But in my clustered production-kc-environment (using standalone-ha, 2 > nodes), the exception below is thrown. > Seems like it has no effect, though, I can successfully use the app, > even stop one node and everythings working fine. > > Now these logentries are at least annoying and I want to know whats > happening here, so I hope someone could help me out. Do I have to make > some classes @Serializable or something? (e.g. UserAdapter.java?) to > work correctly in clustered mode? > > Would be great to get some help here! 
> If you need more information or code, feel free to ask :)
>
> Best regards,
> Dominik
>
> Log:
> 2018-03-08 14:38:21,220 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>
> 2018-03-08 14:38:21,220 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-14) ISPN000136: Error executing command PrepareCommand, writing keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>
> 2018-03-08 14:38:21,220 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-14) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>
> 2018-03-08 14:38:21,221 WARN [org.infinispan.transaction.tm.DummyTransaction] (default task-14) ISPN000112: exception while committing: javax.transaction.xa.XAException
> at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
> at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
> at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
> at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
> at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
> at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
> at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
> at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
> at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
> at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
> at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
> at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
> at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
> at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
> at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
> at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>
> 2018-03-08 14:38:21,222 WARN [org.jboss.as.txn] (default task-14) WFLYTX0027: The pre-jca synchronization org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization@57f2b0a6 associated with tx TransactionImple < ac, BasicAction: 0:ffff0a7f0895:-364bcb73:5a9d46fe:5906 status: ActionStatus.COMMITTED > failed during after completion: org.infinispan.commons.CacheException: javax.transaction.HeuristicRollbackException
> at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102)
> at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
> at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
> at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
> at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
> at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
> at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
> at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
> at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.transaction.HeuristicRollbackException
> at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433)
> at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
> at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
> at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
> at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
> ... 71 more
> Caused by: javax.transaction.xa.XAException
> at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
> at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
> at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
> at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
> ... 75 more
> Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>
> 2018-03-08 14:38:21,226 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@1e32e6c3
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60e
>
> 2018-03-08 14:38:21,226 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-14) ISPN000136: Error executing command PrepareCommand, writing keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@1e32e6c3
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60e
>
> 2018-03-08 14:38:21,226 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-14) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage@1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@1e32e6c3
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
> in object java.util.concurrent.ConcurrentHashMap@51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
> in object org.infinispan.commands.tx.PrepareCommand@f4eee60e
>
> 2018-03-08 14:38:21,227 WARN [org.infinispan.transaction.tm.DummyTransaction] (default task-14) ISPN000112: exception while committing: javax.transaction.xa.XAException
> at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
> at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
> at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
> at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
> at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
> at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
> at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
> at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
> at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
> at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
> at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
> at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
> at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
> at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92)
> at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279)
> at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332)
> at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) > at > org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) > at > org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) > at > org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) > at > org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) > at > org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) > at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown > Source) > at > org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > Caused by: org.infinispan.commons.marshall.NotSerializableException: > 
org.keycloak.services.DefaultKeycloakSession > Caused by: an exception which occurred: > in field my.app.de.keycloak.MyAppUserStorage.session > in object my.app.de.keycloak.MyAppUserStorage at 1f4565de > in field > org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value > in object > org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c > in field > org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance > in object > org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 > in object > org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 > in object java.util.concurrent.ConcurrentHashMap at 51f3597e > in object > org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 > in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d > in object org.infinispan.commands.tx.PrepareCommand at f4eee60e > > 2018-03-08 14:38:21,238 WARN [org.jboss.as.txn] (default task-14) > WFLYTX0027: The pre-jca synchronization > org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 32861c5f > associated with tx TransactionImple < ac, BasicAction: > 0:ffff0a7f0895:-364bcb73:5a9d46fe:590c status: ActionStatus.COMMITTED > > failed during after completion: org.infinispan.commons.CacheException: > javax.transaction.HeuristicRollbackException > at > org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) > at > org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) > at > org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) > at > org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) > at > 
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) > at > org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) > at > org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) > at > org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) > at > com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) > at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) > at > com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) > at > org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) > at > org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > 
org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) > at > 
org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) > at > org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) > at > org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) > at > org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) > at > org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) > at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown > Source) > at > org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > 
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > Caused by: javax.transaction.HeuristicRollbackException > at > org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) > at > org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) > at > 
> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
> at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
> at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
> ... 91 more
> Caused by: javax.transaction.xa.XAException
> at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
> at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
> at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
> at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
> ... 95 more
> Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
> Caused by: an exception which occurred:
> in field my.app.de.keycloak.MyAppUserStorage.session
> in object my.app.de.keycloak.MyAppUserStorage at 1f4565de
> in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
> in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c
> in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
> in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3
> in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535
> in object java.util.concurrent.ConcurrentHashMap at 51f3597e
> in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8
> in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d
> in object org.infinispan.commands.tx.PrepareCommand at f4eee60e
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda
at redhat.com Tue Mar 13 16:38:36 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Mar 2018 21:38:36 +0100
Subject: [keycloak-user] entitymanger is NULL

Not sure why you use JPA. Are you writing your own userStorage? We have an example in our example distribution. It's in directory "providers". I suggest looking there for inspiration and comparing why that one works and yours doesn't.

Marek

On 12/03/18 13:07, Daan Zwaenepoel wrote:
> Hello everyone
>
> I try to inject an entitymanager using @PersistenceContext but all that I
> get is an entitymanager that is null. Anyone who had the same problem?
>
> *file: META-INF/persistence.xml*
>
> <persistence xmlns="http://java.sun.com/xml/ns/persistence"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd"
>     version="1.0">
>     <persistence-unit name="...">
>         <jta-data-source>java:jboss/datasources/GroepsAdminDS</jta-data-source>
>         <class>be.scoutsengidsenvlaanderen.login.importer.LidEntity</class>
>         <properties>
>             <property name="hibernate.dialect" value="org.hibernate.dialect.PostgreSQLDialect"/>
>         </properties>
>     </persistence-unit>
> </persistence>
>
> *file: standalone.xml*
>
> <datasource jndi-name="..." pool-name="GroepsAdminDS" use-java-context="true" use-ccm="true">
>     <connection-url>jdbc:postgresql://URL</connection-url>
>     <driver>postgresql</driver>
>     <validation>
>         <check-valid-connection-sql>select 1</check-valid-connection-sql>
>         <background-validation>true</background-validation>
>         <background-validation-millis>10000</background-validation-millis>
>     </validation>
>     <security>
>         <user-name>username</user-name>
>         <password>pass</password>
>     </security>
> </datasource>
> <drivers>
>     <driver name="h2" module="...">
>         <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
>     </driver>
>     <driver name="postgresql" module="...">
>         <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
>     </driver>
> </drivers>
>
> *file: class where I want to use the entitymanager*
>
> import javax.ejb.Stateless;
> import javax.persistence.EntityManager;
> import javax.persistence.PersistenceContext;
>
> @Stateless
> public class Leden {
>
>     @PersistenceContext(name = "groepsadmin")
>     private EntityManager entityManager;
>
>     // The container runs the constructor before it injects any fields,
>     // so entityManager is still null at this point.
>     public Leden(EntityManager em) {
>         if (entityManager == null){
>             System.out.println("EntityManger is null");
>         }
>     }
> }
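As an added example (not code from this thread or from Keycloak's `providers` examples), the same bean with the null check moved to a lifecycle point at which the container has already injected the field; the unit name `groepsadmin` and the `LidEntity` count query are assumptions:

```java
import javax.annotation.PostConstruct;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
public class Leden {

    // unitName must equal the <persistence-unit name="..."> in META-INF/persistence.xml.
    // "groepsadmin" is an assumption; the archived message does not show the unit name.
    @PersistenceContext(unitName = "groepsadmin")
    private EntityManager entityManager;

    // A session bean needs a public no-arg constructor. The container calls it
    // before any injection happens, so the field is always null in here and
    // testing it at this point says nothing about whether injection works.
    public Leden() {
    }

    // Injection is complete when @PostConstruct runs: this is the earliest
    // point at which a missing EntityManager can be detected, and failing
    // here surfaces the misconfiguration when the instance is created
    // instead of at the first query.
    @PostConstruct
    void verifyInjection() {
        if (entityManager == null) {
            throw new IllegalStateException(
                "EntityManager not injected: check the persistence-unit name and the datasource JNDI name");
        }
    }

    // Example query against the entity listed in persistence.xml (entity name assumed).
    public long countLeden() {
        return entityManager
            .createQuery("select count(l) from LidEntity l", Long.class)
            .getSingleResult();
    }
}
```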
From mposolda at redhat.com Tue Mar 13 16:42:36 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Mar 2018 21:42:36 +0100
Subject: [keycloak-user] Keycloak LDAP login without user interaction
Message-ID: <32e60815-6ac7-5070-c1a6-392827ee7dff@redhat.com>

On 12/03/18 12:43, Fernando Quiroga wrote:
> Hi everyone,
>
> I'm following this post http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html to configure my
> application to login with AD FS with the SAML protocol.
>
> My setup is an Angular 5 UI using the keycloak-js adapter. When the app
> starts I launch the Keycloak.init({ onLoad: 'login-required'}) method to
> make the Keycloak login page appear. Right now I'm able to login using
> email and password or by clicking the SAML SSO button and logging in through
> the AD FS login page.
>
> What do I want to do? I want Keycloak to trigger the SAML SSO before
> showing the login screen. I mean, if on my PC I'm logged in with an AD FS
> account I want Keycloak to log me in directly with this account and only
> take me to the login page if I'm not a member of the AD FS, so I could
> log in via email and password.

We have the parameter "kc_idp_hint", which can be used to automatically redirect to the specified IDP. But I am not sure if it works so that it automatically detects if you are logged in there. In the worst case, you may need to write your own custom Authenticator to achieve exactly what you want.
Marek

> Regards
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From j.keith at xsb.com Tue Mar 13 17:00:04 2018
From: j.keith at xsb.com (Jordan Keith)
Date: Tue, 13 Mar 2018 16:00:04 -0500 (CDT)
Subject: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
References: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com>
Message-ID: <1723951784.41696744.1520974804108.JavaMail.zimbra@xsb.com>

I am using version 3.4.3.

Thanks,
Jordan

From: "Marek Posolda"
To: "Jordan Keith", "keycloak-user"
Sent: Tuesday, March 13, 2018 4:31:17 PM
Subject: Re: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)

What is the Keycloak version used? Could you try with the latest 3.4.3?

Marek

On 12/03/18 13:22, Jordan Keith wrote:
> We have set the SSO Session Idle to 13 minutes to match our access token lifespan of 15 minutes in order to work around the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login. Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario:
>
> 1). Log into application.
> 2). Close browser tab containing application.
> 3). Wait 15 minutes (SSO idle + 2 minute grace period)
> 4). Open application again. You'll be directed to the login page by keycloak.
> 5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning."
>
> Why do I receive this error even when I attempt to login immediately after opening the log in page?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Mar 14 01:53:02 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Mar 2018 06:53:02 +0100
Subject: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
In-Reply-To: <1723951784.41696744.1520974804108.JavaMail.zimbra@xsb.com>
References: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com> <1723951784.41696744.1520974804108.JavaMail.zimbra@xsb.com>
Message-ID: <30e4b606-29bc-6e5a-7e22-22e06175fd72@redhat.com>

I think I know what's going on. Could you please create a JIRA and assign it to me?

BTW. We never tested a setup where accessTokenLifespan is bigger than the session idle timeout. It's a bit strange setup as your session will most likely always time out before you have a chance to refresh tokens. So the user will de facto need to re-login every 15 minutes. But if you are fine with this limitation, then ok :)

Marek

On 13/03/18 22:00, Jordan Keith wrote:
> I am using version 3.4.3.
>
> Thanks,
> Jordan
>
> ------------------------------------------------------------------------
> *From: *"Marek Posolda"
> *To: *"Jordan Keith", "keycloak-user"
> *Sent: *Tuesday, March 13, 2018 4:31:17 PM
> *Subject: *Re: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
>
> What is the Keycloak version used? Could you try with the latest 3.4.3?
>
> Marek
>
> On 12/03/18 13:22, Jordan Keith wrote:
> > We have set the SSO Session Idle to 13 minutes to match our access token lifespan of 15 minutes in order to work around the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login.
> > Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario:
> >
> > 1). Log into application.
> > 2). Close browser tab containing application.
> > 3). Wait 15 minutes (SSO idle + 2 minute grace period)
> > 4). Open application again. You'll be directed to the login page by keycloak.
> > 5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning."
> >
> > Why do I receive this error even when I attempt to login immediately after opening the log in page?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From msakho at redhat.com Wed Mar 14 02:38:41 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 14 Mar 2018 07:38:41 +0100
Subject: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?

I will try it with the jgroups modules picked from rhsso. I think that we could get them from the following link:
https://github.com/jboss-container-images/redhat-sso-7-image

I will try it with the latest keycloak version.
Did you need to pass the KUBE_PING environment variable?

On Wed, Mar 14, 2018 at 12:01 AM, Stephen Henrie wrote:
> Thanks for the confirmation on the RHSSO 7.2.
>
> Regarding my clustering...
>
> Below are the relevant portions of the docker build file that I used to
> get the KUBE_PING working, though I could only see the clustering working
> when new pods were added to the cluster; it had no ability to remove pods from
> the cluster when the pod was removed AFAIK. That might still be the case
> with SSO as well.
>
> I have attached the relevant config file as well.
You should be able to > diff the *attached standalone-ha-postgres.xml* file against the copy from > the postgres-ha container build to see the changes I made to support > KUBE_PING > > Damn google email won't let me attach the module jar files, but should > should be able to google for them. > > Regards, > > Stephen > > ==== > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *FROM jboss/keycloak-ha-postgres:3.2.1.FinalMAINTAINER Stephen Henrie > >USER rootRUN yum install -y > pel-release jq git gettext && yum clean all#Give correct permissions when > used in an OpenShift environment.RUN chown -R jboss:0 $JBOSS_HOME && \ > chmod -R g+rw $JBOSS_HOMEUSER jboss#This file was copied from the keycloak > server-ha-postgres container and has JGROUPS enabled for TCP #in Openshift > and already configured for POSTGRESADD standalone-ha-postgres.xml > $JBOSS_HOME/standalone/configuration/standalone-ha.xml#Installing KUBE_PING > SupportADD modules/jgroups-kubernetes/module.xml > $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/module.xmlADD > modules/jgroups-kubernetes/common-0.9.3.jar > $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/common-0.9.3.jarADD > modules/jgroups-kubernetes/dns-0.9.3.jar > $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/dns-0.9.3.jarADD > modules/jgroups-kubernetes/kubernetes-0.9.3.jar > $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/kubernetes-0.9.3.jarADD > modules/jgroups-kubernetes/oauth-20090531.jar > $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/oauth-20090531.jarRUN > sed -ie 's@\(\)@ name="org.jgroups.kubernetes.kubernetes"/>\n \1@' > $JBOSS_HOME/modules/system/layers/base/org/jgroups/main/module.xmlCMD > ["-b", "0.0.0.0", "--server-config", "standalone-ha.xml"]* > > > > On Tue, Mar 13, 2018 at 2:48 PM, Meissa M'baye Sakho > wrote: > >> Stephen, >> I can confirm you that the RHSS O7.2 has 
KUBE_PING enabled. >> Can you share with me what you did in the keycloak postgres-ha image? >> Meissa >> >> >> On Tue, Mar 13, 2018 at 8:18 PM, Stephen Henrie >> wrote: >> >>> Yeah, I have successfully built an Openshift cluster for keycloak 3.2.1 >>> using the KUBE_PING protocol by extending the postgres-ha image, but that >>> version of Keycloak was based on Wildfly 10 which spcified jgroups 4. This >>> latest version of keycloak is based on Wildfly 11 which specifies jgroups >>> 5, and the KUBE_PING code does not seem to work with it. >>> >>> I am going to look into the latest Redhat SSO 7.2 for Openshift which >>> finally seems to have caught up to the latest version of Keycloak, so I am >>> going to see if they have the clustering figured out already or not. >>> >>> It's always something... >>> >>> Stephen >>> >>> On Tue, Mar 13, 2018 at 4:15 AM, Meissa M'baye Sakho >>> wrote: >>> >>>> Stephen, >>>> I will suggest you to read the following blog post [1] related to >>>> keycloak clustering. >>>> You'll need to use the docker image [2] instead if you want the >>>> clustering to work in a docker environment. >>>> >>>> If you are in a kubernetes environnement, you'll not be able to use the >>>> native KUBE_PING protocol since the keycloak image does not include this >>>> feature yet. >>>> Unles you try to build the following [3] >>>> pull request >>>> >>>> >>>> [1]=http://blog.keycloak.org/2015/04/running-keycloak-cluste >>>> r-with-docker.html >>>> [2]=https://github.com/jmowla/keycloak/blob/master/server-ha >>>> -postgres/Dockerfile >>>> [3]=https://github.com/jboss-dockerfiles/keycloak/pull/96 >>>> >>>> >>>> Meissa >>>> >>>> On Mon, Mar 12, 2018 at 5:15 PM, Stephen Henrie >>>> wrote: >>>> >>>>> Meissa, >>>>> >>>>> Thanks for the heads up on the deprecation. Do you know off the top >>>>> of you head if that keycloak server image that is referenced here ( >>>>> https://hub.docker.com/r/jboss/keycloak-postgres/) supports an HA >>>>> deployment as well? 
>>>>> >>>>> Thanks >>>>> Stephen >>>>> >>>>> On Mon, Mar 12, 2018 at 12:41 AM, Meissa M'baye Sakho < >>>>> msakho at redhat.com> wrote: >>>>> >>>>>> Stephen, the postgress-ha docker image is deprecated. It's clearly >>>>>> stated in the following: >>>>>> https://hub.docker.com/r/jboss/keycloak-postgres/ >>>>>> @Marco, I undestand your point. >>>>>> Maybe do you need to extend the keyclaok image. >>>>>> Meissa >>>>>> >>>>>> On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie >>>>>> wrote: >>>>>> >>>>>>> Actually, the postgres-ha docker image that is tagged for >>>>>>> 3.4.3.Final installs version 3.4.2. I had to rebuild that image myself and >>>>>>> replace the "latest" tag with a "3.4.3.Final" tag in order to have the >>>>>>> correct version. >>>>>>> >>>>>>> Regards, >>>>>>> Stephen >>>>>>> >>>>>>> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho < >>>>>>> msakho at redhat.com> wrote: >>>>>>> >>>>>>>> Marco, >>>>>>>> which docker image are you using? >>>>>>>> The latest docker image the rely on Keycloak 3.4.3 has been updated >>>>>>>> to >>>>>>>> handle either postgresql or mysql. >>>>>>>> You'll find information you're looking for in the following link at >>>>>>>> the >>>>>>>> PostgreSQL section. >>>>>>>> https://hub.docker.com/r/jboss/keycloak/ >>>>>>>> thanks, >>>>>>>> Meissa >>>>>>>> >>>>>>>> >>>>>>>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas >>>>>>>> wrote: >>>>>>>> >>>>>>>> > Hi there, >>>>>>>> > >>>>>>>> > i am trying to use the Docker Image for Keycloak but I seem to be >>>>>>>> unable to >>>>>>>> > set a schema for the tables that are created in PostgreSQL. >>>>>>>> Currently all >>>>>>>> > tables end up in the public schema. >>>>>>>> > Is there a way that i can instruct Keycloak to create the tables >>>>>>>> inside a >>>>>>>> > schema? 
>>>>>>>> > >>>>>>>> > Kind regards, >>>>>>>> > Marco Pas >>>>>>>> > _______________________________________________ >>>>>>>> > keycloak-user mailing list >>>>>>>> > keycloak-user at lists.jboss.org >>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> > >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From sthorger at redhat.com Wed Mar 14 02:55:49 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Mar 2018 07:55:49 +0100 Subject: [keycloak-user] Keycloak and Wildfly 12 In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D72AA260BB@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> References: <61D077C6283D454FAFD06F6AC4AB74D72AA260BB@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Message-ID: Adapters should work. We'll move server to WildFly 12 soon. On 13 Mar 2018 10:03 am, "Matuszak, Eduard" wrote: Hello Is it still possible to install the newest Keycloak 3.4.3 on a Wildfly 12? According to the download site https://www.keycloak.org/downloads.html Wildfly up to version 11 is supported. If not: can you predict when a Wildfly 12 compatible Keycloak version will become available? 
Best regards, Eduard Matuszak _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From pinguwien at gmail.com Wed Mar 14 04:13:34 2018 From: pinguwien at gmail.com (Dominik Guhr) Date: Wed, 14 Mar 2018 09:13:34 +0100 Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode In-Reply-To: References: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> Message-ID: <4c572884-03c7-f48d-d418-a262c9746ec9@gmail.com> So, the example UserStorageProvider is stateful: https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProvider.java Do you think it would be enough to remove the annotation here? Sorry, but to be honest I don't know what impact this has and there are other applications in production using the kc, so I am unwilling to just "change it and see what happens" at the moment, for in worst case there might be some impact on the other applications (which are not using the custom provider, but still..) Would be nice to have some insights on exactly why this is stateful. Best regards, Dominik p.s: Is there a clustered-keycloak-ootb-dockerimage so that I can eventually test myself locally without having too much time lost setting up the whole cluster myself? Am 13.03.18 um 21:36 schrieb Marek Posolda: > I guess those examples were not tested in cluster environment. > > It seerms the issue is, that some stateful EJB is trying to serialize, > but EJB has reference on DefaultKeycloakSession, which is not > serializable (and shouldn't be as it's not supposed to be serialized and > sent over network). > > I am not 100% sure, but if it's possible to get rid of stateful EJB and > use "standalone" JPA, it may help. 
Also it may help if you mark some > fields transient in your EJB or write custom infinispan externalizers. > See infinispan/Wildfly docs for more info. > > Marek > > On 12/03/18 13:08, Dominik Guhr wrote: >> Hi everyone, >> >> so I'm on kc 3.4.3.Final and running a custom UserStorageProvider >> ("MyAppUserStorage" below) based on the github example jpa storage >> provider. It's all working well in dev-environment, which is not >> clustered. >> >> But in my clustered production-kc-environment (using standalone-ha, 2 >> nodes), the exception below is thrown. >> Seems like it has no effect, though, I can successfully use the app, >> even stop one node and everythings working fine. >> >> Now these logentries are at least annoying and I want to know whats >> happening here, so I hope someone could help me out. Do I have to make >> some classes @Serializable or something? (e.g. UserAdapter.java?) to >> work correctly in clustered mode? >> >> Would be great to get some help here! If you need more information or >> code, feel free to ask :) >> >> Best regards, >> Dominik >> >> Log: >> 2018-03-08 14:38:21,220 ERROR >> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >> ISPN000073: Unexpected error while replicating: >> org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.services.DefaultKeycloakSession >> Caused by: an exception which occurred: >> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >> ????????? in field >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >> >> ????????? in object >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >> >> ????????? in field >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >> >> ????????? 
in object >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >> >> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >> ????????? in object >> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >> >> ????????? in object >> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >> >> 2018-03-08 14:38:21,220 ERROR >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-14) ISPN000136: Error executing command PrepareCommand, writing >> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >> org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.services.DefaultKeycloakSession >> Caused by: an exception which occurred: >> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >> ????????? in field >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >> >> ????????? in object >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >> >> ????????? in field >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >> >> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >> ????????? in object >> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >> >> ????????? 
at >> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >> >> ????????? ... 75 more >> Caused by: org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.services.DefaultKeycloakSession >> Caused by: an exception which occurred: >> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >> ????????? in field >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >> >> ????????? in object >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >> >> ????????? in field >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >> >> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >> ????????? in object >> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >> >> ????????? in object >> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >> >> 2018-03-08 14:38:21,226 ERROR >> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >> ISPN000073: Unexpected error while replicating: >> org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.services.DefaultKeycloakSession >> Caused by: an exception which occurred: >> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >> ????????? in field >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >> >> ????????? 
in object >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >> >> ????????? in field >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >> >> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >> ????????? in object >> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >> >> ????????? in object >> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >> >> 2018-03-08 14:38:21,226 ERROR >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-14) ISPN000136: Error executing command PrepareCommand, writing >> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >> org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.services.DefaultKeycloakSession >> Caused by: an exception which occurred: >> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >> ????????? in field >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >> >> ????????? in object >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >> >> ????????? in field >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >> >> ????????? 
in object java.util.concurrent.ConcurrentHashMap at 51f3597e >> ????????? in object >> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >> >> ????????? in object >> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >> >> 2018-03-08 14:38:21,226 ERROR >> [org.infinispan.transaction.impl.TransactionCoordinator] (default >> task-14) ISPN000097: Error while processing a prepare in a single-phase >> transaction: org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.services.DefaultKeycloakSession >> Caused by: an exception which occurred: >> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >> ????????? in field >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >> >> ????????? in object >> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >> >> ????????? in field >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >> >> ????????? in object >> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >> >> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >> ????????? in object >> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >> >> ????????? in object >> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >> >> 2018-03-08 14:38:21,227 WARN >> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >> ISPN000112: exception while committing: javax.transaction.xa.XAException >> ????????? 
>>         at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
>>         at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
>>         at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
>>         at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
>>         at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
>>         at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
>>         at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
>>         at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
>>         at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
>>         at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
>>         at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
>>         at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
>>         at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
>>         at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
>>         at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
>>         at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
>>         at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
>>         at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
>>         at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
>>         at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
>>         at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
>>         at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92)
>>         at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279)
>>         at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332)
>>         at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
>>         at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
>>         at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
>>         at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
>>         at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
>>         at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
>>         at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
>>         at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
>>         at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown Source)
>>         at org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265)
>>         at org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130)
>>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95)
>>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>         at java.lang.Thread.run(Thread.java:748)
>> Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>> Caused by: an exception which occurred:
>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>         in object my.app.de.keycloak.MyAppUserStorage@1f4565de
>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@1e32e6c3
>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>         in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>         in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>         in object org.infinispan.commands.tx.PrepareCommand@f4eee60e
>>
>> 2018-03-08 14:38:21,238 WARN
>> [org.jboss.as.txn] (default task-14) WFLYTX0027: The pre-jca synchronization org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization@32861c5f associated with tx TransactionImple < ac, BasicAction: 0:ffff0a7f0895:-364bcb73:5a9d46fe:590c status: ActionStatus.COMMITTED > failed during after completion: org.infinispan.commons.CacheException: javax.transaction.HeuristicRollbackException
From mposolda at redhat.com Wed Mar 14 08:06:58 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Mar 2018 13:06:58 +0100
Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode
In-Reply-To: <4c572884-03c7-f48d-d418-a262c9746ec9@gmail.com>
References: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> <4c572884-03c7-f48d-d418-a262c9746ec9@gmail.com>
Message-ID:

On 14/03/18 09:13, Dominik Guhr wrote:
> So, the example UserStorageProvider is stateful:
> https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProvider.java
>
> Do you think it would be enough to remove the annotation here?

Not sure TBH. I would personally get rid of EJB and use a "standalone" entity manager, something similar to what Keycloak itself is doing to manipulate its JPA model. But maybe it's just me and there is something simple which can be done to have it working correctly with a stateful EJB on WildFly...
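Marek's suggestion, worked out as an added example that is not code from this thread or from the Keycloak examples: the provider is a plain object created per request by its factory, and the factory bootstraps its own EntityManagerFactory, so no @Stateful bean holding the KeycloakSession ever reaches the Infinispan bean cache. The persistence unit name "my-app-users", the AppUser entity and the provider id "my-app-user-storage" are assumptions.

```java
package my.app.de.keycloak;

import java.util.List;
import javax.persistence.*;
import org.keycloak.Config;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.*;
import org.keycloak.storage.*;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

// Added example, not the thread's or Keycloak's own code. One file for brevity (each class would get
// its own file); the persistence unit name, the AppUser entity and the provider id are assumptions.
public class MyAppUserStorageFactory implements UserStorageProviderFactory<MyAppUserStorage> {
    private EntityManagerFactory emf;

    @Override
    public void init(Config.Scope config) {
        // Standalone JPA bootstrap, the way Keycloak handles its own model, instead of a
        // container-managed @PersistenceContext inside an EJB (assumed RESOURCE_LOCAL unit).
        emf = Persistence.createEntityManagerFactory("my-app-users");
    }

    @Override
    public MyAppUserStorage create(KeycloakSession session, ComponentModel model) {
        // One short-lived EntityManager per Keycloak session (i.e. per request).
        return new MyAppUserStorage(session, model, emf.createEntityManager());
    }

    @Override public String getId() { return "my-app-user-storage"; }
    @Override public void close() { if (emf != null) emf.close(); }
}

// Plain object, no @Stateful: the EJB container never manages, passivates or replicates it, so the
// KeycloakSession it holds (not Serializable, and not meant to be) is never marshalled by Infinispan.
class MyAppUserStorage implements UserStorageProvider, UserLookupProvider {
    private final KeycloakSession session;
    private final ComponentModel model;
    private final EntityManager em;

    MyAppUserStorage(KeycloakSession session, ComponentModel model, EntityManager em) {
        this.session = session;
        this.model = model;
        this.em = em;
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Federated ids look like "f:<component id>:<external id>"; AbstractUserAdapter builds the
        // external part from the username, so strip the prefix and look the username up.
        return getUserByUsername(StorageId.externalId(id), realm);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        AppUser entity = em.find(AppUser.class, username);
        return entity == null ? null : new UserAdapter(session, realm, model, entity);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        List<AppUser> found = em.createQuery("select u from AppUser u where u.email = :email", AppUser.class)
                .setParameter("email", email).setMaxResults(1).getResultList();
        return found.isEmpty() ? null : new UserAdapter(session, realm, model, found.get(0));
    }

    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }

    // Keycloak calls close() when it closes the session; release the per-request EntityManager here.
    @Override public void close() { em.close(); }
}

// Read-only UserModel view; AbstractUserAdapter derives the Keycloak id from getUsername().
class UserAdapter extends AbstractUserAdapter {
    private final AppUser entity;

    UserAdapter(KeycloakSession session, RealmModel realm, ComponentModel model, AppUser entity) {
        super(session, realm, model);
        this.entity = entity;
    }

    @Override public String getUsername() { return entity.getUsername(); }
    @Override public String getEmail() { return entity.getEmail(); }
}

// Hypothetical entity for the external user table (constructed for this example).
@Entity
class AppUser {
    @Id private String username;
    private String email;
    String getUsername() { return username; }
    String getEmail() { return email; }
}
```

The factory is registered like any other provider, via META-INF/services/org.keycloak.storage.UserStorageProviderFactory, and the jar needs its own persistence.xml listing AppUser under the assumed unit name.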
Marek

> Sorry, but to be honest I don't know what impact this has and there
> are other applications in production using the kc, so I am unwilling
> to just "change it and see what happens" at the moment, for in worst
> case there might be some impact on the other applications (which are
> not using the custom provider, but still..)
>
> Would be nice to have some insights on exactly why this is stateful.
>
> Best regards,
> Dominik
>
> P.S.: Is there a clustered-keycloak-ootb-dockerimage so that I can
> eventually test myself locally without having too much time lost
> setting up the whole cluster myself?
>
>
> On 13.03.18 at 21:36, Marek Posolda wrote:
>> I guess those examples were not tested in a cluster environment.
>>
>> It seems the issue is that some stateful EJB is trying to
>> serialize, but the EJB has a reference to DefaultKeycloakSession, which is
>> not serializable (and shouldn't be, as it's not supposed to be
>> serialized and sent over the network).
>>
>> I am not 100% sure, but if it's possible to get rid of the stateful EJB
>> and use "standalone" JPA, it may help. It may also help if you mark
>> some fields transient in your EJB or write custom Infinispan
>> externalizers. See the Infinispan/WildFly docs for more info.
>>
>> Marek
>>
>> On 12/03/18 13:08, Dominik Guhr wrote:
>>> Hi everyone,
>>>
>>> so I'm on kc 3.4.3.Final and running a custom UserStorageProvider
>>> ("MyAppUserStorage" below) based on the GitHub example JPA storage
>>> provider. It's all working well in the dev environment, which is not
>>> clustered.
>>>
>>> But in my clustered production kc environment (using standalone-ha, 2
>>> nodes), the exception below is thrown.
>>> It seems to have no effect, though: I can successfully use the app,
>>> even stop one node, and everything's working fine.
>>>
>>> Now these log entries are at least annoying and I want to know what's
>>> happening here, so I hope someone could help me out. Do I have to make
>>> some classes @Serializable or something (e.g.
>>> UserAdapter.java?) to
>>> work correctly in clustered mode?
>>>
>>> Would be great to get some help here! If you need more information or
>>> code, feel free to ask :)
>>>
>>> Best regards,
>>> Dominik
>>>
>>> Log:
>>> 2018-03-08 14:38:21,220 ERROR
>>> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14)
>>> ISPN000073: Unexpected error while replicating:
>>> org.infinispan.commons.marshall.NotSerializableException:
>>> org.keycloak.services.DefaultKeycloakSession
>>> Caused by: an exception which occurred:
>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>         in object my.app.de.keycloak.MyAppUserStorage@1f4565de
>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>>         in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>>         in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>>         in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
at >>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>> >>> ????????? at >>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>> >>> ????????? ... 75 more >>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>> org.keycloak.services.DefaultKeycloakSession >>> Caused by: an exception which occurred: >>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>> ????????? in field >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>> >>> ????????? in object >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>> >>> ????????? in field >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>> >>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>> ????????? in object >>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>> >>> ????????? in object >>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>> >>> 2018-03-08 14:38:21,226 ERROR >>> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >>> ISPN000073: Unexpected error while replicating: >>> org.infinispan.commons.marshall.NotSerializableException: >>> org.keycloak.services.DefaultKeycloakSession >>> Caused by: an exception which occurred: >>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>> ????????? 
in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>> ????????? in field >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>> >>> ????????? in object >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>> >>> ????????? in field >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>> >>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>> ????????? in object >>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>> >>> ????????? in object >>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>> >>> 2018-03-08 14:38:21,226 ERROR >>> [org.infinispan.interceptors.InvocationContextInterceptor] (default >>> task-14) ISPN000136: Error executing command PrepareCommand, writing >>> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >>> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >>> org.infinispan.commons.marshall.NotSerializableException: >>> org.keycloak.services.DefaultKeycloakSession >>> Caused by: an exception which occurred: >>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>> ????????? in field >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>> >>> ????????? in object >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>> >>> ????????? in field >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>> >>> ????????? 
in object >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>> >>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>> ????????? in object >>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>> >>> ????????? in object >>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>> >>> 2018-03-08 14:38:21,226 ERROR >>> [org.infinispan.transaction.impl.TransactionCoordinator] (default >>> task-14) ISPN000097: Error while processing a prepare in a single-phase >>> transaction: org.infinispan.commons.marshall.NotSerializableException: >>> org.keycloak.services.DefaultKeycloakSession >>> Caused by: an exception which occurred: >>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>> ????????? in field >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>> >>> ????????? in object >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>> >>> ????????? in field >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>> >>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>> ????????? in object >>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>> >>> ????????? in object >>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>> >>> 2018-03-08 14:38:21,227 WARN >>> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >>> ISPN000112: exception while committing: >>> javax.transaction.xa.XAException >>> ????????? at >>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>> >>> ????????? at >>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>> >>> ????????? at >>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>> >>> ????????? at >>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>> >>> ????????? at >>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>> >>> ????????? 
at >>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>> >>> ????????? at >>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>> >>> ????????? at >>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>> >>> ????????? at >>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>> >>> ????????? at >>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>> >>> ????????? at >>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>> >>> ????????? at >>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>> ????????? at >>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>> >>> ????????? at >>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>> >>> ????????? at >>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>> >>> ????????? at >>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>> >>> ????????? at >>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) >>> >>> ????????? 
at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) >>> >>> ????????? 
at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) >>> >>> ????????? at >>> org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) >>> >>> ????????? at >>> org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) >>> >>> ????????? at >>> org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) >>> ????????? at >>> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) >>> >>> ????????? at >>> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) >>> >>> ????????? at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown >>> Source) >>> ????????? at >>> org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) >>> >>> ????????? at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) >>> >>> ????????? at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) >>> >>> ????????? at >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>> ????????? at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> >>> ????????? at >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>> >>> ????????? 
at >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> >>> ????????? at >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> >>> ????????? at >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> >>> ????????? at >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> >>> ????????? at >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? 
at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>> >>> ????????? at >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>> >>> ????????? at >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> >>> ????????? at >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? 
at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>> >>> ????????? at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>> ????????? at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>> >>> ????????? at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>> >>> ????????? at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>> >>> ????????? at java.lang.Thread.run(Thread.java:748) >>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>> org.keycloak.services.DefaultKeycloakSession >>> Caused by: an exception which occurred: >>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>> ????????? in field >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>> >>> ????????? in object >>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>> >>> ????????? in field >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>> >>> ????????? in object >>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>> >>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>> ????????? 
in object >>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>> >>> ????????? in object >>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>> >>> 2018-03-08 14:38:21,238 WARN? [org.jboss.as.txn] (default task-14) >>> WFLYTX0027: The pre-jca synchronization >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 32861c5f >>> >>> associated with tx TransactionImple < ac, BasicAction: >>> 0:ffff0a7f0895:-364bcb73:5a9d46fe:590c status: ActionStatus.COMMITTED > >>> failed during after completion: org.infinispan.commons.CacheException: >>> javax.transaction.HeuristicRollbackException >>> ????????? at >>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) >>> >>> ????????? at >>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>> >>> ????????? at >>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>> >>> ????????? at >>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>> >>> ????????? at >>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>> >>> ????????? 
at >>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>> >>> ????????? at >>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>> >>> ????????? at >>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>> >>> ????????? at >>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>> ????????? at >>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>> >>> ????????? at >>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>> >>> ????????? at >>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>> >>> ????????? at >>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>> >>> ????????? at >>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) >>> >>> ????????? at >>> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? 
at >>> org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? 
at >>> org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) >>> >>> ????????? at >>> org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) >>> >>> ????????? at >>> org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) >>> >>> ????????? at >>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>> >>> ????????? at >>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) >>> >>> ????????? at >>> org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) >>> ????????? at >>> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) >>> >>> ????????? at >>> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) >>> >>> ????????? at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown >>> Source) >>> ????????? at >>> org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) >>> >>> ????????? at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) >>> >>> ????????? at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) >>> >>> ????????? at >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>> ????????? at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> >>> ????????? at >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> >>> ????????? 
at >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> >>> ????????? at >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> >>> ????????? at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> >>> ????????? at >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> >>> ????????? at >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? 
at >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>> >>> ????????? at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>> >>> ????????? at >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>> >>> ????????? at >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> >>> ????????? at >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> >>> ????????? 
at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> >>> ????????? at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>> >>> ????????? at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>> ????????? at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>> >>> ????????? at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>> >>> ????????? at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>> >>> ????????? at java.lang.Thread.run(Thread.java:748) >>> Caused by: javax.transaction.HeuristicRollbackException >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>> >>> ????????? at >>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>> >>> ????????? ... 91 more >>> Caused by: javax.transaction.xa.XAException >>> ????????? at >>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>> >>> ????????? at >>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>> >>> ????????? at >>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>> >>> ????????? at >>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>> >>> ????????? ... 
95 more
>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>>> Caused by: an exception which occurred:
>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>         in object my.app.de.keycloak.MyAppUserStorage at 1f4565de
>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c
>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3
>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535
>>>         in object java.util.concurrent.ConcurrentHashMap at 51f3597e
>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8
>>>         in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d
>>>        
in object org.infinispan.commands.tx.PrepareCommand at f4eee60e
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>

From j.keith at xsb.com Wed Mar 14 08:53:23 2018
From: j.keith at xsb.com (Jordan Keith)
Date: Wed, 14 Mar 2018 07:53:23 -0500 (CDT)
Subject: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
In-Reply-To: <30e4b606-29bc-6e5a-7e22-22e06175fd72@redhat.com>
References: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com> <1723951784.41696744.1520974804108.JavaMail.zimbra@xsb.com> <30e4b606-29bc-6e5a-7e22-22e06175fd72@redhat.com>
Message-ID: <527597643.42005350.1521032003699.JavaMail.zimbra@xsb.com>

We do refresh the token in our application every few minutes, so it's not really an issue for us. The reason we are using this setup is because Chrome and other browsers don't delete session cookies if they are set to remember a user's opened tabs, so a user's session will remain active until the SSO Session Idle timeout is hit if they close the tab. We don't want their session to remain open for more than the accessTokenLifespan unless they are active.

I have created KEYCLOAK-6839, but don't seem to be able to assign it to anybody.

Thanks for your help.

Thanks,
Jordan

From: "Marek Posolda"
To: "Jordan Keith" , "keycloak-user"
Sent: Wednesday, March 14, 2018 1:53:02 AM
Subject: Re: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)

I think I know what's going on. Could you please create JIRA and assign to me?

BTW. We never tested setup where accessTokenLifespan is bigger than session idle timeout. It's a bit strange setup as your session will most likely always time out before you have a chance to refresh tokens. So user will de facto need to re-login every 15 minutes.
But if you are fine with this limitation, then ok :)

Marek

On 13/03/18 22:00, Jordan Keith wrote:

I am using version 3.4.3.

Thanks,
Jordan

From: "Marek Posolda"
To: "Jordan Keith" , "keycloak-user"
Sent: Tuesday, March 13, 2018 4:31:17 PM
Subject: Re: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)

What is Keycloak version used? Could you try with latest 3.4.3?

Marek

On 12/03/18 13:22, Jordan Keith wrote:
> We have set the SSO Session Idle to 13 minutes to match our access token lifespan of 15 minutes in order to work around the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login. Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario:
>
> 1). Log into application.
> 2). Close browser tab containing application.
> 3). Wait 15 minutes (SSO idle + 2 minute grace period)
> 4). Open application again. You'll be directed to the login page by keycloak.
> 5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning."
>
> Why do I receive this error even when I attempt to login immediately after opening the log in page?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From malys at mageos.com Wed Mar 14 10:11:47 2018
From: malys at mageos.com (malys)
Date: Wed, 14 Mar 2018 15:11:47 +0100 (CET)
Subject: [keycloak-user] 2FA protection for a specific resource
Message-ID: <1227223255.166144.1521036707187.JavaMail.www@wsfrf1413>

Hi,
I want to protect a high-risk feature with 2FA. Historically, we use
SMS 2FA. I want to offer the same feature but ideally I would also like to be able
to integrate the native Keycloak OTP authenticator (more secure).
That's why, based on keycloak-sms-authenticator-sns
<https://github.com/nickpack/keycloak-sms-authenticator-sns>, I have
improved this authenticator (here:
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>).

I have searched the Keycloak 3.4.3 documentation but, within the same realm, I
haven't seen any feature to require 2FA when the end user wants to access a
specific resource.
The role mechanism allows managing access (403 / 200) but it doesn't seem to
cover my use case.
I'm not sure that UMA 2.0 could offer this feature. Moreover, it
isn't implemented yet.
Level of assurance looks very good, but it isn't implemented yet and it would
be difficult to do.

I could include a servlet filter in the business application (JBoss adapter)
to route the user to the 2FA authenticator when they want to access the resource.
But in this case I have to propagate state between Keycloak and the Java
adapter so as not to ask for the 2FA code on each access.
It could be a little bit tricky in cluster mode (stateless service).

Below, I describe the use case.

<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_management.png>


Do you have any idea how to cover this use case easily based on native Keycloak
features?
If not, in your opinion, what is the best solution (see
above)? (easiest integration for maintainability, clustering support and 2FA
technique agnostic)

Thank you for sharing your experience.
From palermo at pobox.com Wed Mar 14 11:01:31 2018
From: palermo at pobox.com (Bruno Palermo)
Date: Wed, 14 Mar 2018 12:01:31 -0300
Subject: [keycloak-user] Registration Page URL
Message-ID: <027701d3bba5$57f09960$07d1cc20$@pobox.com>

Hi,

Currently I'm using the JavaScript adapter to create the registration URL, but we are facing some issues with Googlebot regarding the site redirection.

I tried to create the registration page URL manually:

https://localhost:8080/auth/realms//protocol/openid-connect/registrations?client_id=&redirect_uri=&state=&nonce=&response_mode=fragment&response_type=code&scope=openid

Unfortunately, when the user clicks on the link, sometimes an error happens: "Page has expired. To restart the login process. To continue the login process".

Is it possible to redirect to the registration page without using the Keycloak adapter?

Thanks,
Bruno

From kousuke.taniguchi at gmail.com Thu Mar 15 03:08:30 2018
From: kousuke.taniguchi at gmail.com (Kousuke TANIGUCHI)
Date: Thu, 15 Mar 2018 16:08:30 +0900
Subject: [keycloak-user] TimePolicy in Authorization Policy Evaluation
Message-ID:

Hi, All

I was experimenting with authorization and policy.
I feel that TimePolicy does not work well with *Contextual Information / Date*.

## Case 1.
TimePolicy : hour 12 - 14
Evaluate at 13:30:00
Result : PERMIT

## Case 2.
TimePolicy : hour 12 - 14
* Contextual Information *
Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
Evaluate at 13:35:00
Result : PERMIT

## Case 3.
TimePolicy : hour 10 - 12
Evaluate at 13:40:00
Result : DENY

## Case 4.
TimePolicy : hour 10 - 12
* Contextual Information *
Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
Evaluate at 13:40:00
Result : DENY

In TimePolicyProvider.java, actualTime = new Date();
but it should be checked whether evaluation.getContext().getAttribute("kc.time.date_time") is provided.

Regards.
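A small model of the TimePolicy hour check from the report above, added here as an example (it is not Keycloak's TimePolicyProvider): it replays the four cases once with the wall clock only, which reproduces the reported results, and once with the kc.time.date_time contextual attribute honoured, which is what the report asks for. Function names, the ISO wall-clock input and inclusive hour bounds are assumptions; the attribute name and the "MM/dd/yyyy hh:mm:ss" pattern are taken from the report.

```python
"""Model of the TimePolicy 'hour' check, with and without honouring the
kc.time.date_time contextual attribute.

Added example, not Keycloak's code: the function names are our own, and the
inclusive hour bounds are an assumption of this model.
"""
from datetime import datetime
from typing import Mapping

# Attribute name quoted in the report; pattern is the one the admin console
# shows ("MM/dd/yyyy hh:mm:ss"). Java's "hh" is a 12-hour clock with no AM/PM
# marker, so "09:30:00" parses as 9 AM and an afternoon hour cannot be entered
# in that field at all; "%I" mirrors that quirk here.
CONTEXT_DATE_ATTR = "kc.time.date_time"
CONTEXT_DATE_PATTERN = "%m/%d/%Y %I:%M:%S"


def resolve_evaluation_time(context: Mapping[str, str], wall_clock_iso: str) -> datetime:
    """Time the policy should evaluate against.

    The contextual attribute wins when it is supplied (that is the point of the
    evaluate tab); otherwise the wall clock is used, i.e. the `new Date()` path.
    A malformed attribute raises ValueError instead of silently falling back, so
    a typo in the evaluate tab is not mistaken for a live-clock result.
    """
    raw = context.get(CONTEXT_DATE_ATTR)
    if raw is None or not raw.strip():
        return datetime.fromisoformat(wall_clock_iso)
    return datetime.strptime(raw.strip(), CONTEXT_DATE_PATTERN)


def evaluate_time_policy(hour_start: int, hour_end: int, context: Mapping[str, str],
                         wall_clock_iso: str, honour_context: bool = True) -> str:
    """Return "PERMIT" or "DENY" for a policy limited to hour_start..hour_end.

    honour_context=False reproduces the reported behaviour, where the provider
    always takes the wall clock and the contextual date is ignored.
    """
    if honour_context:
        when = resolve_evaluation_time(context, wall_clock_iso)
    else:
        when = datetime.fromisoformat(wall_clock_iso)
    permitted = hour_start <= when.hour <= hour_end  # inclusive bounds (assumption)
    return "PERMIT" if permitted else "DENY"


def run_thread_cases(honour_context: bool) -> dict:
    """The four cases from the report; the wall-clock dates are constructed,
    only the time of day matters."""
    ctx = {CONTEXT_DATE_ATTR: "02/14/2018 09:30:00"}
    return {
        "case1": evaluate_time_policy(12, 14, {}, "2018-03-15T13:30:00", honour_context),
        "case2": evaluate_time_policy(12, 14, ctx, "2018-03-15T13:35:00", honour_context),
        "case3": evaluate_time_policy(10, 12, {}, "2018-03-15T13:40:00", honour_context),
        "case4": evaluate_time_policy(10, 12, ctx, "2018-03-15T13:40:00", honour_context),
    }


if __name__ == "__main__":
    # Only case 2 differs: 09:30 is outside 12-14, so it should be DENY.
    print("reported:", run_thread_cases(honour_context=False))
    print("expected:", run_thread_cases(honour_context=True))
```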
From francis.zabala at yahoo.com Thu Mar 15 07:07:51 2018
From: francis.zabala at yahoo.com (Francis Zabala)
Date: Thu, 15 Mar 2018 11:07:51 +0000 (UTC)
Subject: [keycloak-user] Best setup to extend Keycloak
In-Reply-To: <1904022123.759815.1474003323381@mail.yahoo.com>
References: <1904022123.759815.1474003323381.ref@mail.yahoo.com> <1904022123.759815.1474003323381@mail.yahoo.com>
Message-ID: <1217308828.1033768.1521112071996@mail.yahoo.com>

Just wanted to give an update. I had given up on this and created my auth provider and it was a nightmare.

Anyway, is it possible to extend or customize Keycloak so that user registration needs just a mobile number and a password generated by the server and sent to the user via SMS?

Also, what's the best way to test a custom SPI? Does that mean we have to deploy it to Keycloak every time we want to test it?

On Friday, September 16, 2016, 1:22:03 PM GMT+8, Francis Zabala wrote:

Hello,

What is the best setup to develop a custom SPI for Keycloak? I just skimmed the example code on GitHub and wondered how to test my code. Not the TDD way of testing but a simple, hey, will this run properly?

Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS API for subscriber verification.

Regards,
Francis

From psilva at redhat.com Thu Mar 15 07:35:34 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 15 Mar 2018 08:35:34 -0300
Subject: [keycloak-user] TimePolicy in Authorization Policy Evaluation
In-Reply-To:
References:
Message-ID:

Thanks. Created https://issues.jboss.org/browse/KEYCLOAK-6853.

On Thu, Mar 15, 2018 at 4:08 AM, Kousuke TANIGUCHI < kousuke.taniguchi at gmail.com> wrote:
> Hi, All
>
> I was experimenting with authorization and policy.
> I feel that TimePolicy does not work well with *Contextual Information / Date*.
>
> ## Case 1.
> TimePolicy : hour 12 - 14
> Evaluate at 13:30:00
> Result : PERMIT
>
> ## Case 2.
> TimePolicy : hour 12 - 14
> * Contextual Information *
> Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
> Evaluate at 13:35:00
> Result : PERMIT
>
> ## Case 3.
> TimePolicy : hour 10 - 12
> Evaluate at 13:40:00
> Result : DENY
>
> ## Case 4.
> TimePolicy : hour 10 - 12
> * Contextual Information *
> Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
> Evaluate at 13:40:00
> Result : DENY
>
> In TimePolicyProvider.java, actualTime = new Date();
> but it should be checked whether evaluation.getContext().getAttribute("kc.time.date_time") is provided
>
> Regards.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mbelivea at redhat.com Thu Mar 15 11:05:48 2018
From: mbelivea at redhat.com (Matthew Beliveau)
Date: Thu, 15 Mar 2018 11:05:48 -0400 (EDT)
Subject: [keycloak-user] A question on how to connect two keycloak servers
In-Reply-To: <186129375.8296513.1521126315606.JavaMail.zimbra@redhat.com>
Message-ID: <1530950313.8296798.1521126348722.JavaMail.zimbra@redhat.com>

Hello,

I have five VMs running, one with an Apache protected app connected to a Keycloak (Keycloak A) server through mod_auth_mellon. This Keycloak server is connected to an IPA server (IPA A). I also have another Keycloak (Keycloak B) server connected to another IPA server (IPA B). What I want to happen is when I log in to the Apache app, I want the first Keycloak (A) server to connect to the second Keycloak (B) server and obtain the user's info on the IPA server (B). Then I want the user's info to be updated on the first IPA server (A), and if the user doesn't exist then I want the user to be made.

I want to know if that is possible right now to do and if it isn't, how should I go about achieving my goal. I also want to know if it involves writing a plug-in, where in the Keycloak or IPA code should I look.
Any help would be greatly appreciated, and sorry if this is the wrong place to ask this question.

Thank you,
Matthew Beliveau

From cedric.thiebault at sensefly.com Thu Mar 15 11:15:16 2018
From: cedric.thiebault at sensefly.com (Cedric Thiebault)
Date: Thu, 15 Mar 2018 15:15:16 +0000
Subject: [keycloak-user] SpringBoot 2.0 OAuth2 client with Keycloak: missing roles
Message-ID:

Hi,

I'm trying to use the Spring Boot 2 OAuth2 client with Keycloak (3.4.3). It works well except users always get the ROLE_USER authority even if they have other roles within the Keycloak client.

I've uploaded my sample project if you want to have a quick look: https://github.com/cthiebault/keycloak-spring-boot-2.0

It's quite straightforward... I had a look at https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/reference/htmlsingle/#oauth2login-advanced-map-authorities to add Keycloak roles to the user's granted authorities but I don't know which Keycloak endpoint to use...

Any help would be very appreciated :-)

Cedric

From ntle at castortech.com Thu Mar 15 14:07:02 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 15 Mar 2018 14:07:02 -0400
Subject: [keycloak-user] Permission logic vs Policy logic
Message-ID:

Hello,

In the admin console, Logic can be set to Negative and Positive for Policy but not Permission. This led me to think that the Policy acts as a filter and the Permission is just to tie that filter to a resource (with or without scope). However, when I look at the permission test case testCreateResourcePermission() (https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd7133f8a35375/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourcePermissionManagementTest.java) I see Permission also has Logic. So now I'm thinking Policy logic is to negate the policy statement (if needed) and Permission logic is to control deny or grant access to the resource, am I correct?
If not, what are the differences between Permission logic and Policy logic? Why is there no option to change Permission logic in the admin console?

Thai

From ntle at castortech.com Thu Mar 15 15:34:31 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 15 Mar 2018 15:34:31 -0400
Subject: [keycloak-user] access granted when testing on admin console but denied by browser
Message-ID:

Hello,

I have 1 realm with 2 clients (client0 and client1). I want to set up security so that some users can access client0, others can access client1 and some can access both. Here is what I did:

. Create a default realm role "USER" to be assigned to new accounts; this is used to configure the security-constraint in the web.xml of my app.
. Create a client role for each client, with the same name though (client-user); this is to configure a policy to grant access to anyone who has the "client-user" role specific to the target client.
. For each user who needs to access client0, I assign the client role "client-user" of client0.
The same thing for anyone who wants to access client1.

Here is my authorization config for client0:

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "uri": "/*",
      "type": "urn:client0:resources:default"
    }
  ],
  "policies": [
    {
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "name": "Client Isolation By Role Policy",
      "description": "Anyone who has client-user role specific to this client",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"client0/client-user\",\"required\":true}]"
      }
    },
    {
      "name": "Default Permission",
      "description": "A permission that applies to the default resource type",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:client0:resources:default",
        "applyPolicies": "[\"Default Policy\"]"
      }
    },
    {
      "name": "Client Isolation By Role Permission",
      "description": "Anyone who has client-user role specific to this client can access this client",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Default Resource\"]",
        "applyPolicies": "[\"Client Isolation By Role Policy\"]"
      }
    }
  ],
  "scopes": []
}

Authorization config for client1 is the same.

When I tested with the evaluate tab on the admin console, for some accounts I got the correct result. However, when I try to access the clients from the browser, I get 403 all the time. I think it has something to do with my web.xml config because I see the 403 reason is !role when I am trying to access a client that I SHOULD be able to access.
Here is my web.xml:

client0 not-found-any-where /* * KEYCLOAK bigrealm user

Do I need to declare the client role in the web.xml? If not, what am I missing?

Thank you in advance
Thai

From mich8978978 at gmail.com Thu Mar 15 15:47:50 2018
From: mich8978978 at gmail.com (Misha Smart)
Date: Thu, 15 Mar 2018 21:47:50 +0200
Subject: [keycloak-user] Where can I find list of allowed characters for the username?
Message-ID:

Hi everyone,

I was not able to create users with a slash ("/") and backslash ("\"). Where can I find the list of allowed characters for the username? Do you use a regular expression for the username? If yes, what is the expression?

From ntle at castortech.com Thu Mar 15 18:36:17 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 15 Mar 2018 18:36:17 -0400
Subject: [keycloak-user] jetty need restart after policy changed on keycloak
Message-ID:

Hello,

I have a few applications that are running on Jetty; they are configured to be protected by Keycloak with authorization enabled. While running some tests which require dropping the realm and recreating it (programmatically), I observed that if I don't restart Jetty after recreating the realm/clients/policy/permission, ... then I always get forbidden (403) when I try to access the protected app. Restarting Jetty solves this problem. Is this normal behavior? If not, how can I fix this?

Thank you
Thai

From soumya.mishra at aktana.com Thu Mar 15 18:40:27 2018
From: soumya.mishra at aktana.com (Soumya Mishra)
Date: Thu, 15 Mar 2018 15:40:27 -0700
Subject: [keycloak-user] How does OKTA compares to KEYCLOAK
Message-ID:

Hello All,

Okta seems to have a better UI than Keycloak but mostly seems to do a lot of similar things. If anyone has already compared both systems, please can you let me know what the differences and advantages are. Any links, blogs or text will be appreciated.
Regards,
Soumya

From mposolda at redhat.com Fri Mar 16 03:55:46 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Mar 2018 08:55:46 +0100
Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode
In-Reply-To:
References: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> <4c572884-03c7-f48d-d418-a262c9746ec9@gmail.com>
Message-ID: <12cddcfa-cd4b-2c80-7d00-8e48bc64bf26@redhat.com>

Someone else from our team worked around the issue with Stateful EJB by using @Stateful(passivationCapable=false) on the SFSB as described here [1] and it resolved the issue. But it's possible that his issue is a bit different than yours. Just a blind tip :)

[1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/developing_ejb_applications/clustered_enterprise_javabeans

Marek

On 14/03/18 13:06, Marek Posolda wrote:
> On 14/03/18 09:13, Dominik Guhr wrote:
>> So, the example UserStorageProvider is stateful:
>> https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProvider.java
>>
>> Do you think it would be enough to remove the annotation here?
> Not sure TBH.
>
> I would personally get rid of EJB and use "standalone" entity manager.
> Something similar to what Keycloak itself is doing to manipulate its
> JPA model. But maybe it's just me and there is something simple, which
> can be done to have it correctly working with stateful EJB on Wildfly...
>
> Marek
>> Sorry, but to be honest I don't know what impact this has and there
>> are other applications in production using the kc, so I am unwilling
>> to just "change it and see what happens" at the moment, for in worst
>> case there might be some impact on the other applications (which are
>> not using the custom provider, but still..)
>>
>> Would be nice to have some insights on exactly why this is stateful.
>>
>> Best regards,
>> Dominik
>>
>> p.s: Is there a clustered-keycloak-ootb-dockerimage so that I can
>> eventually test myself locally without having too much time lost
>> setting up the whole cluster myself?
>>
>>
>> On 13.03.18 at 21:36, Marek Posolda wrote:
>>> I guess those examples were not tested in cluster environment.
>>>
>>> It seems the issue is, that some stateful EJB is trying to
>>> serialize, but EJB has reference on DefaultKeycloakSession, which is
>>> not serializable (and shouldn't be as it's not supposed to be
>>> serialized and sent over network).
>>>
>>> I am not 100% sure, but if it's possible to get rid of stateful EJB
>>> and use "standalone" JPA, it may help. Also it may help if you mark
>>> some fields transient in your EJB or write custom infinispan
>>> externalizers. See infinispan/Wildfly docs for more info.
>>>
>>> Marek
>>>
>>> On 12/03/18 13:08, Dominik Guhr wrote:
>>>> Hi everyone,
>>>>
>>>> so I'm on kc 3.4.3.Final and running a custom UserStorageProvider
>>>> ("MyAppUserStorage" below) based on the github example jpa storage
>>>> provider. It's all working well in dev-environment, which is not
>>>> clustered.
>>>>
>>>> But in my clustered production-kc-environment (using standalone-ha, 2
>>>> nodes), the exception below is thrown.
>>>> Seems like it has no effect, though, I can successfully use the app,
>>>> even stop one node and everything's working fine.
>>>>
>>>> Now these log entries are at least annoying and I want to know what's
>>>> happening here, so I hope someone could help me out. Do I have to make
>>>> some classes @Serializable or something? (e.g. UserAdapter.java?) to
>>>> work correctly in clustered mode?
>>>>
>>>> Would be great to get some help here!
>>>> If you need more information or code, feel free to ask :)
>>>>
>>>> Best regards,
>>>> Dominik
>>>>
>>>> Log:
>>>> 2018-03-08 14:38:21,220 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>>>> Caused by: an exception which occurred:
>>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>>         in object my.app.de.keycloak.MyAppUserStorage at 1f4565de
>>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c
>>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06
>>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535
>>>>         in object java.util.concurrent.ConcurrentHashMap at 51f3597e
>>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8
>>>>         in object org.infinispan.commands.write.PutKeyValueCommand at 63f7437d
>>>>        
in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>> >>>> 2018-03-08 14:38:21,220 ERROR >>>> [org.infinispan.interceptors.InvocationContextInterceptor] (default >>>> task-14) ISPN000136: Error executing command PrepareCommand, writing >>>> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >>>> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >>>> org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>> >>>> 2018-03-08 14:38:21,220 ERROR >>>> [org.infinispan.transaction.impl.TransactionCoordinator] (default >>>> task-14) ISPN000097: Error while processing a prepare in a >>>> single-phase >>>> transaction: org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>> >>>> 2018-03-08 14:38:21,221 WARN >>>> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >>>> ISPN000112: exception while committing: >>>> javax.transaction.xa.XAException >>>> ????????? at >>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>> >>>> ????????? 
at >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>> >>>> ????????? at >>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>> >>>> ????????? at >>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>> >>>> ????????? at >>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>> ????????? 
at >>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>> >>>> ????????? at >>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>> >>>> ????????? at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>> >>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>> >>>> 2018-03-08 14:38:21,222 WARN? 
[org.jboss.as.txn] (default task-14) >>>> WFLYTX0027: The pre-jca synchronization >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 57f2b0a6 >>>> >>>> associated with tx TransactionImple < ac, BasicAction: >>>> 0:ffff0a7f0895:-364bcb73:5a9d46fe:5906 status: >>>> ActionStatus.COMMITTED > >>>> failed during after completion: org.infinispan.commons.CacheException: >>>> javax.transaction.HeuristicRollbackException >>>> ????????? at >>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>> >>>> ????????? at >>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>> >>>> ????????? at >>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>> >>>> ????????? 
at >>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>> >>>> ????????? at >>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>> >>>> ????????? at >>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>> ????????? at >>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>> >>>> ????????? at >>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>> >>>> ????????? at >>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>> >>>> ????????? at >>>> org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) >>>> >>>> ????????? at >>>> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) >>>> >>>> ????????? at >>>> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >>>> >>>> ????????? at >>>> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165) >>>> >>>> ????????? at >>>> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87) >>>> >>>> ????????? at >>>> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477) >>>> >>>> ????????? at >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426) >>>> >>>> ????????? at >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) >>>> >>>> ????????? 
at >>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) >>>> >>>> ????????? at >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> >>>> ????????? at >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> >>>> ????????? at >>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>> >>>> ????????? at >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>> >>>> ????????? at >>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>> ????????? at >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> >>>> ????????? at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>> >>>> ????????? 
at >>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> >>>> ????????? at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> >>>> ????????? at >>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>> >>>> ????????? at >>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>> >>>> ????????? at >>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>> >>>> ????????? at >>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>> >>>> ????????? at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>> >>>> ????????? at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>> >>>> ????????? at >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>> >>>> ????????? 
at >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>> >>>> ????????? at >>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>> >>>> ????????? at >>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>> >>>> ????????? at >>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>> >>>> ????????? at >>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>> ????????? 
at >>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>> >>>> ????????? at >>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>> >>>> ????????? at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>> >>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>> Caused by: javax.transaction.HeuristicRollbackException >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>> >>>> ????????? at >>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>> >>>> ????????? ... 71 more >>>> Caused by: javax.transaction.xa.XAException >>>> ????????? at >>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>> >>>> ????????? at >>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>> >>>> ????????? at >>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>> >>>> ????????? ... 75 more >>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? 
in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>> >>>> 2018-03-08 14:38:21,226 ERROR >>>> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >>>> ISPN000073: Unexpected error while replicating: >>>> org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>> >>>> ????????? 
in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>> >>>> 2018-03-08 14:38:21,226 ERROR >>>> [org.infinispan.interceptors.InvocationContextInterceptor] (default >>>> task-14) ISPN000136: Error executing command PrepareCommand, writing >>>> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >>>> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >>>> org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>> >>>> 2018-03-08 14:38:21,226 ERROR >>>> [org.infinispan.transaction.impl.TransactionCoordinator] (default >>>> task-14) ISPN000097: Error while processing a prepare in a >>>> single-phase >>>> transaction: org.infinispan.commons.marshall.NotSerializableException: >>>> org.keycloak.services.DefaultKeycloakSession >>>> Caused by: an exception which occurred: >>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>> ????????? in field >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>> >>>> ????????? in object >>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>> >>>> ????????? in field >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>> >>>> ????????? in object >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>> >>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>> ????????? in object >>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>> >>>> ????????? in object >>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>> >>>> 2018-03-08 14:38:21,227 WARN >>>> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >>>> ISPN000112: exception while committing: >>>> javax.transaction.xa.XAException >>>> ????????? at >>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>> >>>> ????????? 
at >>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>> >>>> ????????? at >>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>> >>>> ????????? at >>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>> >>>> ????????? at >>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>> >>>> ????????? at >>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>> >>>> ????????? 
at >>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>> >>>> ????????? at >>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>> >>>> ????????? at >>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>> >>>> ????????? at >>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>> ????????? at >>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>> >>>> ????????? at >>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>> >>>> ????????? at >>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>> >>>> ????????? at >>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) >>>> >>>> ????????? at >>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>> >>>> ????????? at >>>> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) >>>> >>>> ????????? at >>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>> >>>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> > From mposolda at redhat.com Fri Mar 16 04:43:19 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 16 Mar 2018 09:43:19 +0100 Subject: [keycloak-user] "You took too long to login" after first login request after SSO session idle occurs (NOT login timeout) In-Reply-To: <527597643.42005350.1521032003699.JavaMail.zimbra@xsb.com> References: <306249505.41046884.1520857362916.JavaMail.zimbra@xsb.com> <1723951784.41696744.1520974804108.JavaMail.zimbra@xsb.com> <30e4b606-29bc-6e5a-7e22-22e06175fd72@redhat.com> <527597643.42005350.1521032003699.JavaMail.zimbra@xsb.com> Message-ID: <9ec409f4-9556-89ea-ca6a-1d4cbd08680c@redhat.com> On 14/03/18 13:53, Jordan Keith wrote: > We do refresh the token in our application every few minutes, so it's > not really an issue for us. > > The reason we are using this setup is because Chrome and other > browsers don't delete session cookies if they are set to remember a > users opened tabs, so a user's session will remain active until the > SSO Session Idle timeout is hit if they close the tab. We don't want > their session to remain open for more than the accessTokenLifespan > unless they are active. > > I have created?KEYCLOAK-6839, but don't seem to be able to assign it > to anybody. Thanks for your help. Thanks, Marek > > Thanks, > Jordan > > ------------------------------------------------------------------------ > *From: *"Marek Posolda" > *To: *"Jordan Keith" , "keycloak-user" > > *Sent: *Wednesday, March 14, 2018 1:53:02 AM > *Subject: *Re: [keycloak-user] "You took too long to login" after > first login request after SSO session idle occurs (NOT login timeout) > > I think I know what's going on. Could you please create JIRA and > assign to me? > > BTV. 
We never tested setup where accessTokenLifespan is bigger than > session idle timeout.? It's a bit strange setup as your session will > most likely always timeouts before you have a chance to refresh > tokens. So user will defacto need to re-login every 15 minutes. But if > you are fine with this limitation, then ok :) > > Marek > > On 13/03/18 22:00, Jordan Keith wrote: > > I am using version 3.4.3. > > Thanks, > Jordan > > ------------------------------------------------------------------------ > *From: *"Marek Posolda" > *To: *"Jordan Keith" , "keycloak-user" > > *Sent: *Tuesday, March 13, 2018 4:31:17 PM > *Subject: *Re: [keycloak-user] "You took too long to login" after > first login request after SSO session idle occurs (NOT login timeout) > > What is Keycloak version used? Could you try with latest 3.4.3? > > Marek > > On 12/03/18 13:22, Jordan Keith wrote: > > We have set the SSO Session Idle to 13 minutes to match our > access token lifespace of 15 minutes in order to workaround the > fact that browsers may not delete session cookies. This has caused > another issue, whereby the user receives the error "You took too > long to login. Login process starting from beginning" even when > they spend no time waiting on the login screen in a certain > scenario. Here's the scenario: > > > > 1). Log into application. > > 2). Close browser tab containing application. > > 3). Wait 15 minutes (SSO idle + 2 minute grace period) > > 4). Open application again. You'll be directed to the login page > by keycloak. > > 5). Attempt to login and receive the error "You took too long to > login. Login process starting from beginning." > > > > Why do I receive this error even when I attempt to login > immediately after opening the log in page? 
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From lahari.guntha at tcs.com Fri Mar 16 07:48:41 2018 From: lahari.guntha at tcs.com (Lahari Guntha) Date: Fri, 16 Mar 2018 11:48:41 +0000 Subject: [keycloak-user] Group-Mapping Message-ID: <1521200921834.37549@tcs.com> Hi All, We are using keycloak of version 3.3.0.CR2. I have my Keycloak integrated with LDAP. I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP. eg: Users in LDAP: "user1" Groups in LDAP: "group1","group2" When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it. Now I add the user "user1" into another group "group2"... But now the newly added group is not reflected when click on User> Group Mapping. Why Is this happening?? What is the solution to continuously sync the users with the groups they are present in/added newly automatically???? Thanks, Lahari =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. 
Thank you From palermo at pobox.com Fri Mar 16 08:22:43 2018 From: palermo at pobox.com (Bruno Palermo) Date: Fri, 16 Mar 2018 09:22:43 -0300 Subject: [keycloak-user] Redirect to Keycloak without Adapter Error Message-ID: <04ac01d3bd21$7d5b4420$7811cc60$@pobox.com> Hi, Currently I'm using the JavaScript adapter to create the registration URL, but we are facing some issues with Googlebot regarding the site redirection. I tried to create manually the registration page url: https://localhost:8080/auth/realms//protocol/openid-connect/registrat ions?client_id=&redirect_uri=&state=&n once=&response_mode=fragment&response_type=code&scope=openid Unfortunately something when the user click on the link sometimes happens an error: "Page has expired. To restart the login process. To continue the login process". It's possible to redirect to the registration page without using the Keycloak adapter? Thanks, Bruno From simonpayne58 at gmail.com Fri Mar 16 09:36:45 2018 From: simonpayne58 at gmail.com (Simon Payne) Date: Fri, 16 Mar 2018 13:36:45 +0000 Subject: [keycloak-user] Group-Mapping In-Reply-To: <1521200921834.37549@tcs.com> References: <1521200921834.37549@tcs.com> Message-ID: hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache. On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote: > Hi All, > > > > We are using keycloak of version 3.3.0.CR2. > > I have my Keycloak integrated with LDAP. > > I have configured many applications to have SSO with Keycloak. I have > done all the configuration to have LDAP integration with Keycloak. I have > also configured Group mappers so that groups from LDAP are also synced to > LDAP. 
> > eg: > > Users in LDAP: "user1" > > Groups in LDAP: "group1","group2" > > > When i login into one of my application that is configured to have SSO > with keycloak with user "user1" that is present in group "group1"...that > user entry gets shown in the Keycloak UI page and we can also see the > groups mapped to it. > > > Now I add the user "user1" into another group "group2"... > > But now the newly added group is not reflected when click on User> Group > Mapping. > > > Why Is this happening?? > > > What is the solution to continuously sync the users with the groups they > are present in/added newly automatically???? > > > Thanks, > > Lahari > =====-----=====-----===== > Notice: The information contained in this e-mail > message and/or attachments to it may contain > confidential or privileged information. If you are > not the intended recipient, any dissemination, use, > review, distribution, printing or copying of the > information contained in this e-mail message > and/or attachments to it are strictly prohibited. If > you have received this communication in error, > please notify us by reply e-mail or telephone and > immediately and permanently delete the message > and any attachments. Thank you > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From simonpayne58 at gmail.com Fri Mar 16 09:53:09 2018 From: simonpayne58 at gmail.com (Simon Payne) Date: Fri, 16 Mar 2018 13:53:09 +0000 Subject: [keycloak-user] A question on how to connect two keycloak servers In-Reply-To: <1530950313.8296798.1521126348722.JavaMail.zimbra@redhat.com> References: <186129375.8296513.1521126315606.JavaMail.zimbra@redhat.com> <1530950313.8296798.1521126348722.JavaMail.zimbra@redhat.com> Message-ID: i'm not sure if i'm understanding your requirement exactly but it sounds similar to identity broker. 
this allows your clients to integrate to a single keycloak instance or realm which acts as broker for one or more identity providers. On Thu, Mar 15, 2018 at 3:05 PM, Matthew Beliveau wrote: > Hello, > > I have five VMs running, one with an Apache protected app connected to a > keycloak (Keycloak A) server through mod_auth_mellon. This Keycloak Server > is connected to an IPA server (IPA A). I also have another > Keycloak(keycloak B) server connected to another IPA server(IPA B). What I > want to happen is when I log in to the Apache app, I want the first > keycloak(A) server to connect to the second keycloak(B) server and obtain > the users info on the IPA Server(B). Then I want to user's info to be > updated on the first IPA server(A) and if the user doesn't exist then I > want the user to be made. I want to know if that is possible right now to > do and if it isn't how should I go about achieving my goal. I also want to > know if it involves writing a plug in, where in the keycloak or IPA code > should I look. > > Any help would be gratefully appreciated, and sorry if this is the wrong > place to ask this question. > > Thank you, > Matthew Beliveau > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From yuriy.yunikov at verygood.systems Fri Mar 16 10:11:01 2018 From: yuriy.yunikov at verygood.systems (Yuriy Yunikov) Date: Fri, 16 Mar 2018 14:11:01 +0000 Subject: [keycloak-user] Identity brokering - invalid request issue Message-ID: Hello, I'm using identity brokering with Identity Provider Redirector for browser sessions, so as of my understanding it works this way (simplified): 1) User access application page; 2) It gets redirected to KeyCloak; 3) KeyCloak redirects to IDP login page; 4) User performs login, IDP redirects to KeyCloak; 5) KeyCloak grants a token; Sometimes during this flow, users get "Invalid Request" error page. 
Here are the logs:

2018-03-16 09:19:48,125 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-1) Invalid request. Authorization code, clientId or tabId was null. Code=Ut8RrxKbNTPrAFcgxOEjx-r0n2-mUQW7, clientId=null, tabID=null
2018-03-16 09:19:48,129 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=test, clientId=null, userId=null, ipAddress=182.190.32.17, error=invalidRequestMessage
2018-03-16 09:19:48,130 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-1) invalidRequestMessage

Here is the line of code where it happens:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java#L989

The way I'm aware this can be reproduced is by accessing the IDP login page directly; this way steps 1 and 2 are skipped and the IDP doesn't know for which client to grant a token, so clientId is null. However, there were cases when users were accessing the application page and all redirect flows happened as they should have. I know that this occurred after 1-2 days of inactivity in the browser, but I don't know how to reproduce it.

Are there any ideas or suggestions how this "Invalid Request" problem can be resolved?

Regards,
Yuriy

From Paolo.Tedesco at cern.ch Fri Mar 16 10:41:06 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Fri, 16 Mar 2018 14:41:06 +0000
Subject: [keycloak-user] Mapping a user attribute to a custom claim
Message-ID: <6D320D40264A8545A9C25EC79DE1E325018B922B25@CERNXCHG43.cern.ch>

Hi all,
I've configured Google and Github as Identity Providers.
I would like to have one of the user attributes, the email, mapped to a custom claim, called "userPrincipalName".

I tried creating an Attribute Importer mapper, with
Social Profile JSON Field Path = emailaddress
User Attribute Name = userPrincipalName
but this does not seem to work.
Is there a way to log the JSON token obtained from the identity provider, so that I can have an idea of what should go in the "Social Profile JSON Field Path" field?

Thanks,
Paolo

From simonpayne58 at gmail.com Fri Mar 16 11:01:55 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Fri, 16 Mar 2018 15:01:55 +0000
Subject: [keycloak-user] Mapping a user attribute to a custom claim
In-Reply-To: <6D320D40264A8545A9C25EC79DE1E325018B922B25@CERNXCHG43.cern.ch>
References: <6D320D40264A8545A9C25EC79DE1E325018B922B25@CERNXCHG43.cern.ch>
Message-ID:

You can enable the DEBUG level logger org.keycloak.social.user_profile_dump in the standalone-ha.xml

http://www.keycloak.org/docs/latest/server_admin/index.html#_mappers

From Paolo.Tedesco at cern.ch Fri Mar 16 11:20:42 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Fri, 16 Mar 2018 15:20:42 +0000
Subject: [keycloak-user] Mapping a user attribute to a custom claim
In-Reply-To:
References: <6D320D40264A8545A9C25EC79DE1E325018B922B25@CERNXCHG43.cern.ch>
Message-ID: <6D320D40264A8545A9C25EC79DE1E325018B922B76@CERNXCHG43.cern.ch>

I tried this in standalone.xml, but nothing gets logged:

Then I restart the service and tail -f /opt/keycloak/standalone/log/server.log but when I authenticate with Google I don't see anything in the logs.
Am I doing something wrong?

From abhi.raghav007 at gmail.com Fri Mar 16 15:14:11 2018
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Sat, 17 Mar 2018 00:44:11 +0530
Subject: [keycloak-user] Mod_auth_openidc vs keycloak proxy
Message-ID:

Hi

I have been using mod_auth_openidc for a while and it's kind of a cool solution for header based authentication for some legacy systems. But I am sort of doubtful about the use cases I am building around and the nature of the setup we have. I have sort of different components which maintain their own sessions but all link via keycloak as IDP.

A few months back I heard about the new generation keycloak proxy plan in the same mailing chain. It was very cool and since it is going to be supported and built in to keycloak, I was excited to see it in action. But since then I never saw any updates around that. Does the keycloak team have any near future plans to implement this cool new version of keycloak proxy? I am really looking forward to having that as that would be a big add to support legacy systems which do not support oidc or saml.

Thanks
Abhishek

From john.kalantzis at drugdev.com Fri Mar 16 16:33:57 2018
From: john.kalantzis at drugdev.com (John Kalantzis)
Date: Fri, 16 Mar 2018 20:33:57 +0000
Subject: [keycloak-user] Hardcoded Group IdP mapper
Message-ID:

Hello,

I have a use case for which I need to add users created during the broker login flow to a group depending on their IdP. So similar to the Hardcoded Role mapper but with a group. I know this is possible with a custom mapper, which is what I will fall back on, but, to save myself some trouble, can anyone think of another way to do it?
I know there is a script authenticator but there isn't a lot of documentation about it, so I'm not sure if I can add it there somehow?

From yuriy.yunikov at verygood.systems Fri Mar 16 16:48:39 2018
From: yuriy.yunikov at verygood.systems (Yuriy Yunikov)
Date: Fri, 16 Mar 2018 20:48:39 +0000
Subject: [keycloak-user] Scalable architecture for multi-tenant (multi-resource) auth solution
Message-ID:

We're evaluating two different architectures for setting up KeyCloak to allow users to grant access to other users and third parties to tenants within our system. I'm looking for experienced feedback on these to try and save some time with experimentation.

## First approach *Dynamic Client Registration*

In this approach we would have several static services (resource servers) that orchestrate access, and then each tenant is represented via a dynamically registered client. We would then have a static set of roles (permissions) which are assigned between the user and client when they are granted access. The total universe of roles is then fixed. The proliferation here is between users and clients or resource servers and clients.

## Second approach *Dynamic Role Generation*

In this approach we're considering dynamically generating roles (permissions) for each tenant in the system. We're thinking of mirroring AWS's URN style so that the permissions look something like this. They follow the general structure `urn:service:tenant:permission`. E.g.

- urn:service-1:tenant-id-1:read
- urn:service-1:tenant-id-2:read
- urn:service-1:tenant-id-1:write
- urn:service-1:tenant-id-1:admin
- urn:service-2:tenant-id-1:read

This is very simple and powerful, but we have the potential for the JWT to proliferate in size as we connect a user or service to more and more tenants.

I feel like the first approach is more standard but requires us to add more complexity into the system, since we have to deal with registering clients and guiding the user through the auth delegation flow each time they want to grant a server access to a client that they own. The second approach is dead simple technically but less standards compliant.

What do people tend to do in the real world to address this issue? Our system has an unlimited number of tenants, but realistically each user is going to be associated with a few dozen at most. Third party applications (which are all dynamic clients) will potentially be associated with hundreds or thousands of other clients.

From yuriy.yunikov at verygood.systems Fri Mar 16 16:55:42 2018
From: yuriy.yunikov at verygood.systems (Yuriy Yunikov)
Date: Fri, 16 Mar 2018 20:55:42 +0000
Subject: [keycloak-user] Scalable architecture for multi-tenant (multi-resource) auth solution
Message-ID:

We're evaluating two different architectures for setting up KeyCloak to allow users to grant access to other users and third parties to tenants within our system. I'm looking for experienced feedback on these to try and save some time with experimentation.

## First approach *Dynamic Client Registration*

In this approach we would have several static services (resource servers) that orchestrate access, and then each tenant is represented via a dynamically registered client. We would then have a static set of roles (permissions) which are assigned between the user and client when they are granted access. The total universe of roles is then fixed. The proliferation here is between users and clients or resource servers and clients.

## Second approach *Dynamic Role Generation*

In this approach we're considering dynamically generating roles (permissions) for each tenant in the system. We're thinking of mirroring AWS's URN style so that the permissions look something like this. They follow the general structure `urn:service:tenant:permission`. E.g.

- urn:service-1:tenant-id-1:read
- urn:service-1:tenant-id-2:read
- urn:service-1:tenant-id-1:write
- urn:service-1:tenant-id-1:admin
- urn:service-2:tenant-id-1:read

This is very simple and powerful, but we have the potential for the JWT to proliferate in size as we connect a user or service to more and more tenants.

I feel like the first approach is more standard but requires us to add more complexity into the system, since we have to deal with registering clients and guiding the user through the auth delegation flow each time they want to grant a server access to a client that they own. The second approach is dead simple technically but less standards compliant.

We've been evaluating the Authorization API (UMA) for this, but it doesn't fit at the moment as there are a number of unresolved issues on KeyCloak which have to be addressed:

https://issues.jboss.org/browse/KEYCLOAK-4134
https://issues.jboss.org/browse/KEYCLOAK-6321
https://issues.jboss.org/browse/KEYCLOAK-5737
https://issues.jboss.org/browse/KEYCLOAK-6868
https://issues.jboss.org/browse/KEYCLOAK-6547

What do people tend to do in the real world to address this issue? Our system has an unlimited number of tenants, but realistically each user is going to be associated with a few dozen at most. Third party applications (which are all dynamic clients) will potentially be associated with hundreds or thousands of other clients.

From koneru.chowdary at gmail.com Sat Mar 17 14:49:26 2018
From: koneru.chowdary at gmail.com (Venky)
Date: Sat, 17 Mar 2018 22:49:26 +0400
Subject: [keycloak-user] EventListener provider not firing new realm creation event
Message-ID:

Hello All,

I have implemented a custom EventListener provider by following the documentation http://www.keycloak.org/docs/latest/server_development/index.html#_events and github examples.
It is able to receive events except the realm event (new realm creation). I would like to get the notification about the realm event as well. I couldn't find any way to get the realm event notification, nor any documentation. I presume this is not implemented for the current event listener. Is there any other way to implement this? If anyone was able to achieve this, could you please give me some heads up on what needs to be done in order to receive realm events.

Thank you.

Best Regards,
*Venky Koneru*

From nielsbne at gmail.com Sun Mar 18 10:06:48 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 19 Mar 2018 00:06:48 +1000
Subject: [keycloak-user] Loading a custom form authenticator fails with Failed to define class ... UsernamePasswordForm
Message-ID:

Hi there,

getting kinda desperate here... I wrote a custom form authenticator that extends the UsernamePasswordForm of Keycloak and packaged it up in an EJB jar inside an EAR file (almost identical to the official example). I can configure it in the authentication flow, but as soon as it is loaded as part of an auth flow I get a "Failed to define class org/keycloak/authentication/authenticators/browser/UsernamePasswordForm" error.

I have another authenticator in the same package that does *not* extend org.keycloak.authentication.authenticators.browser.UsernamePasswordForm and it loads and executes fine. I tried adding the module keycloak-services explicitly to my EJB jar's deployment descriptor:

No avail. Looks like something is wrong with the way Keycloak accesses the classes discovered by ServiceLoader. Anyone got any hints or seen this before?
Many thanks Niels Full stack trace: 23:13:01,107 WARN [org.jboss.modules] (default task-44) Failed to define class my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordForm in Module "deployment.custom-keycloak-extension-archive.ear.custom-user-federation-ejb.jar" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link my/sso/plugins/authentication/authenticators/browser/CustomUsernamePasswordForm (Module "deployment.custom-keycloak-extension-archive.ear.custom-user-federation-ejb.jar" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordForm at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:77) at org.jboss.modules.Module.loadModuleClass(Module.java:713) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) at my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordFormFactory.create(CustomUsernamePasswordFormFactory.java:56) at my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordFormFactory.create(CustomUsernamePasswordFormFactory.java:16) at 
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:164) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:127) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) From nielsbne at gmail.com Sun Mar 18 11:01:52 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Mon, 19 Mar 2018 01:01:52 +1000 Subject: [keycloak-user] Loading a custom form authenticator fails with Failed to define class ... UsernamePasswordForm In-Reply-To: References: Message-ID: For anyone interested, here a simplified repoducable example of the custom form authenticator failure. https://github.com/bertramn/custom-form-authenticator On Mon, Mar 19, 2018 at 12:06 AM, Niels Bertram wrote: > Hi there, > > getting kinda desperate here... I wrote a custom form authenticator that > extends the UsernamePasswordForm of Keycloak and packaged it up in an EJB > jar inside an EAR file (almost identical to the official example > ). 
> I can configure it in the authentication flow but as soon as it is loaded > as part of an auth flow I get " Failed to define class > org/keycloak/authentication/authenticators/browser/UsernamePasswordForm " > error. > > I have another authenticator in the same package that does *not *extend > org.keycloak.authentication.authenticators.browser.UsernamePasswordForm > and it loads and executes fine. I tried adding the module > keycloak-services explicitly to my EJB jars deployment descriptor: > > > > > > > > > > > > No avail. Looks like something wrong with the way Keycloak accesses the > classes discovered by ServiceLoader. Anyone got any hints or seen this > before? > > Many thanks Niels > > > Full stack trace: > > 23:13:01,107 WARN [org.jboss.modules] (default task-44) Failed to define > class my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordForm > in Module "deployment.custom-keycloak-extension-archive.ear.custom-user-federation-ejb.jar" > from Service Module Loader: java.lang.NoClassDefFoundError: Failed to > link my/sso/plugins/authentication/authenticators/browser/CustomUsernamePasswordForm > (Module "deployment.custom-keycloak-extension-archive.ear.custom-user-federation-ejb.jar" > from Service Module Loader): org/keycloak/authentication/ > authenticators/browser/UsernamePasswordForm > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance( > NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance( > DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.jboss.modules.ModuleClassLoader.defineClass( > ModuleClassLoader.java:446) > at org.jboss.modules.ModuleClassLoader.loadClassLocal( > ModuleClassLoader.java:274) > at org.jboss.modules.ModuleClassLoader$1.loadClassLocal( > ModuleClassLoader.java:77) > at 
org.jboss.modules.Module.loadModuleClass(Module.java:713) > at org.jboss.modules.ModuleClassLoader.findClass( > ModuleClassLoader.java:190) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClassUnchecked(ConcurrentClassLoader.java:412) > at org.jboss.modules.ConcurrentClassLoader.performLoadClass( > ConcurrentClassLoader.java:400) > at org.jboss.modules.ConcurrentClassLoader.loadClass( > ConcurrentClassLoader.java:116) > at my.sso.plugins.authentication.authenticators.browser. > CustomUsernamePasswordFormFactory.create(CustomUsernamePasswordFormFact > ory.java:56) > at my.sso.plugins.authentication.authenticators.browser. > CustomUsernamePasswordFormFactory.create(CustomUsernamePasswordFormFact > ory.java:16) > at org.keycloak.authentication.DefaultAuthenticationFlow. > processFlow(DefaultAuthenticationFlow.java:164) > at org.keycloak.authentication.DefaultAuthenticationFlow. > processFlow(DefaultAuthenticationFlow.java:127) > at org.keycloak.authentication.AuthenticationProcessor. > authenticateOnly(AuthenticationProcessor.java:853) > at org.keycloak.authentication.AuthenticationProcessor. > authenticate(AuthenticationProcessor.java:722) > at org.keycloak.protocol.AuthorizationEndpointBase. > handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint. > buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java: > 395) > at org.keycloak.protocol.oidc.endpoints. 
> AuthorizationEndpoint.build(AuthorizationEndpoint.java:139) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:140) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:406) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:213) > at org.jboss.resteasy.plugins.server.servlet. > ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) > at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter. 
> doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter( > ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) > at io.undertow.servlet.handlers.security. > ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler. > java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler. > handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security. > SecurityContextAssociationHandler.handleRequest( > SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.servlet.handlers.security. > SSLInformationAssociationHandler.handleRequest( > SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security. > ServletAuthenticationCallHandler.handleRequest( > ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security. > ServletConfidentialityConstraintHandler.handleRequest( > ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security. > CachedAuthenticatedSessionHandler.handleRequest( > CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler. 
> handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc. > JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at org.wildfly.extension.undertow.deployment. > GlobalRequestControllerHandler.handleRequest( > GlobalRequestControllerHandler.java:68) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler. > handleFirstRequest(ServletInitialHandler.java:292) > at io.undertow.servlet.handlers.ServletInitialHandler.access$ > 100(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call( > ServletInitialHandler.java:138) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call( > ServletInitialHandler.java:135) > at io.undertow.servlet.core.ServletRequestContextThreadSet > upAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call( > ContextClassLoaderSetupAction.java:43) > at org.wildfly.extension.undertow.security. > SecurityContextThreadSetupAction.lambda$create$0( > SecurityContextThreadSetupAction.java:105) > at org.wildfly.extension.undertow.deployment. > UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0( > UndertowDeploymentInfoService.java:1508) > at org.wildfly.extension.undertow.deployment. > UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0( > UndertowDeploymentInfoService.java:1508) > at org.wildfly.extension.undertow.deployment. 
From omri.tavor at forcepoint.com Mon Mar 19 03:34:14 2018
From: omri.tavor at forcepoint.com (Omri Tavor)
Date: Mon, 19 Mar 2018 07:34:14 +0000
Subject: [keycloak-user] Combining transparent and opaque tokens
Message-ID:

Hi,

A quick newbie question. My application has multiple backend services and a few public gateways for public APIs. I need all of my services to have the full user information (name, roles etc.) but I don't want each of the backend services sending requests to the Keycloak server in order to get this information (this would greatly impact performance and force the application to be fully synchronous).

Can I use opaque tokens for my public API (both backend calls and user calls) and then have a transparent token as the request goes through my backend services? In other words, I want to verify the user and get its information only on the initial request and then have all of the user data embedded in a token as it travels through the backend services.
This token should have to be refreshed after some time.

Can I do that?

Thanks,
Omri.

From fquirogam8 at gmail.com Mon Mar 19 06:11:13 2018
From: fquirogam8 at gmail.com (Fernando Quiroga)
Date: Mon, 19 Mar 2018 11:11:13 +0100
Subject: [keycloak-user] AD FS logout
Message-ID:

Hi everyone,

I'm using keycloak-js with an AD FS to log in my users. My problem comes when I want to log them out, because they get redirected all the time inside my application. Here is the flow:

1) The user is logged in to my site, so he is in my site dashboard
2) User logs out
3) User is redirected to the index of my site; keycloak checks that the user isn't logged in and redirects him (due to the kc_idp_hint parameter) to the AD FS login screen, but because the user is already logged in to his AD FS, he is redirected again to my site and then to the dashboard.

So this is an infinite loop for logging out, because the keycloak logout in keycloak-js is not logging the user out from AD FS.

Is there any possible solution to this?

Regards

From lahari.guntha at tcs.com Mon Mar 19 06:55:11 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Mon, 19 Mar 2018 10:55:11 +0000
Subject: [keycloak-user] HA for keycloak
Message-ID: <1521456910081.24787@tcs.com>

Hi All,

I have launched keycloak as a Docker container. I am using Keycloak version 3.3.0.CR2. I have all my configurations done for nearly 10 clients. It is working fine...somehow my container went to the "Exited" state. Since I have configured all my applications to have SSO.....and since the container went down....and since the entry point for all my applications is Keycloak...I was not able to reach out to any of my applications. Moreover, when I started the container back I lost all the configuration I had made....

Is there any clear documentation, i.e. a step-by-step procedure, to have Keycloak with high availability???
Thanks & Regards,
Lahari G

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From dchrzascik at novomatic-tech.com Mon Mar 19 07:11:26 2018
From: dchrzascik at novomatic-tech.com (Dariusz Chrzascik)
Date: Mon, 19 Mar 2018 12:11:26 +0100
Subject: [keycloak-user] HA for keycloak
In-Reply-To: <1521456910081.24787@tcs.com>
References: <1521456910081.24787@tcs.com>
Message-ID: <5AAFA8EE020000860009EBEC@gwia-internal01.atsisa.com>

Hi,

Yes, there are a few resources that will be helpful for you:

1. Server installation guide: http://www.keycloak.org/docs/latest/server_installation/index.html
   It goes through operating modes (including standalone HA and domain) and then dives into the details of setting things up (most comprehensive, and personally I think that it is best; it contains all the things that you need to know)
2. Quickstart: http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
3. Wildfly HA guide: https://docs.jboss.org/author/display/WFLY10/High+Availability+Guide
4. Octopus blog that is useful when you consider using only TCP as a cluster communication basis: https://octopus.com/blog/wildfly-jdbc-ping
5. Furthermore, if you consider running your docker on k8s, I recommend checking out the helm package: https://github.com/kubernetes/charts/tree/master/incubator/keycloak

Regards,
Dariusz Chrząścik

>>> "Lahari Guntha" 03/19/18 11:57 AM >>>
Hi All,

I have launched keycloak as a Docker container. I am using Keycloak of version 3.3.0.CR2.
I have all my configurations done for nearly 10 clients. It is working fine...somehow my container went to the "Exited" state. Since I have configured all my applications to have SSO.....and since the container went down....and since the entry point for all my applications is Keycloak...I was not able to reach out to any of my applications. Moreover, when I started the container back I lost all the configuration I had made....

Is there any clear documentation, i.e. a step-by-step procedure, to have Keycloak with high availability???

Thanks & Regards,
Lahari G

CONFIDENTIALITY NOTICE
------------------------------------
This E-mail is intended only to be read or used by the addressee. The information contained in this E-mail message may be confidential information. If you are not the intended recipient, any use, interference with, distribution, disclosure or copying of this material is unauthorized and prohibited. Confidentiality attached to this communication is not waived or lost by reason of the mistaken delivery to you. If you have received this message in error, please delete it and notify us by return E-mail or telephone NOVOMATIC Technologies Poland S.A. +48 12 258 00 50. Any E-mail attachment may contain software viruses which could damage your own computer system.
Whilst reasonable precaution has been taken to minimize this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should therefore carry out your own virus checks before opening any attachments.
------------------------------------
NOVOMATIC Technologies Poland S.A., Poland, Krakowska 368, 32-080 Zabierzów

From Thomas.Kuestermann at sabre.com Mon Mar 19 07:51:05 2018
From: Thomas.Kuestermann at sabre.com (Kuestermann, Thomas)
Date: Mon, 19 Mar 2018 11:51:05 +0000
Subject: [keycloak-user] Access Token not refreshed // KEYCLOAK-2517
In-Reply-To:
References:
Message-ID:

Filed https://issues.jboss.org/browse/KEYCLOAK-6878

Let's see if this is a bug.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kuestermann, Thomas
Sent: Friday, 9 March 2018 15:53
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Access Token not refreshed // KEYCLOAK-2517

Keycloak experts,

We're currently developing a Spring Boot based application and we're using Keycloak for the identity management. Works great so far. We recently updated Keycloak and the respective Spring Boot adapter and Spring Security module to 3.4.1.Final. We've configured access tokens with a lifespan of 5 minutes; I think that's also the default.

After the upgrade we noticed that every HTTP call is answered with a 401 - Unauthorized after the access token timed out (due to inactivity in the application). This wasn't the case before. Keycloak documentation states that

> By default the application adapter will only refresh the access token when it's expired. [1]

which doesn't seem to work anymore. I debugged the application and came across KEYCLOAK-2517 [2] which introduced KeycloakSecurityContextRequestFilter.
Looking at the code, it seems that access tokens are only refreshed when they're valid:

+ if (refreshableSecurityContext.isActive()) { + KeycloakDeployment deployment = resolveDeployment(request, response); + + if (deployment.isAlwaysRefreshToken()) { + if (refreshableSecurityContext.refreshExpiredToken(false)) { + request.setAttribute(KeycloakSecurityContext.class.getName(), refreshableSecurityContext); + } else { + clearAuthenticationContext(); + } + } + } else { + clearAuthenticationContext(); + }

Otherwise the authentication context is cleared and access to resources is denied. Is this intended behavior? For me, it looks like a bug. If not, what's the general guideline on how to handle access token timeouts?

Our current workaround is to overwrite keycloakSecurityContextRequestFilter() in our derived KeycloakWebSecurityConfigurerAdapter like this:

+ @Override + protected KeycloakSecurityContextRequestFilter keycloakSecurityContextRequestFilter() { + return new KeycloakSecurityContextRequestFilter() { + @Override + public void doFilter(ServletRequest request, ServletResponse response, + FilterChain filterChain) throws IOException, ServletException { + filterChain.doFilter(request, response); + } + }; + }

It also looks like others are facing the same issue [3]. Any help or pointer is highly appreciated.
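Review bot: In the KeycloakSecurityContextRequestFilter hunk, refreshExpiredToken(false) is only reached inside the isActive() branch, so a context whose access token has already expired (isActive() false) goes straight to clearAuthenticationContext() without any refresh attempt, which matches the 401-after-expiry described above and contradicts the documented "refresh when it's expired" behaviour quoted from [1]. Consider attempting the refresh in the else branch as well, e.g. `} else if (!refreshableSecurityContext.refreshExpiredToken(false)) { clearAuthenticationContext(); }`, so the context is still cleared when the refresh fails and a stale identity is never kept. Note also that resolveDeployment() and isAlwaysRefreshToken() are only consulted for active tokens, so the deployment setting has no effect on the expired case.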
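Review bot: The doFilter override in the workaround hunk bypasses the whole filter, not just the refresh: the isActive() check and both clearAuthenticationContext() calls are gone, so an expired access token is neither refreshed nor does the stored security context get cleared when it expires, and nothing in this filter will stop that context from being used on later requests. If the aim is only to avoid the 401, a narrower override that still calls refreshExpiredToken(false) and clears the context when the refresh fails keeps expiry enforcement intact; as written, the workaround should at least be marked temporary with a reference to the filed issue.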
[1] http://www.keycloak.org/docs/3.4/securing_apps/index.html#_refresh_token_each_req
[2] https://issues.jboss.org/browse/KEYCLOAK-2517 PR: https://github.com/keycloak/keycloak/pull/4741
[3] https://github.com/jhipster/generator-jhipster/issues/6929

--
Thomas

From derek.gibson+keycloak-list at cimenviro.com Mon Mar 19 07:52:18 2018
From: derek.gibson+keycloak-list at cimenviro.com (Derek Gibson)
Date: Mon, 19 Mar 2018 12:52:18 +0100
Subject: [keycloak-user] Account action links in emails with admin on different port
Message-ID:

Hi there,

Running Keycloak 3.4.0.Final

We've split out admin and user interfaces using the documentation on port restrictions http://www.keycloak.org/docs/latest/server_admin/index.html#port-restriction and successfully have /auth/admin restricted to port 8444.

Our problem is that when an admin sends an email for an account action, it gets sent with the URL https://keycloak:8444/auth/realms/arealm/login-actions/action-token?... instead of https://keycloak/auth/realms/arealm/login-actions/action-token?...

Is there a way to get the emails to use the default URI instead of the admin one through a simple config change, without hardcoding the hostname or creating email templates?

Thanks
Derek

From vbrissat at sada.fr Mon Mar 19 09:39:30 2018
From: vbrissat at sada.fr (Brissat Vivien)
Date: Mon, 19 Mar 2018 13:39:30 +0000
Subject: [keycloak-user] Make custom Mapper for a specific claim field with HTTP Service Call
Message-ID: <618E519910098741BB19D64A691B3C2501E4BEADE0@srvmess02.intra.sada.fr>

Hi,

I would like to add a specific claim field in the JWT token that takes a value issued from a service call (an HTTP POST that returns a JSON result).
I saw that I can maybe specify a custom Mapper with something like:

    public class PersonalMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {}

But I don't know where to use this code, and I don't know where to call my service in Keycloak. Maybe in a custom Provider?

The documentation is not really helpful since I don't see any SPI for a custom Mapper, or a way to achieve this.

Thanks for your help,
Best Regards
Vivien Brissat

From known.michael at gmail.com Tue Mar 20 04:41:07 2018
From: known.michael at gmail.com (Known Michael)
Date: Tue, 20 Mar 2018 10:41:07 +0200
Subject: [keycloak-user] How to create a custom OTPPolicy?
Message-ID:

Hello,

I need to create a custom OTPPolicy. Unfortunately, the OTPPolicy is created via the constructor and not via a factory:

    public static OTPPolicy DEFAULT_POLICY = new OTPPolicy(UserCredentialModel.TOTP, HmacOTP.HMAC_SHA1, 0, 6, 1, 30);

(from the class org.keycloak.models.OTPPolicy)

Any help will be appreciated.

From uo67113 at gmail.com Tue Mar 20 10:52:07 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Tue, 20 Mar 2018 15:52:07 +0100
Subject: [keycloak-user] Keycloak Java Servlet Filter Adapter.
Message-ID:

Hello there,

I am using the java servlet filter adapter (http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter) in apache-tomcat 9 and it works like a charm, thanks!

The filter class is org.keycloak.adapters.saml.servlet.SamlFilter

I would like to fully externalize the keycloak configuration from the deployed applications. I know that I can set the keycloak config file via the filter config param keycloak.config.file to some external path like /usr/local/my-keycloak-saml.xml, brilliant!
On the other hand, the SamlFilter (https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java) looks for the keystores inside of the application context: usually something like /WEB-INF/my-keystore.jks. This is due to the implementation of the ResourceLoader.getResourceAsStream(String resource) function. It looks like this:

    ResourceLoader loader = new ResourceLoader() {
        @Override
        public InputStream getResourceAsStream(String resource) {
            return filterConfig.getServletContext().getResourceAsStream(resource);
        }
    };

In ServletContext.getResourceAsStream(java.lang.String path) the path param must begin with a "/" and it is interpreted as relative to the current context root.

I would be in favor of having the possibility of externalizing this resource, perhaps having something like:

    // First try the original one
    InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
    if (is == null) {
        // Try with an external one
        try {
            is = new FileInputStream(resource);
        } catch (FileNotFoundException e) {
            throw new RuntimeException(e);
        }
    }

Any thoughts on this?

Thanks in advance,

Luis

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From oxyoxy_240 at yahoo.fr Tue Mar 20 14:22:21 2018
From: oxyoxy_240 at yahoo.fr (Oxy Oxy)
Date: Tue, 20 Mar 2018 18:22:21 +0000 (UTC)
Subject: [keycloak-user] Cannot get Keycloak Tomcat 7 adapter to work (version 3.4.3.Final)
References: <813145885.6459316.1521570141213.ref@mail.yahoo.com>
Message-ID: <813145885.6459316.1521570141213@mail.yahoo.com>

Hi,

I have a Spring Boot 1.5.2 Web App packaged as a .war hosted on an Apache Tomcat 7.0.68. I want to use the Keycloak Tomcat Adapter but I encounter HTTP 401 returns on every endpoint included in the configuration... I am using the 3.4.3.Final version. I have read the doc @ http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/tomcat-adapter.html.
Done:

* Downloaded https://downloads.jboss.org/keycloak/3.4.3.Final/adapters/keycloak-oidc/keycloak-tomcat7-adapter-dist-3.4.3.Final.zip and extracted under /lib/
* Created a META-INF/context.xml file with:
* Created a WEB-INF/keycloak.json file with:

    {
        "realm" : "my_realm",
        "resource" : "my_client",
        "principal-attribute": "preferred_username",
        "truststore" : "/my_path/keycloak-truststore.jks",
        "ssl-required" : "external",
        "truststore-password" : "my_password",
        "credentials" : {
            "secret" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        },
        "auth-server-url" : "http://.fr:8443/auth"
    }

* Created a WEB-INF/web.xml file with: my-app my-app BASIC my_realm /customer/* uma_authorization uma_authorization (simple test with uma_authorization, a role that every user has)

After that: HTTP 200 on every endpoint except /customer/*, where I get HTTP 401.

In debug, I have detected that the variable "account" is always null on line 61 of the CatalinaSessionTokenStore class (from the Tomcat Keycloak Adapter dependency):

    Session catalinaSession = request.getSessionInternal(false);
    if (catalinaSession == null) return;
    SerializableKeycloakAccount account = (SerializableKeycloakAccount) catalinaSession.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
    if (account == null) {
        return;
    }
    (... next lines are to control the content of the Keycloak context)

Nothing in the Tomcat log even with TRACE level activated.

Have I forgotten something to configure? Is it a bug?

Thanks

From ben.immanuel at aistemos.com Tue Mar 20 14:37:53 2018
From: ben.immanuel at aistemos.com (Ben Immanuel)
Date: Tue, 20 Mar 2018 18:37:53 +0000
Subject: [keycloak-user] Keycloak theme - properties from env / external file / client?
Message-ID:

Hi there,

we have a custom keycloak theme, which contains a link.
The link needs to be different per environment (prod, staging, dev etc.).

Having a separate "theme.properties" file per environment is not really an option for us, as we want to re-use the same Docker image.

So....

Can we access environment variables from "theme.properties"? i.e. OUR_PROP=${env.SOME_ENVIRONMENT_VAR}

Or is there a way to read values from an external file?

Or can we access a particular Keycloak client's redirect url? i.e. in our case client="Cipher2".

Or any other ideas?

I'm not too sure how the Java SPI stuff works, so any pointers would be really appreciated.

Thanks!

Ben

From jose.goncalves at inov.pt Tue Mar 20 15:07:15 2018
From: jose.goncalves at inov.pt (José Miguel Gonçalves)
Date: Tue, 20 Mar 2018 19:07:15 +0000
Subject: [keycloak-user] API not protected immediately after logout
Message-ID:

Hi,

To test a scenario of a Node.js RESTful service secured by Keycloak (3.4.3.Final), I've set up a Node.js server and an HTML5 client using example code from https://github.com/keycloak/keycloak-quickstarts ('service-nodejs' and 'app-jee-html5').

While everything seems fine at first glance, there is an issue after I logout on the app. After logging out, I see that I continue to have access to the protected endpoints for some short time (about 1 minute after logout).

Am I missing some configuration or is this a bug on Keycloak?

Regards,
José Gonçalves

From ben.immanuel at aistemos.com Tue Mar 20 15:17:28 2018
From: ben.immanuel at aistemos.com (Ben Immanuel)
Date: Tue, 20 Mar 2018 19:17:28 +0000
Subject: [keycloak-user] Keycloak theme - properties from env / external file / client?
In-Reply-To:
References:
Message-ID:

i.e. to add my environment variables to the "login" themes.... do I need to override "FreeMarkerLoginFormsProvider.java"? And if so, what's the best way to do this? Do I need to package an entire new SPI (i.e. http://www.keycloak.org/docs/3.1/server_development/topics/providers.html)?
Sorry, I'm not great with Java, just trying to find my way around.

Thanks!

On 20 March 2018 at 18:37, Ben Immanuel wrote:

> Hi there,
>
> we have a custom keycloak theme, which contains a link. The link needs to
> be different per environment (prod, staging, dev etc).
>
> Having a separate "theme.properties" file per environment is not really an
> option for us, as we want to re-use the same Docker image.
>
> So....
>
> Can we access environment variables from "theme.properties"?
>
> i.e. OUR_PROP=${env.SOME_ENVIRONMENT_VAR}
>
> Or is there a way to read values from an external file?
>
> Or can we access a particular Keycloak client's redirect url? i.e. in our
> case client="Cipher2".
>
> Or any other ideas?
>
> I'm not too sure how the Java SPI stuff works, so any pointers would be
> really appreciated.
>
> Thanks!
>
> Ben

--
BEN IMMANUEL
Software Engineer
AISTEMOS
39-41 Charing Cross Rd, London, WC2H 0AR
D: +44 (0) 20 3909 9203
M: +44 (0) 78 6082 1673
www.cipher.ai

From sthorger at redhat.com Tue Mar 20 16:43:38 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Mar 2018 21:43:38 +0100
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To:
References:
Message-ID:

Unless the service calls the token introspection endpoint it won't know that the access token has expired until it actually expires. That is the cause of the slight delay from logout. The app should really clear the tokens after logout.

On 20 March 2018 at 20:07, José Miguel Gonçalves wrote:

> Hi,
>
> To test a scenario of a Node.js RESTful service secured by Keycloak
> (3.4.3.Final), I've set up a Node.js server and an HTML5 client using
> example code from https://github.com/keycloak/keycloak-quickstarts
> ('service-nodejs' and 'app-jee-html5').
> While everything seems fine at first glance, there is an issue after I
> logout on the app.
> After logging out, I see that I continue to have access to the protected
> endpoints for some short time (about 1 minute after logout).
> Am I missing some configuration or is this a bug on Keycloak?
>
> Regards,
> José Gonçalves

From sthorger at redhat.com Tue Mar 20 16:44:29 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Mar 2018 21:44:29 +0100
Subject: [keycloak-user] Account action links in emails with admin on different port
In-Reply-To:
References:
Message-ID:

I'd imagine Undertow filters can do this. You'll probably find the details on how to do that on Google.

On 19 March 2018 at 12:52, Derek Gibson <derek.gibson+keycloak-list at cimenviro.com> wrote:

> Hi there,
>
> Running Keycloak 3.4.0.Final
>
> We've split out admin and user interfaces using the documentation on port
> restrictions
> http://www.keycloak.org/docs/latest/server_admin/index.html#port-restriction
> And successfully have /auth/admin restricted to port 8444
>
> Our problem is that when an admin sends an email for account action, it
> gets sent with the url of
> https://keycloak:8444/auth/realms/arealm/login-actions/action-token?...
> instead of
> https://keycloak/auth/realms/arealm/login-actions/action-token?...
>
> Is there a way to get the emails to use the default uri instead of the
> admin one through a simple config change without hardcoding the hostname or
> creating email templates?
>
> Thanks
> Derek

From jose.goncalves at inov.pt Tue Mar 20 20:17:00 2018
From: jose.goncalves at inov.pt (José Miguel Gonçalves)
Date: Wed, 21 Mar 2018 00:17:00 +0000
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To:
References:
Message-ID: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt>

Shouldn't this be a task for the JavaScript adapter, i.e., shouldn't the logout method perform this automatically for us?

It seems to me that token clearing should be transparent to the app user, because if tokens are implicitly created on the login procedure, they should also be implicitly cleared on logout.

On 20-03-2018 20:43, Stian Thorgersen wrote:
> Unless the service calls the token introspection endpoint it won't
> know that the access token has expired until it actually expires. That
> is the cause of the slight delay from logout. The app should really
> clear the tokens after logout.
>
> On 20 March 2018 at 20:07, José Miguel Gonçalves wrote:
>
>     Hi,
>
>     To test a scenario of a Node.js RESTful service secured by Keycloak
>     (3.4.3.Final), I've set up a Node.js server and an HTML5 client using
>     example code from https://github.com/keycloak/keycloak-quickstarts
>     ('service-nodejs' and 'app-jee-html5').
>     While everything seems fine at first glance, there is an issue after I
>     logout on the app.
>     After logging out, I see that I continue to have access to the
>     protected
>     endpoints for some short time (about 1 minute after logout).
>     Am I missing some configuration or is this a bug on Keycloak?
>
>     Regards,
>     José
>     Gonçalves

From jose.goncalves at inov.pt Wed Mar 21 07:02:18 2018
From: jose.goncalves at inov.pt (José Miguel Gonçalves)
Date: Wed, 21 Mar 2018 11:02:18 +0000
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt>
References: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt>
Message-ID: <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt>

Digging a little bit more into this issue, I found that the session is still alive after logout because of a 'connect.sid' cookie set in the browser that was written by the Node.js server. As this cookie has the HttpOnly flag set, it cannot be cleared on the client side.

So my question is, what needs to be changed in the example code ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and clear the 'connect.sid' cookie) immediately after I press the logout button?

On 21-03-2018 00:17, José Miguel Gonçalves wrote:
> Shouldn't this be a task for the JavaScript adapter, i.e., shouldn't the
> logout method perform this automatically for us?
>
> It seems to me that token clearing should be transparent to the app
> user, because if tokens are implicitly created on the login procedure,
> they should also be implicitly cleared on logout.
>
> On 20-03-2018 20:43, Stian Thorgersen wrote:
>> Unless the service calls the token introspection endpoint it won't
>> know that the access token has expired until it actually expires.
>> That is the cause of the slight delay from logout. The app should
>> really clear the tokens after logout.
>>
>> On 20 March 2018 at 20:07, José Miguel Gonçalves wrote:
>>
>>     Hi,
>>
>>     To test a scenario of a Node.js RESTful service secured by Keycloak
>>     (3.4.3.Final), I've set up a Node.js server and an HTML5 client using
>>     example code from
>>     https://github.com/keycloak/keycloak-quickstarts
>>     ('service-nodejs' and 'app-jee-html5').
>>     While everything seems fine at first glance, there is an issue
>>     after I
>>     logout on the app.
>>     After logging out, I see that I continue to have access to the
>>     protected
>>     endpoints for some short time (about 1 minute after logout).
>>     Am I missing some configuration or is this a bug on Keycloak?
>>
>>     Regards,
>>     José Gonçalves

From sthorger at redhat.com Wed Mar 21 10:21:05 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Mar 2018 15:21:05 +0100
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To: <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt>
References: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt> <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt>
Message-ID:

I don't know what the connect.sid cookie is. Sounds like there's some sort of logged-in session between your app and the nodejs app that doesn't have anything to do with keycloak.js

keycloak.js clears tokens on logout. You should invoke the node.js services with the bearer token. There's no need to have a session cookie between the app and service.

On 21 March 2018 at 12:02, José Miguel Gonçalves wrote:

> Digging a little bit more into this issue, I found that the session is still
> alive after logout because of a 'connect.sid' cookie set in the browser
> that was written by the Node.js server. As this cookie has the HttpOnly
> flag set, it cannot be cleared on the client side.
>
> So my question is, what needs to be changed in the example code
> ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and
> clear the 'connect.sid' cookie) immediately after I press the logout button?
>
>
> On 21-03-2018 00:17, José Miguel Gonçalves wrote:
>
> Shouldn't this be a task for the JavaScript adapter, i.e., shouldn't the logout
> method perform this automatically for us?
>
> It seems to me that token clearing should be transparent to the app user,
> because if tokens are implicitly created on the login procedure, they
> should also be implicitly cleared on logout.
>
> On 20-03-2018 20:43, Stian Thorgersen wrote:
>
> Unless the service calls the token introspection endpoint it won't know
> that the access token has expired until it actually expires. That is the
> cause of the slight delay from logout. The app should really clear the
> tokens after logout.
>
> On 20 March 2018 at 20:07, José Miguel Gonçalves wrote:
>
>> Hi,
>>
>> To test a scenario of a Node.js RESTful service secured by Keycloak
>> (3.4.3.Final), I've set up a Node.js server and an HTML5 client using
>> example code from https://github.com/keycloak/keycloak-quickstarts
>> ('service-nodejs' and 'app-jee-html5').
>> While everything seems fine at first glance, there is an issue after I
>> logout on the app.
>> After logging out, I see that I continue to have access to the protected
>> endpoints for some short time (about 1 minute after logout).
>> Am I missing some configuration or is this a bug on Keycloak?
>>
>> Regards,
>> José Gonçalves
>>
>
>

From jose.goncalves at inov.pt Wed Mar 21 10:40:02 2018
From: jose.goncalves at inov.pt (José Miguel Gonçalves)
Date: Wed, 21 Mar 2018 14:40:02 +0000
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To:
References: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt> <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt>
Message-ID: <8953b5cd-ad6f-bcd3-eeb7-4f9f1d0f38bb@inov.pt>

The 'connect.sid' token is set by the Node.js server example code at https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-nodejs

The issue is related to that example code, so I was trying to get info on what needs to be changed/corrected in it to correctly secure a Node.js REST API with Keycloak.
The Keycloak documentation for the Node.js Adapter (http://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter) is in sync with the example code, so I assume that something is missing in the logout procedure...

On 03/21/2018 02:21 PM, Stian Thorgersen wrote:
> I don't know what the connect.sid cookie is. Sounds like there's some
> sort of logged-in session between your app and the nodejs app that
> doesn't have anything to do with keycloak.js
>
> keycloak.js clears tokens on logout. You should invoke the node.js
> services with the bearer token. There's no need to have a session
> cookie between the app and service.
>
> On 21 March 2018 at 12:02, José Miguel Gonçalves wrote:
>
>     Digging a little bit more into this issue, I found that the session
>     is still alive after logout because of a 'connect.sid' cookie set
>     in the browser that was written by the Node.js server. As this
>     cookie has the HttpOnly flag set, it cannot be cleared on the
>     client side.
>
>     So my question is, what needs to be changed in the example code
>     ('service-nodejs' and/or 'app-jee-html5') to terminate the session
>     (and clear the 'connect.sid' cookie) immediately after I press the
>     logout button?
>
>
>     On 21-03-2018 00:17, José Miguel Gonçalves wrote:
>>     Shouldn't this be a task for the JavaScript adapter, i.e., shouldn't the
>>     logout method perform this automatically for us?
>>
>>     It seems to me that token clearing should be transparent to the
>>     app user, because if tokens are implicitly created on the login
>>     procedure, they should also be implicitly cleared on logout.
>>
>>     On 20-03-2018 20:43, Stian Thorgersen wrote:
>>>     Unless the service calls the token introspection endpoint it
>>>     won't know that the access token has expired until it actually
>>>     expires. That is the cause of the slight delay from logout. The
>>>     app should really clear the tokens after logout.
>>>
>>>     On 20 March 2018 at 20:07, José
Miguel Gon?alves >>> > wrote: >>> >>> Hi, >>> >>> To test a scenario of a Node.js RESTfull service secured by >>> Keycloak >>> (3.4.3.Final), I've setup a Node.js server and a HTML5 >>> client using >>> example code from >>> https://github.com/keycloak/keycloak-quickstarts >>> >>> ('service-nodejs' and 'app-jee-html5'). >>> While everything seems fine at first glance, there is an >>> issue after I >>> logout on the app. >>> After logging out, I see that I continue to have access to >>> the protected >>> endpoints for some short time (about 1 minute after logout). >>> Am I missing some configuration or is this a bug on Keycloak? >>> >>> Regards, >>> Jos? Gon?alves >>> > From sthorger at redhat.com Thu Mar 22 01:27:35 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Mar 2018 06:27:35 +0100 Subject: [keycloak-user] API not protected immediately after logout In-Reply-To: <8953b5cd-ad6f-bcd3-eeb7-4f9f1d0f38bb@inov.pt> References: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt> <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt> <8953b5cd-ad6f-bcd3-eeb7-4f9f1d0f38bb@inov.pt> Message-ID: Bruno - can you comment on this please? I can't see why when the Node.js adapter is used to secure a service it should create a cookie at all. On 21 March 2018 at 15:40, Jos? Miguel Gon?alves wrote: > The 'connect.sid' token is set by the Node.js server example code at > https://github.com/keycloak/keycloak-quickstarts/tree/ > latest/service-nodejs > The issue is related with that example code, so I was trying to get info > on what needs to be changed/corrected on it, to correctly secure a Node.js > REST API with Keycloak. > The Keycloak's documentation for the Node.js Adapter ( > http://www.keycloak.org/docs/latest/securing_apps/index. > html#_nodejs_adapter) is in sync with the example code, so I assume that > something is missing on the logout procedure... > > > On 03/21/2018 02:21 PM, Stian Thorgersen wrote: > > I don't know what the connect.sid cookie is. 
> Sounds like there's some sort of logged-in session between your app and the nodejs app that doesn't have anything to do with keycloak.js
>
> keycloak.js clears tokens on logout. You should invoke the node.js services with the bearer token. There's no need to have a session cookie between the app and service.
>
> On 21 March 2018 at 12:02, José Miguel Gonçalves wrote:
>
>> Digging a little bit more on this issue, I found that the session is still alive after logout because of a 'connect.sid' cookie set in the browser that was written by the Node.js server. As this cookie has the HttpOnly flag set, it can not be cleared on the client side.
>>
>> So my question is, what needs to be changed on the example code ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and clear 'connect.sid' cookie) immediately after I press the logout button?
>>
>>
>> On 21-03-2018 00:17, José Miguel Gonçalves wrote:
>>
>> Shouldn't this be a task for the JavaScript adapter, i.e., the logout method should not perform this automatically for us?
>>
>> It seems to me that tokens clearing should be transparent to the app user, because if tokens are implicitly created on the login procedure, they should also be implicitly cleared on the logout.
>>
>> On 20-03-2018 20:43, Stian Thorgersen wrote:
>>
>> Unless the service calls the token introspection endpoint it won't know that the access token has expired until it actually expires. That is the cause of the slight delay from logout. The app should really clear the tokens after logout.
>>
>> On 20 March 2018 at 20:07, José Miguel Gonçalves wrote:
>>
>>> Hi,
>>>
>>> To test a scenario of a Node.js RESTful service secured by Keycloak (3.4.3.Final), I've set up a Node.js server and an HTML5 client using example code from https://github.com/keycloak/keycloak-quickstarts ('service-nodejs' and 'app-jee-html5').
>>> While everything seems fine at first glance, there is an issue after I log out on the app.
>>> After logging out, I see that I continue to have access to the protected endpoints for some short time (about 1 minute after logout).
>>> Am I missing some configuration or is this a bug on Keycloak?
>>>
>>> Regards,
>>> José Gonçalves
>>>
>>
>>
>

From karolbilicki at gmail.com Thu Mar 22 02:13:40 2018
From: karolbilicki at gmail.com (Karol Bilicki)
Date: Thu, 22 Mar 2018 07:13:40 +0100
Subject: [keycloak-user] Creating keycloak custom theme - setting new start page
Message-ID:

Hello!

I have three views to display:
- starting page (with links to registration and login pages)
- login page
- registration page

I don't know how to display the starting page first. My starting page in my custom theme is the login page (my-site/auth). How can I change this?
I tried with request parameters, but I can't get the URL params in .ftl template pages. How can I extend the server with an endpoint, or read a URL param in a template? Maybe there is another solution...

Thank you!

From bruno at abstractj.org Thu Mar 22 03:37:41 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 22 Mar 2018 04:37:41 -0300
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To:
References: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt> <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt> <8953b5cd-ad6f-bcd3-eeb7-4f9f1d0f38bb@inov.pt>
Message-ID: <20180322072951.GA1935@abstractj.org>

Sorry if I didn't see your message before. My e-mail was disabled for this mailing list for some reason which I have no idea about. I would really appreciate it if you filed a Jira with everything you reported here. That way, I can investigate later, when I have some time, whether there's a bug in the quickstarts.

Thank you!

On 2018-03-22, Stian Thorgersen wrote:
> Bruno - can you comment on this please? I can't see why when the Node.js adapter is used to secure a service it should create a cookie at all.
>
> On 21 March 2018 at 15:40, José Miguel Gonçalves wrote:
>
> > The 'connect.sid' token is set by the Node.js server example code at https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-nodejs
> > The issue is related to that example code, so I was trying to get info on what needs to be changed/corrected on it, to correctly secure a Node.js REST API with Keycloak.
> > The Keycloak documentation for the Node.js Adapter (http://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter) is in sync with the example code, so I assume that something is missing on the logout procedure...
> >
> >
> > On 03/21/2018 02:21 PM, Stian Thorgersen wrote:
> >
> > I don't know what the connect.sid cookie is. Sounds like there's some sort of logged-in session between your app and the nodejs app that doesn't have anything to do with keycloak.js
> >
> > keycloak.js clears tokens on logout. You should invoke the node.js services with the bearer token. There's no need to have a session cookie between the app and service.
> >
> > On 21 March 2018 at 12:02, José Miguel Gonçalves wrote:
> >
> >> Digging a little bit more on this issue, I found that the session is still alive after logout because of a 'connect.sid' cookie set in the browser that was written by the Node.js server. As this cookie has the HttpOnly flag set, it can not be cleared on the client side.
> >>
> >> So my question is, what needs to be changed on the example code ('service-nodejs' and/or 'app-jee-html5') to terminate the session (and clear 'connect.sid' cookie) immediately after I press the logout button?
> >>
> >>
> >> On 21-03-2018 00:17, José Miguel Gonçalves wrote:
> >>
> >> Shouldn't this be a task for the JavaScript adapter, i.e., the logout method should not perform this automatically for us?
> >>
> >> It seems to me that tokens clearing should be transparent to the app user, because if tokens are implicitly created on the login procedure, they should also be implicitly cleared on the logout.
> >>
> >> On 20-03-2018 20:43, Stian Thorgersen wrote:
> >>
> >> Unless the service calls the token introspection endpoint it won't know that the access token has expired until it actually expires. That is the cause of the slight delay from logout. The app should really clear the tokens after logout.
> >>
> >> On 20 March 2018 at 20:07, José Miguel Gonçalves wrote:
> >>
> >>> Hi,
> >>>
> >>> To test a scenario of a Node.js RESTful service secured by Keycloak (3.4.3.Final), I've set up a Node.js server and an HTML5 client using example code from https://github.com/keycloak/keycloak-quickstarts ('service-nodejs' and 'app-jee-html5').
> >>> While everything seems fine at first glance, there is an issue after I log out on the app.
> >>> After logging out, I see that I continue to have access to the protected endpoints for some short time (about 1 minute after logout).
> >>> Am I missing some configuration or is this a bug on Keycloak?
> >>>
> >>> Regards,
> >>> José Gonçalves
> >>>
> >>
> >>
> >

--
abstractj

From Marcel.Nemet at gmail.com Thu Mar 22 04:07:25 2018
From: Marcel.Nemet at gmail.com (Marcel Német)
Date: Thu, 22 Mar 2018 09:07:25 +0100
Subject: [keycloak-user] How to import keycloak-authz from keycloak-js npm package in TypeScript?
Message-ID:

I can easily import Keycloak.d.ts from the keycloak-js npm module using

    import * as Keycloak from 'keycloak-js';

but I am failing to import the keycloak-authz.d.ts file and the KeycloakAuthorization which is defined inside it.

I wonder if anybody knows how to do it or did it previously. Not sure whether keycloak-authz is made available at the npm package level.
A loosely related issue I found online is: https://issues.jboss.org/browse/KEYCLOAK-4822

--
Marcel Német
marcel.nemet at gmail.com
0795153648

From psilva at redhat.com Thu Mar 22 06:13:57 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 22 Mar 2018 07:13:57 -0300
Subject: [keycloak-user] How to import keycloak-authz from keycloak-js npm package in TypeScript?
In-Reply-To:
References:
Message-ID:

Will check this out.

On Thu, Mar 22, 2018 at 5:07 AM, Marcel Német wrote:
> I can easily import Keycloak.d.ts from the keycloak-js npm module using
>
> import * as Keycloak from 'keycloak-js';
>
> but I am failing to import the keycloak-authz.d.ts file and the KeycloakAuthorization which is defined inside it.
>
> I wonder if anybody knows how to do it or did it previously. Not sure whether keycloak-authz is made available at the npm package level.
>
> A loosely related issue I found online is: https://issues.jboss.org/browse/KEYCLOAK-4822
>
> --
> Marcel Német
> marcel.nemet at gmail.com
> 0795153648
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pinguwien at gmail.com Thu Mar 22 06:23:20 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Thu, 22 Mar 2018 11:23:20 +0100
Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode
In-Reply-To: <12cddcfa-cd4b-2c80-7d00-8e48bc64bf26@redhat.com>
References: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> <4c572884-03c7-f48d-d418-a262c9746ec9@gmail.com> <12cddcfa-cd4b-2c80-7d00-8e48bc64bf26@redhat.com>
Message-ID: <2e1d0448-3324-75ff-250a-14cb0b1374fb@gmail.com>

Hey Marek,

thanks for the info, that did the trick for me, too! Might be worth a note in the SPI docs / repo.

Best regards,
Dominik

On 16.03.18 at 08:55, Marek Posolda wrote:
> Someone else from our team worked around the issue with the Stateful EJB by using @Stateful(passivationCapable=false) on the SFSB as described here [1] and it resolved the issue. But it's possible that his issue is a bit different than yours. Just a blind tip :)
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/developing_ejb_applications/clustered_enterprise_javabeans
>
>
> Marek
>
>
> On 14/03/18 13:06, Marek Posolda wrote:
>> On 14/03/18 09:13, Dominik Guhr wrote:
>>> So, the example UserStorageProvider is stateful: https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProvider.java
>>>
>>>
>>> Do you think it would be enough to remove the annotation here?
>> Not sure TBH.
>>
>> I would personally get rid of EJB and use a "standalone" entity manager. Something similar to what Keycloak itself is doing for manipulating its JPA model. But maybe it's just me and there is something simple which can be done to have it correctly working with a stateful EJB on WildFly...
>>
>> Marek
>>> Sorry, but to be honest I don't know what impact this has and there are other applications in production using the kc, so I am unwilling to just "change it and see what happens" at the moment, for in the worst case there might be some impact on the other applications (which are not using the custom provider, but still..)
>>>
>>> Would be nice to have some insights on exactly why this is stateful.
>>>
>>> Best regards,
>>> Dominik
>>>
>>> p.s: Is there a clustered-keycloak-ootb-dockerimage so that I can eventually test myself locally without losing too much time setting up the whole cluster myself?
>>>
>>>
>>> On 13.03.18 at 21:36, Marek Posolda wrote:
>>>> I guess those examples were not tested in a cluster environment.
>>>>
>>>> It seems the issue is that some stateful EJB is trying to serialize, but the EJB has a reference to DefaultKeycloakSession, which is not serializable (and shouldn't be, as it's not supposed to be serialized and sent over the network).
>>>>
>>>> I am not 100% sure, but if it's possible to get rid of the stateful EJB and use "standalone" JPA, it may help. Also it may help if you mark some fields transient in your EJB or write custom Infinispan externalizers. See the Infinispan/WildFly docs for more info.
>>>>
>>>> Marek
>>>>
>>>> On 12/03/18 13:08, Dominik Guhr wrote:
>>>>> Hi everyone,
>>>>>
>>>>> so I'm on kc 3.4.3.Final and running a custom UserStorageProvider ("MyAppUserStorage" below) based on the GitHub example JPA storage provider. It's all working well in the dev environment, which is not clustered.
>>>>>
>>>>> But in my clustered production kc environment (using standalone-ha, 2 nodes), the exception below is thrown.
>>>>> It seems to have no effect, though: I can successfully use the app, even stop one node, and everything's working fine.
>>>>>
>>>>> Now these log entries are at least annoying and I want to know what's happening here, so I hope someone could help me out. Do I have to make some classes @Serializable or something (e.g. UserAdapter.java?) to work correctly in clustered mode?
>>>>>
>>>>> Would be great to get some help here! If you need more information or code, feel free to ask :)
>>>>>
>>>>> Best regards,
>>>>> Dominik
>>>>>
>>>>> Log:
>>>>> 2018-03-08 14:38:21,220 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>>>>> Caused by: an exception which occurred:
>>>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>>>         in object my.app.de.keycloak.MyAppUserStorage@1f4565de
>>>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
>>>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
>>>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>>>>         in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>>>>         in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>>>>         in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>>>>>
>>>>> 2018-03-08 14:38:21,220 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-14) ISPN000136: Error executing command PrepareCommand, writing keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>>>>> Caused by: an exception which occurred:
>>>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>>>         in object my.app.de.keycloak.MyAppUserStorage@1f4565de
>>>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
>>>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
>>>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>>>>         in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>>>>         in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>>>>         in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>>>>>
>>>>> 2018-03-08 14:38:21,220 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-14) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>>>>> Caused by: an exception which occurred:
>>>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>>>         in object my.app.de.keycloak.MyAppUserStorage@1f4565de
>>>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
>>>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
>>>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>>>>         in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>>>>         in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>>>>         in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>>>>>
>>>>> 2018-03-08 14:38:21,221 WARN  [org.infinispan.transaction.tm.DummyTransaction] (default task-14) ISPN000112: exception while committing: javax.transaction.xa.XAException
>>>>>         at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
>>>>>         at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
>>>>>         at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
>>>>>         at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
>>>>>         at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
>>>>>         at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
>>>>>         at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
>>>>>         at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
>>>>>         at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
>>>>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
>>>>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
>>>>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
>>>>>         at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
>>>>>         at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
>>>>>         at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
>>>>>         at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
>>>>>         at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
>>>>>         at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
>>>>>         at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
>>>>>         at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
>>>>>         at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
>>>>>         at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
>>>>>         at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
>>>>>         at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
>>>>>         at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
>>>>>         at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
>>>>>         at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
>>>>>         at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
>>>>>         at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
>>>>>         at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
>>>>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
>>>>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>>>>>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>>>>>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>>>>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>         at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>>>>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>>         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>>         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>>>         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>>>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>>>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>>>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>>>>>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>>         at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
>>>>> Caused by: an exception which occurred:
>>>>>         in field my.app.de.keycloak.MyAppUserStorage.session
>>>>>         in object my.app.de.keycloak.MyAppUserStorage@1f4565de
>>>>>         in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
>>>>>         in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
>>>>>         in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
>>>>>         in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
>>>>>         in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>>>>         in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>>>>         in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>>>>         in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>>>>         in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
>>>>>
>>>>> 2018-03-08 14:38:21,222 WARN  [org.jboss.as.txn] (default task-14) WFLYTX0027: The pre-jca synchronization org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization@57f2b0a6 associated with tx TransactionImple < ac, BasicAction: 0:ffff0a7f0895:-364bcb73:5a9d46fe:5906 status: ActionStatus.COMMITTED > failed during after completion: org.infinispan.commons.CacheException: javax.transaction.HeuristicRollbackException
>>>>>         at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102)
>>>>>         at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
>>>>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
>>>>>         at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>>> >>>>> ????????? at >>>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>>> >>>>> ????????? at >>>>> org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) >>>>> >>>>> ????????? 
at >>>>> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) >>>>> >>>>> ????????? at >>>>> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>> >>>>> ????????? at >>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>> >>>>> ????????? at >>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>>> >>>>> ????????? at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>>> ????????? at >>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>>> >>>>> ????????? 
at >>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>>> >>>>> ????????? 
at >>>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? 
at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>>> >>>>> ????????? at >>>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>>> ????????? at >>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>>> >>>>> ????????? at >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> >>>>> ????????? at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> >>>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>>> Caused by: javax.transaction.HeuristicRollbackException >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>>> >>>>> ????????? 
at >>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>>> >>>>> ????????? ... 71 more >>>>> Caused by: javax.transaction.xa.XAException >>>>> ????????? at >>>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>>> >>>>> ????????? ... 75 more >>>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>>> org.keycloak.services.DefaultKeycloakSession >>>>> Caused by: an exception which occurred: >>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>> ????????? in field >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>> >>>>> ????????? in field >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>> >>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>> ????????? in object >>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>> >>>>> ????????? in object >>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>>> >>>>> 2018-03-08 14:38:21,226 ERROR >>>>> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >>>>> ISPN000073: Unexpected error while replicating: >>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>> org.keycloak.services.DefaultKeycloakSession >>>>> Caused by: an exception which occurred: >>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>> ????????? in field >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>> >>>>> ????????? in field >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>> >>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>> ????????? in object >>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>> >>>>> ????????? in object >>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>> >>>>> 2018-03-08 14:38:21,226 ERROR >>>>> [org.infinispan.interceptors.InvocationContextInterceptor] (default >>>>> task-14) ISPN000136: Error executing command PrepareCommand, writing >>>>> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >>>>> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>> org.keycloak.services.DefaultKeycloakSession >>>>> Caused by: an exception which occurred: >>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>> ????????? in field >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>> >>>>> ????????? in field >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>> >>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>> ????????? in object >>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>> >>>>> ????????? in object >>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>> ????????? 
in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>> >>>>> 2018-03-08 14:38:21,226 ERROR >>>>> [org.infinispan.transaction.impl.TransactionCoordinator] (default >>>>> task-14) ISPN000097: Error while processing a prepare in a >>>>> single-phase >>>>> transaction: org.infinispan.commons.marshall.NotSerializableException: >>>>> org.keycloak.services.DefaultKeycloakSession >>>>> Caused by: an exception which occurred: >>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>> ????????? in field >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>> >>>>> ????????? in field >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>> >>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>> ????????? in object >>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>> >>>>> ????????? in object >>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>> >>>>> 2018-03-08 14:38:21,227 WARN >>>>> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >>>>> ISPN000112: exception while committing: >>>>> javax.transaction.xa.XAException >>>>> ????????? at >>>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>>> >>>>> ????????? 
at >>>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>>> >>>>> ????????? at >>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>>> >>>>> ????????? at >>>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>>> >>>>> ????????? 
at >>>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? 
at >>>>> org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) >>>>> >>>>> ????????? 
at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) >>>>> >>>>> ????????? at >>>>> org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) >>>>> >>>>> ????????? at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown >>>>> Source) >>>>> ????????? at >>>>> org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) >>>>> >>>>> ????????? at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) >>>>> >>>>> ????????? at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>>> ????????? at >>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>> >>>>> ????????? 
at >>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? 
at >>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? 
at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>>> >>>>> ????????? at >>>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>>> ????????? at >>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>>> >>>>> ????????? at >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> >>>>> ????????? at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> >>>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>>> org.keycloak.services.DefaultKeycloakSession >>>>> Caused by: an exception which occurred: >>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>> ????????? in field >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>> >>>>> ????????? in field >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>> >>>>> ????????? 
in object >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>> >>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>> ????????? in object >>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>> >>>>> ????????? in object >>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>> ????????? in object org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>> >>>>> 2018-03-08 14:38:21,238 WARN? [org.jboss.as.txn] (default task-14) >>>>> WFLYTX0027: The pre-jca synchronization >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 32861c5f >>>>> >>>>> associated with tx TransactionImple < ac, BasicAction: >>>>> 0:ffff0a7f0895:-364bcb73:5a9d46fe:590c status: >>>>> ActionStatus.COMMITTED > >>>>> failed during after completion: org.infinispan.commons.CacheException: >>>>> javax.transaction.HeuristicRollbackException >>>>> ????????? at >>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>>> >>>>> ????????? 
at >>>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>>> >>>>> ????????? at >>>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>>> >>>>> ????????? at >>>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332) >>>>> >>>>> ????????? 
at >>>>> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) >>>>> >>>>> ????????? 
at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) >>>>> >>>>> ????????? at >>>>> org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) >>>>> >>>>> ????????? at >>>>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) >>>>> >>>>> ????????? at >>>>> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) >>>>> >>>>> ????????? at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown >>>>> Source) >>>>> ????????? at >>>>> org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265) >>>>> >>>>> ????????? at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130) >>>>> >>>>> ????????? 
at >>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>>> ????????? at >>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>> >>>>> ????????? 
at >>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>>> >>>>> ????????? at >>>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>>> >>>>> ????????? at >>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>>> >>>>> ????????? 
at >>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>> >>>>> ????????? at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>>> >>>>> ????????? at >>>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>>> ????????? at >>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>>> >>>>> ????????? at >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> >>>>> ????????? at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> >>>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>>> Caused by: javax.transaction.HeuristicRollbackException >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) >>>>> >>>>> ????????? 
at >>>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>>> >>>>> ????????? at >>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>>> >>>>> ????????? ... 91 more >>>>> Caused by: javax.transaction.xa.XAException >>>>> ????????? at >>>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>>> >>>>> ????????? at >>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>>> >>>>> ????????? ... 95 more >>>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>>> org.keycloak.services.DefaultKeycloakSession >>>>> Caused by: an exception which occurred: >>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>> ????????? in field >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>> >>>>> ????????? in field >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>> >>>>> ????????? in object >>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>> >>>>> ????????? 
>>>>>           in object
>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
>>>>>           in object java.util.concurrent.ConcurrentHashMap@51f3597e
>>>>>           in object
>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
>>>>>           in object
>>>>> org.infinispan.commands.write.PutKeyValueCommand@63f7437d
>>>>>           in object org.infinispan.commands.tx.PrepareCommand@f4eee60e
>>>>
>>>>
>>
>

From jose.goncalves at inov.pt Thu Mar 22 06:30:54 2018
From: jose.goncalves at inov.pt (José Miguel Gonçalves)
Date: Thu, 22 Mar 2018 10:30:54 +0000
Subject: [keycloak-user] API not protected immediately after logout
In-Reply-To: <20180322072951.GA1935@abstractj.org>
References: <4be58663-b70b-9107-3c4d-b839117fc0b3@inov.pt> <08c45ddb-d6aa-8dcf-36b2-b0da6db28cbd@inov.pt> <8953b5cd-ad6f-bcd3-eeb7-4f9f1d0f38bb@inov.pt> <20180322072951.GA1935@abstractj.org>
Message-ID:

Done: https://issues.jboss.org/browse/KEYCLOAK-6964

On 03/22/2018 07:37 AM, Bruno Oliveira wrote:
> Sorry if I didn't see your message before. My e-mail was disabled for
> this mailing list for some reason which I have no idea about.
>
> I would really appreciate it if you filed a Jira with everything you reported
> here. That way I can investigate later, when I have some time, whether
> there's a bug in the quickstarts.
>
> Thank you!
>
> On 2018-03-22, Stian Thorgersen wrote:
>> Bruno - can you comment on this please? I can't see why, when the Node.js
>> adapter is used to secure a service, it should create a cookie at all.
>>
>> On 21 March 2018 at 15:40, José Miguel Gonçalves wrote:
>>
>>

From sthorger at redhat.com Thu Mar 22 16:04:00 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 22 Mar 2018 21:04:00 +0100
Subject: [keycloak-user] Fwd: Keycloak 4.0.0.Beta1 is out
In-Reply-To:
References:
Message-ID:

I'm very pleased to announce the first release of Keycloak 4!

To download the release go to the Keycloak homepage.

Highlights

Brand new login pages

The login pages have received a brand new look. They now look much more modern and clean!

Themes and Theme Resources

It's now possible to hot-deploy themes to Keycloak through a regular provider deployment. We've also added support for theme resources. Theme resources allow adding additional templates and resources without creating a theme. Perfect for custom authenticators that require additional pages added to the authentication flow.

We've also added support to override the theme for specific clients. If that doesn't cover your needs, then there's a new Theme Selector SPI that allows you to implement custom logic to select the theme.

Native promise support to keycloak.js

The JavaScript adapter now supports native promises. Of course it still has support for the old style promises as well. Both can be used interchangeably.

Edit links in documentation

To make it easier to contribute changes to the documentation we have added links to all sections of the documentation. This brings you straight to the GitHub editor for the relevant AsciiDoctor file. There's also a quick link to report an issue on a specific page that will include the relevant page in the description.

HTTPS support on keycloak.org

Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on keycloak.org. About time?

Loads more..

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.
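As an added illustration of the native-promise note in the announcement above (example code written for this page, not code from the Keycloak project or from the release): before 4.0, keycloak.js returned its own promise object exposing chainable `.success()` and `.error()` callbacks, while 4.0 can hand back a native Promise. The `promiseType: 'native'` init option mentioned in the comments is an assumption about the 4.0 adapter's configuration; the two adapter objects and `createLegacyPromise()` are constructed stand-ins so the block runs offline. The point shown is a small bridge that lets application code be written once with async/await and keep working whichever shape the adapter returns during a migration.

```javascript
// Added example, not from the Keycloak project: interop between the legacy
// keycloak.js promise shape (.success()/.error() callbacks, chainable) and
// native Promises, so application code can be written once with async/await.

// Constructed stand-in for the legacy promise object the pre-4.0 adapter
// returned from init(), loadUserProfile(), updateToken() and friends.
function createLegacyPromise() {
  const callbacks = { success: [], error: [] };
  let settled = null; // { kind: 'success' | 'error', value } once resolved

  const promise = {
    success(cb) {
      if (settled && settled.kind === 'success') cb(settled.value);
      else callbacks.success.push(cb);
      return promise; // chainable, like the real adapter
    },
    error(cb) {
      if (settled && settled.kind === 'error') cb(settled.value);
      else callbacks.error.push(cb);
      return promise;
    },
  };

  return {
    promise,
    setSuccess(value) {
      if (settled) return;
      settled = { kind: 'success', value };
      callbacks.success.forEach((cb) => cb(value));
    },
    setError(value) {
      if (settled) return;
      settled = { kind: 'error', value };
      callbacks.error.forEach((cb) => cb(value));
    },
  };
}

// Normalise either promise shape to a native Promise. A native Promise (or any
// thenable) passes straight through; a legacy object is bridged via its callbacks.
function toNativePromise(p) {
  if (p && typeof p.then === 'function') return Promise.resolve(p);
  if (p && typeof p.success === 'function' && typeof p.error === 'function') {
    return new Promise((resolve, reject) => {
      p.success(resolve).error(reject);
    });
  }
  return Promise.reject(new TypeError('not a keycloak.js promise'));
}

// Application-side code written once with async/await. `keycloak` is whatever
// the adapter gives you: with { promiseType: 'native' } (assumed 4.0 option)
// the calls already return native Promises; on older adapters they return
// the legacy shape, and toNativePromise() handles both.
async function loadUserProfileIfAuthenticated(keycloak) {
  // check-sso: resolve the SSO state without forcing a login redirect.
  const authenticated = await toNativePromise(keycloak.init({ onLoad: 'check-sso' }));
  if (!authenticated) return null;
  return toNativePromise(keycloak.loadUserProfile());
}

// Constructed fake adapters for demonstration only; a real page uses keycloak.js.
function fakeLegacyAdapter(authenticated, profile) {
  return {
    init() {
      const d = createLegacyPromise();
      setTimeout(() => d.setSuccess(authenticated), 0); // async, like a real adapter
      return d.promise;
    },
    loadUserProfile() {
      const d = createLegacyPromise();
      setTimeout(() => d.setSuccess(profile), 0);
      return d.promise;
    },
  };
}

function fakeNativeAdapter(authenticated, profile) {
  return {
    init: () => Promise.resolve(authenticated),
    loadUserProfile: () => Promise.resolve(profile),
  };
}
```

The bridge deliberately rejects anything that is neither a thenable nor the legacy shape, so a typo in an adapter call fails loudly instead of hanging an `await` forever.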
From subodhcjoshi82 at gmail.com Fri Mar 23 01:02:23 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 23 Mar 2018 10:32:23 +0530
Subject: [keycloak-user] Keycloak will run server-jre only
Message-ID:

Hi Team,

Is there any restriction that Keycloak will only work with the server JRE and not with the client JRE?

On my Linux machine we have the following versions installed:

/usr/sbin/alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
 + 2           /usr/java/jre1.8.0_102/bin/java

It's working fine with OpenJDK, but Keycloak does not come up with the Oracle client JRE and gives this exception:

2018-03-22 12:30:56,163 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 26) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("data-source" => "KeycloakDS") ]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
    at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:124)
    at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
    at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
    at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:868)
    at
org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1269) at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:438) at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:619) at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:683) at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:642) at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:616) at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:35) at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:178) at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd.secondRuntimeStep(AbstractDataSourceAdd.java:348) at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$1.execute(AbstractDataSourceAdd.java:133) at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:980) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:726) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:450) at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:386) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: org.jboss.security.vault.SecurityVaultException: java.security.InvalidKeyException: Illegal key size or default parameters at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297) at 
org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:157)
    at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:110)
    ... 25 more
Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
    at javax.crypto.Cipher.implInit(Cipher.java:801)

But the same setup works with *open-jdk* without any issue. After that I updated the Oracle Java and used the *server-jre*:

[root at ha1 ~]# /usr/sbin/alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
 + 2           /usr/java/jre1.8.0_102/bin/java

This time it worked totally fine and Keycloak is running without any issue.

--
Subodh Chandra Joshi
http://www.questioninmind.com

From mposolda at redhat.com Fri Mar 23 03:35:09 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 23 Mar 2018 08:35:09 +0100
Subject: [keycloak-user] Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode
In-Reply-To: <2e1d0448-3324-75ff-250a-14cb0b1374fb@gmail.com>
References: <916a29d2-5429-958a-7126-ba6b05618c5e@gmail.com> <4c572884-03c7-f48d-d418-a262c9746ec9@gmail.com> <12cddcfa-cd4b-2c80-7d00-8e48bc64bf26@redhat.com> <2e1d0448-3324-75ff-250a-14cb0b1374fb@gmail.com>
Message-ID:

Cool :) If you have a little bit of time, would you mind sending a PR and adding this info to the README of our quickstart: https://github.com/keycloak/keycloak-quickstarts/blob/latest/user-storage-jpa/README.md ? Maybe add a small note to the last "More Informations" section, or create a new "Troubleshooting" section at the end?

Thanks,
Marek

On 22.3.2018 at 11:23, Dominik Guhr wrote:
> Hey Marek,
>
> thanks for the info, that did the trick for me, too!
> Might be worth a note in the SPI docs / repo.
>
> Best regards,
> Dominik
>
> On 16.03.18 at 08:55, Marek Posolda wrote:
>> Someone else from our team worked around the issue with the stateful EJB by
>> using @Stateful(passivationCapable=false) on the SFSB, as described
>> here [1], and it resolved the issue. But it's possible that his issue
>> is a bit different than yours. Just a blind tip :)
>>
>> [1]
>> https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/developing_ejb_applications/clustered_enterprise_javabeans
>>
>> Marek
>>
>> On 14/03/18 13:06, Marek Posolda wrote:
>>> On 14/03/18 09:13, Dominik Guhr wrote:
>>>> So, the example UserStorageProvider is stateful:
>>>> https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProvider.java
>>>>
>>>> Do you think it would be enough to remove the annotation here?
>>> Not sure TBH.
>>>
>>> I would personally get rid of EJB and use a "standalone" entity
>>> manager. Something similar to what Keycloak itself is doing to
>>> manipulate its JPA model. But maybe it's just me and there is
>>> something simple which can be done to have it working correctly
>>> with stateful EJB on WildFly...
>>>
>>> Marek
>>>> Sorry, but to be honest I don't know what impact this has, and there
>>>> are other applications in production using the kc, so I am
>>>> unwilling to just "change it and see what happens" at the moment,
>>>> for in the worst case there might be some impact on the other
>>>> applications (which are not using the custom provider, but still..)
>>>>
>>>> Would be nice to have some insights on exactly why this is stateful.
>>>>
>>>> Best regards,
>>>> Dominik
>>>>
>>>> p.s: Is there a clustered-keycloak-ootb-dockerimage so that I can
>>>> eventually test myself locally without losing too much time
>>>> setting up the whole cluster myself?
>>>>
>>>> On 13.03.18 at 21:36, Marek Posolda wrote:
>>>>> I guess those examples were not tested in a cluster environment.
>>>>>
>>>>> It seems the issue is that some stateful EJB is trying to
>>>>> serialize, but the EJB has a reference to DefaultKeycloakSession, which
>>>>> is not serializable (and shouldn't be, as it's not supposed to be
>>>>> serialized and sent over the network).
>>>>>
>>>>> I am not 100% sure, but if it's possible to get rid of the stateful
>>>>> EJB and use "standalone" JPA, it may help. Also it may help if you
>>>>> mark some fields transient in your EJB or write custom Infinispan
>>>>> externalizers. See the Infinispan/WildFly docs for more info.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 12/03/18 13:08, Dominik Guhr wrote:
>>>>>> Hi everyone,
>>>>>>
>>>>>> so I'm on kc 3.4.3.Final and running a custom UserStorageProvider
>>>>>> ("MyAppUserStorage" below) based on the GitHub example JPA storage
>>>>>> provider. It's all working well in the dev environment, which is not
>>>>>> clustered.
>>>>>>
>>>>>> But in my clustered production kc environment (using
>>>>>> standalone-ha, 2 nodes), the exception below is thrown.
>>>>>> Seems like it has no effect, though; I can successfully use the app,
>>>>>> even stop one node, and everything's working fine.
>>>>>>
>>>>>> Now these log entries are at least annoying and I want to know what's
>>>>>> happening here, so I hope someone could help me out. Do I have to
>>>>>> make some classes @Serializable or something (e.g. UserAdapter.java?) to
>>>>>> work correctly in clustered mode?
>>>>>>
>>>>>> Would be great to get some help here!
If you need more >>>>>> information or >>>>>> code, feel free to ask :) >>>>>> >>>>>> Best regards, >>>>>> Dominik >>>>>> >>>>>> Log: >>>>>> 2018-03-08 14:38:21,220 ERROR >>>>>> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >>>>>> ISPN000073: Unexpected error while replicating: >>>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? 
in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>>>> >>>>>> 2018-03-08 14:38:21,220 ERROR >>>>>> [org.infinispan.interceptors.InvocationContextInterceptor] (default >>>>>> task-14) ISPN000136: Error executing command PrepareCommand, writing >>>>>> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >>>>>> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >>>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? 
in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>>>> >>>>>> 2018-03-08 14:38:21,220 ERROR >>>>>> [org.infinispan.transaction.impl.TransactionCoordinator] (default >>>>>> task-14) ISPN000097: Error while processing a prepare in a >>>>>> single-phase >>>>>> transaction: >>>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>>>> >>>>>> 2018-03-08 14:38:21,221 WARN >>>>>> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >>>>>> ISPN000112: exception while committing: >>>>>> javax.transaction.xa.XAException >>>>>> ????????? at >>>>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>>>> >>>>>> ????????? 
at >>>>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>>>> >>>>>> ????????? 
at >>>>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>>>> ????????? at >>>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87) >>>>>> >>>>>> ????????? 
at >>>>>> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>>> >>>>>> ????????? at >>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>>>> >>>>>> ????????? 
at >>>>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>>> >>>>>> ????????? 
at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? 
at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>>>> >>>>>> ????????? at >>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>>> >>>>>> ????????? at >>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>>> >>>>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>>>> >>>>>> ????????? 
in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>>>> >>>>>> 2018-03-08 14:38:21,222 WARN? [org.jboss.as.txn] (default task-14) >>>>>> WFLYTX0027: The pre-jca synchronization >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 57f2b0a6 >>>>>> >>>>>> associated with tx TransactionImple < ac, BasicAction: >>>>>> 0:ffff0a7f0895:-364bcb73:5a9d46fe:5906 status: >>>>>> ActionStatus.COMMITTED > >>>>>> failed during after completion: >>>>>> org.infinispan.commons.CacheException: >>>>>> javax.transaction.HeuristicRollbackException >>>>>> ????????? at >>>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260) >>>>>> >>>>>> ????????? 
at >>>>>> org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) >>>>>> ????????? at >>>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) >>>>>> >>>>>> ????????? at >>>>>> com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) >>>>>> >>>>>> ????????? 
at >>>>>> org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>>> >>>>>> ????????? at >>>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>>> >>>>>> ????????? at >>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>>>> >>>>>> ????????? at >>>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>>>> >>>>>> ????????? 
at >>>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>>>> >>>>>> ????????? 
at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? 
at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? at >>>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>>>> >>>>>> ????????? at >>>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>>>> >>>>>> ????????? at >>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>>> >>>>>> ????????? at >>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>>> >>>>>> ????????? at java.lang.Thread.run(Thread.java:748) >>>>>> Caused by: javax.transaction.HeuristicRollbackException >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108) >>>>>> >>>>>> ????????? 
at >>>>>> org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97) >>>>>> >>>>>> ????????? ... 71 more >>>>>> Caused by: javax.transaction.xa.XAException >>>>>> ????????? at >>>>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114) >>>>>> >>>>>> ????????? at >>>>>> org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401) >>>>>> >>>>>> ????????? ... 75 more >>>>>> Caused by: org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 304e0b06 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? 
in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60c >>>>>> >>>>>> 2018-03-08 14:38:21,226 ERROR >>>>>> [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) >>>>>> ISPN000073: Unexpected error while replicating: >>>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? 
in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>>> >>>>>> 2018-03-08 14:38:21,226 ERROR >>>>>> [org.infinispan.interceptors.InvocationContextInterceptor] (default >>>>>> task-14) ISPN000136: Error executing command PrepareCommand, writing >>>>>> keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], >>>>>> UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: >>>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? 
in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>>> >>>>>> 2018-03-08 14:38:21,226 ERROR >>>>>> [org.infinispan.transaction.impl.TransactionCoordinator] (default >>>>>> task-14) ISPN000097: Error while processing a prepare in a >>>>>> single-phase >>>>>> transaction: >>>>>> org.infinispan.commons.marshall.NotSerializableException: >>>>>> org.keycloak.services.DefaultKeycloakSession >>>>>> Caused by: an exception which occurred: >>>>>> ????????? in field my.app.de.keycloak.MyAppUserStorage.session >>>>>> ????????? in object my.app.de.keycloak.MyAppUserStorage at 1f4565de >>>>>> ????????? in field >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference at 7122451c >>>>>> >>>>>> ????????? in field >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent at 1e32e6c3 >>>>>> >>>>>> ????????? in object >>>>>> org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance at 6886f535 >>>>>> >>>>>> ????????? in object java.util.concurrent.ConcurrentHashMap at 51f3597e >>>>>> ????????? in object >>>>>> org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry at 3dbc21a8 >>>>>> >>>>>> ????????? in object >>>>>> org.infinispan.commands.write.PutKeyValueCommand at 63f7437d >>>>>> ????????? in object >>>>>> org.infinispan.commands.tx.PrepareCommand at f4eee60e >>>>>> >>>>>> 2018-03-08 14:38:21,227 WARN >>>>>> [org.infinispan.transaction.tm.DummyTransaction] (default task-14) >>>>>> ISPN000112: exception while committing: >>>>>> javax.transaction.xa.XAException >>>>>> ????????? at >>>>>> org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213) >>>>>> >>>>>> ????????? 
From subodhcjoshi82 at gmail.com Fri Mar 23 03:42:50 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 23 Mar 2018 13:12:50 +0530
Subject: [keycloak-user] How to add user attribute through admin-cli
Message-ID:

I am trying to add three attributes of a user and used the admin-cli command below:

/opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=1295a70f-25f7-4e45-bcb8-285d750 1c6d9 -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'

but it's throwing:

No server or realm specified. Use --server, --realm, or 'kcadm.sh config credentials'.

Can someone please let me know what is wrong with the above command?
--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.questioninmind.com

From jonatan.erdal at capgemini.com Fri Mar 23 04:03:36 2018
From: jonatan.erdal at capgemini.com (Erdal, Jonatan)
Date: Fri, 23 Mar 2018 08:03:36 +0000
Subject: [keycloak-user] Really slow import of large amount of users
Message-ID: <9B8888F7FA2D8245A2D2BD2F130D23FF167490B0@DE-CM-MBX26.corp.capgemini.com>

Hi,

We are trying to migrate data from our old login solution to Keycloak, but we are facing issues with really slow imports. We are trying to do the import at server startup, as stated here: https://www.keycloak.org/docs/2.5/server_admin/topics/export-import.html. We are using directory import, and we have 50 users/file. When initiating the import, it is roughly importing 2 files/minute, and this gets slower the more users we have imported. After 2 hrs, we have successfully imported 88 files, 4400 users.

Here are some more details:
- Number of users: 174 000
- Number of realms: 1
- Number of clients: ~5
  - One of the clients is the main client; this has approx. 9400 client roles.
- Number of groups in realm: ~400

File structure:
Master-realm.json
Master-users-0.json
Kangaroo-realm.json
Kangaroo-users-0.json
Kangaroo-users-1.json
...
Kangaroo-users-3434.json
Kangaroo-users-3435.json

We have also increased the subsystem transaction timeout to 1800 seconds, and at server startup we are also increasing jboss.as.management.blocking.timeout and setting it to a high number.

Apart from users being slow to import, the realm also takes quite some time to import, 10 minutes; I'm guessing this is due to all the client roles we have.

In the logs, I cannot see anything that looks super suspicious.
At one time, we got the following logs, but then it continues on as before:

2018-03-22 21:29:14,993 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1004f5:701f6ef0:5ab40b08:10 in state RUN
2018-03-22 21:29:14,993 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2018-03-22 21:29:15,039 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
[... I have removed about 30 identical entries for readability here ...]
2018-03-22 21:29:15,039 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2018-03-22 21:29:15,039 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1004f5:701f6ef0:5ab40b08:10

Does anyone have any idea why it is so slow? Is there anything we can do to speed up the process? Please let me know if you need any more information.
Thanks in advance,
//Jonatan

________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825 - S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From daniel.hammarberg at capgemini.com Fri Mar 23 04:29:45 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Fri, 23 Mar 2018 08:29:45 +0000
Subject: [keycloak-user] Setting up rights in admin UI
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68401173BAC@DE-CM-MBX26.corp.capgemini.com>

Hi all,

I have spent hours and hours trying to get this to work. Now I turn to you, hoping that you will be able to help me out.

We have imported a large number of users from our current SSO solution into Keycloak. In the admin UI, we want to limit which client roles certain users should be allowed to set. For example, we have the user group Swedish Content Managers. These users should only be allowed to use the admin UI for listing users and for setting or removing the role Swedish Authorized Distributor. I have spent hours and hours trying to set this up with the instructions in the documentation, but have not managed to get it to work all the way.
Many thanks
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden
www.capgemini.com

From mstrukel at redhat.com Fri Mar 23 05:52:56 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 23 Mar 2018 10:52:56 +0100
Subject: [keycloak-user] How to add user attribute through admin-cli
In-Reply-To: References: Message-ID:

Is there a space in the middle of parentId UUID?

On Fri, Mar 23, 2018 at 8:42 AM, Subodh Joshi wrote:
> I am trying to add three attributes of user and used below admin-cli command
>
> /opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=1295a70f-25f7-4e45-bcb8-285d750 1c6d9 -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'
>
> but its throwing
>
> No server or realm specified. Use --server, --realm, or 'kcadm.sh config credentials'.
>
> Can someone please let me know what is wrong with above command?
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.questioninmind.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From subodhcjoshi82 at gmail.com Fri Mar 23 05:55:48 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 23 Mar 2018 15:25:48 +0530
Subject: [keycloak-user] How to add user attribute through admin-cli
In-Reply-To: References: Message-ID:

Hi Marko,

That may be a typo; I tried again

/opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=b33088e5-321e-4b2f-afa6-7dca1871084e -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'

End with below error

HTTP error - 400 Bad Request

On Fri, Mar 23, 2018 at 3:22 PM, Marko Strukelj wrote:
> Is there a space in the middle of parentId UUID?
>
> On Fri, Mar 23, 2018 at 8:42 AM, Subodh Joshi wrote:
>
>> I am trying to add three attributes of user and used below admin-cli command
>>
>> /opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=1295a70f-25f7-4e45-bcb8-285d750 1c6d9 -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'
>>
>> but its throwing
>>
>> No server or realm specified. Use --server, --realm, or 'kcadm.sh config credentials'.
>>
>> Can someone please let me know what is wrong with above command?
>>
>> --
>> Subodh Chandra Joshi
>> subodh1_joshi82 at yahoo.co.in
>> http://www.questioninmind.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From bruno at abstractj.org Fri Mar 23 06:05:01 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 23 Mar 2018 07:05:01 -0300
Subject: [keycloak-user] Keycloak will run server-jre only
In-Reply-To: References: Message-ID: <20180323100501.GA8597@abstractj.org>

I believe that for Oracle JRE you have to install JCE[1].

[1] - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

On 2018-03-23, Subodh Joshi wrote:
> Hi Team,
>
> Is there any restriction that keycloak will work with server-jre only and not with client-jre ?
> In my linux machine we have following version installed
>
> /usr/sbin/alternatives --config java
>
> There are 2 programs which provide 'java'.
>
> Selection Command
> -----------------------------------------------
> * 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
> + 2 /usr/java/jre1.8.0_102/bin/java
>
> Then its working fine with openjdk but keycloak not coming up with Oracle client-jre and giving this exception
>
> 2018-03-22 12:30:56,163 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 26) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "datasources"),
> ("data-source" => "KeycloakDS")
> ]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
> at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:124)
> at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
> at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
> at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
> at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
> at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
> at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
> at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:868)
> at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1269)
> at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:438)
> at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:619)
> at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:683)
> at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:642)
> at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:616)
> at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:35)
> at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:178)
> at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd.secondRuntimeStep(AbstractDataSourceAdd.java:348)
> at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$1.execute(AbstractDataSourceAdd.java:133)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:980)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:726)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:450)
> at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:386)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: org.jboss.security.vault.SecurityVaultException: java.security.InvalidKeyException: Illegal key size or default parameters
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
> at org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:157)
> at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:110)
> ... 25 more
> Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
> at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
> at javax.crypto.Cipher.implInit(Cipher.java:801)
>
> But same setup working with *open-jdk* without any issue after that i updated the Oracle Java and used *server-jre*
>
> [root at ha1 ~]# /usr/sbin/alternatives --config java
>
> There are 2 programs which provide 'java'.
>
> Selection Command
> -----------------------------------------------
> * 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
> + 2 /usr/java/jre1.8.0_102/bin/java
>
> This time it worked totally fine and keycloak running without any issue.
> --
> Subodh Chandra Joshi
>
> http://www.questioninmind.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From Paolo.Tedesco at cern.ch Fri Mar 23 06:11:02 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Fri, 23 Mar 2018 10:11:02 +0000
Subject: [keycloak-user] Authenticating to a client with another client's service account
Message-ID: <6D320D40264A8545A9C25EC79DE1E32501ECCC79B2@CERNXCHG43.cern.ch>

Hi all,

I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials. I've set the access type of both API and application to "confidential".
From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters:

client_id = confidential_client
client_secret =
grant_type = client_credentials

From this, I obtain a token, that looks like this:

{
"access_token": "eyJhbG...Z0qmQ"
// other stuff
}

Then, I try to call my API with an authentication header with Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)

However, this does not seem to work, and the API acts like the user is not authenticated.

Any idea of what I'm doing wrong?

Thanks,
Paolo

From sthorger at redhat.com Fri Mar 23 07:00:18 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 23 Mar 2018 11:00:18 +0000
Subject: [keycloak-user] Keycloak 4.0.0.Beta1 is out
References: Message-ID:

I missed one cool new feature. We also now have support for UMA 2.0 including allowing users to manage resource permissions in the account management console.

On Thu, 22 Mar 2018, 21:04 Stian Thorgersen, wrote:
> I'm very pleased to announce the first release of Keycloak 4!
>
> To download the release go to the Keycloak homepage.
>
> Highlights
>
> Brand new login pages
>
> The login pages have received a brand new look. They now look much more modern and clean!
>
> Themes and Theme Resources
>
> It's now possible to hot-deploy themes to Keycloak through a regular provider deployment. We've also added support for theme resources. Theme resources allows adding additional templates and resources without creating a theme. Perfect for custom authenticators that require additional pages added to the authentication flow.
>
> We've also added support to override the theme for specific clients. If that doesn't cover your needs, then there's a new Theme Selector SPI that allows you to implement custom logic to select the theme.
>
> Native promise support to keycloak.js
>
> The JavaScript adapter now supports native promises.
> Of course it still has support for the old style promises as well. Both can be used interchangeably.
>
> Edit links in documentation
>
> To make it easier to contribute changes to the documentation we have added links to all sections of the documentation. This brings you straight to the GitHub editor for the relevant AsciiDoctor file. There's also a quick link to report an issue on a specific page that will include the relevant page in the description.
>
> HTTPS support on keycloak.org
>
> Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on keycloak.org. About time?
>
> Loads more..
>
> The full list of resolved issues is available in JIRA.
>
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.
>

From mstrukel at redhat.com Fri Mar 23 07:05:44 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 23 Mar 2018 12:05:44 +0100
Subject: [keycloak-user] How to add user attribute through admin-cli
In-Reply-To: References: Message-ID:

It looks like there is something wrong with attribute names, or their values for this provider.

I suggest you try to perform the same operation through Admin Console with debug tools enabled, and see exactly what needs to be sent to the server.

On Fri, Mar 23, 2018 at 10:55 AM, Subodh Joshi wrote:
> Hi Marko,
>
> That may be a typo; I tried again
> /opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=b33088e5-321e-4b2f-afa6-7dca1871084e -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'
>
> End with below error
>
> HTTP error - 400 Bad Request
>
> On Fri, Mar 23, 2018 at 3:22 PM, Marko Strukelj wrote:
>
>> Is there a space in the middle of parentId UUID?
>>
>> On Fri, Mar 23, 2018 at 8:42 AM, Subodh Joshi wrote:
>>
>>> I am trying to add three attributes of user and used below admin-cli command
>>>
>>> /opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=1295a70f-25f7-4e45-bcb8-285d750 1c6d9 -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'
>>>
>>> but its throwing
>>>
>>> No server or realm specified. Use --server, --realm, or 'kcadm.sh config credentials'.
>>>
>>> Can someone please let me know what is wrong with above command?
>>>
>>> --
>>> Subodh Chandra Joshi
>>> subodh1_joshi82 at yahoo.co.in
>>> http://www.questioninmind.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com
>

From betalb at gmail.com Fri Mar 23 07:08:01 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 23 Mar 2018 11:08:01 +0000
Subject: [keycloak-user] Token exchange without configured policy
In-Reply-To: References: Message-ID:

Hello again, wanted to come up with the same question again, for me, this behaviour looks like a bug, but I'm not sure

On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко wrote:
> Hi
>
> I've been experimenting with internal to internal token exchange [1] and managed to exchange token without configured policy
>
> My original token belongs to public client (token_owner_klient_id) and I'm trying to exchange it with audience set to a confidential client that allows only client credentials grant (confidential_client).
>
> If I execute request as provided in documentation access is denied, but if I'll provide confidential_client+confidential_client_secret exchange operation succeeds.
>
> The only difference in tokens issued with and without policy is that with policy azp claim is set correctly to token_owner_klient_id.
>
> The question is -- is it correct behaviour from the perspective of token exchange?
>
> curl -v -X POST --user confidential_client:confidential_client_secret \
> -d "client_id=token_owner_klient_id" \
> --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
> -d "subject_token=${TOKEN}" \
> --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
> -d "audience=confidential_client" \
> http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
>
> [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
>

From subodhcjoshi82 at gmail.com Fri Mar 23 07:47:39 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 23 Mar 2018 17:17:39 +0530
Subject: [keycloak-user] How to add user attribute through admin-cli
In-Reply-To: References: Message-ID:

I found the solution. After too many hit & try, also with the help of my teammate, we found the solution and we have to fire below command through admin-cli to create user attributes

/opt/keycloak/bin/kcadm.sh create users -s username=admin111 -s enabled=true -r master -s "attributes.tenantId=value" -s "attributes.ugId=ugId" -s "attributes.appId=app"

On Fri, Mar 23, 2018 at 4:35 PM, Marko Strukelj wrote:
> It looks like there is something wrong with attribute names, or their values for this provider.
>
> I suggest you try to perform the same operation through Admin Console with debug tools enabled, and see exactly what needs to be sent to the server.
>
> On Fri, Mar 23, 2018 at 10:55 AM, Subodh Joshi wrote:
>
>> Hi Marko,
>>
>> That may be a typo; I tried again
>> /opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=b33088e5-321e-4b2f-afa6-7dca1871084e -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'
>>
>> End with below error
>>
>> HTTP error - 400 Bad Request
>>
>> On Fri, Mar 23, 2018 at 3:22 PM, Marko Strukelj wrote:
>>
>>> Is there a space in the middle of parentId UUID?
>>>
>>> On Fri, Mar 23, 2018 at 8:42 AM, Subodh Joshi wrote:
>>>
>>>> I am trying to add three attributes of user and used below admin-cli command
>>>>
>>>> /opt/keycloak/bin/kcadm.sh create components -r master -s name=user-attribute -s providerId=user-attribute -s parentId=1295a70f-25f7-4e45-bcb8-285d750 1c6d9 -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s 'config."ugId"=["Admin_UserGroup"]'
>>>>
>>>> but its throwing
>>>>
>>>> No server or realm specified. Use --server, --realm, or 'kcadm.sh config credentials'.
>>>>
>>>> Can someone please let me know what is wrong with above command?
>>>>
>>>> --
>>>> Subodh Chandra Joshi
>>>> subodh1_joshi82 at yahoo.co.in
>>>> http://www.questioninmind.com
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>> --
>> Subodh Chandra Joshi
>> subodh1_joshi82 at yahoo.co.in
>> http://www.trendsinnews.com
>>
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From betalb at gmail.com Fri Mar 23 07:53:39 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 23 Mar 2018 11:53:39 +0000
Subject: [keycloak-user] Token exchange without configured policy
In-Reply-To: References: Message-ID:

Looks like I found a possible answer in the documentation. If I got this correctly, naked exchanges are allowed for confidential client, but one question is still open: why azp claim is different?

On Fri, Mar 23, 2018 at 2:08 PM Виталий Ищенко wrote:
> Hello again, wanted to come up with the same question again, for me, this behaviour looks like a bug, but I'm not sure
>
> On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко wrote:
>
>> Hi
>>
>> I've been experimenting with internal to internal token exchange [1] and managed to exchange token without configured policy
>>
>> My original token belongs to public client (token_owner_klient_id) and I'm trying to exchange it with audience set to a confidential client that allows only client credentials grant (confidential_client).
>>
>> If I execute request as provided in documentation access is denied, but if I'll provide confidential_client+confidential_client_secret exchange operation succeeds.
>>
>> The only difference in tokens issued with and without policy is that with policy azp claim is set correctly to token_owner_klient_id.
>>
>> The question is -- is it correct behaviour from the perspective of token exchange?
>>
>> curl -v -X POST --user confidential_client:confidential_client_secret \
>> -d "client_id=token_owner_klient_id" \
>> --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>> -d "subject_token=${TOKEN}" \
>> --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
>> -d "audience=confidential_client" \
>> http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
>>
>> [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
>>
>

From fco at iec.ch Fri Mar 23 09:01:38 2018
From: fco at iec.ch (Corbetta, Francesco)
Date: Fri, 23 Mar 2018 13:01:38 +0000
Subject: [keycloak-user] mappers and user federation
Message-ID:

Hello

I wrote a JPA federation provider which works perfectly but I'm not able to add claims via the client mappers table.

For example, I have a User property "gender" which is mapped to my UserModel getGender method, which does mapping to the underlying hibernate entity.

I configured the mapper as:

Consent required: Off
Mapper Type: user Property
Property: gender
Token Claim Name: person_gender
Claim JSON Type: string
Add ID token: ON
Add to Access Token: ON
Add to userinfo: ON

While the hibernate entity correctly loads the value, the claim is never included in the userinfo object.

To develop the provider I basically followed the user-storage-jpa example.

Server version is 3.4.0.Final

Best regards
Francesco

From lahari.guntha at tcs.com Fri Mar 23 09:46:18 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Fri, 23 Mar 2018 13:46:18 +0000
Subject: [keycloak-user] Group-Mapping
In-Reply-To: References: <1521200921834.37549@tcs.com>, Message-ID: <1521812778054.55506@tcs.com>

Hi,

Thanks Simon.

Does setting "Cache Policy" to "No Cache" option under "User Federation" make any sense in this case?? as shown below?
[inline image: cid:69b609f1-3662-4933-b316-29896ba797fe (scrubbed from the archive)]

Could someone explain the "Eviction" policy for user cache??

What exactly will happen???

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache.

On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:

Hi All,

We are using keycloak of version 3.3.0.CR2.

I have my Keycloak integrated with LDAP.

I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.

eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"

When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.

Now I add the user "user1" into another group "group2"...

But now the newly added group is not reflected when click on User> Group Mapping.

Why Is this happening??

What is the solution to continuously sync the users with the groups they are present in/added newly automatically????

Thanks,
Lahari

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited.
If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From lahari.guntha at tcs.com Fri Mar 23 10:25:28 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Fri, 23 Mar 2018 14:25:28 +0000
Subject: [keycloak-user] "HTTPS Required"
Message-ID: <1521815127939.49747@tcs.com>

Hi All,

I am using Keycloak of version 3.3.0.CR2...

I have launched keycloak as a container in a VM...

Whenever I try to access the "http" port of keycloak...It is showing "HTTPS REQUIRED"...

Even Setting of "Require SSL" to "none" Under Login tab of "Realm Settings" did not help....

Is there any other solution we have to get this problem solved??

Thanks & Regards,
Lahari G
From simonpayne58 at gmail.com Fri Mar 23 11:10:04 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Fri, 23 Mar 2018 15:10:04 +0000
Subject: [keycloak-user] Group-Mapping
In-Reply-To: <1521812778054.55506@tcs.com>
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com>
Message-ID:

if you are referring to the standard entry

I simply added the expiration value to the existing local-cache entry for users

then LRU means least recently used. so it will cache 10,000 users and evict the least recently used when cache limit is reached. obviously this will only evict users if you have greater than 10,000 in your system.

So in my case i changed to the following

I simply added the expiration value to the existing local-cache entry for users

which will additionally expire entries after 20 minutes.

full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:
> Hi,
>
> Thanks Simon.
>
> Does setting "Cache Policy" to "No Cache" option under "User Federation" make any sense in this case?? as shown below?
>
> [inline image: cid:69b609f1-3662-4933-b316-29896ba797fe (scrubbed from the archive)]
>
> Could someone explain the "Eviction" policy for user cache??
>
> What exactly will happen???
>
> Thanks & Regards,
> Lahari G
>
> ________________________________
> From: Simon Payne
> Sent: 16 March 2018 19:06
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache.
>
> On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:
> Hi All,
>
> We are using keycloak of version 3.3.0.CR2.
>
> I have my Keycloak integrated with LDAP.
>
> I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.
>
> eg:
>
> Users in LDAP: "user1"
>
> Groups in LDAP: "group1","group2"
>
> When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
>
> Now I add the user "user1" into another group "group2"...
>
> But now the newly added group is not reflected when click on User> Group Mapping.
>
> Why Is this happening??
>
> What is the solution to continuously sync the users with the groups they are present in/added newly automatically????
>
> Thanks,
>
> Lahari
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From simonpayne58 at gmail.com Fri Mar 23 11:20:17 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Fri, 23 Mar 2018 15:20:17 +0000
Subject: [keycloak-user] "HTTPS Required"
In-Reply-To: <1521815127939.49747@tcs.com>
References: <1521815127939.49747@tcs.com>
Message-ID:

If i want https i put keycloak behind a nginx proxy.

On Fri, Mar 23, 2018 at 2:25 PM, Lahari Guntha wrote:
>
> Hi All,
>
> I am using Keycloak of version 3.3.0.CR2...
>
> I have launched keycloak as a container in a VM...
>
> Whenever I try to access the "http" port of keycloak...It is showing "HTTPS REQUIRED"...
>
> Even Setting of "Require SSL" to "none" Under Login tab of "Realm Settings" did not help....
>
> Is there any other solution we have to get this problem solved??
>
> Thanks & Regards,
> Lahari G
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Paolo.Tedesco at cern.ch Fri Mar 23 11:53:31 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Fri, 23 Mar 2018 15:53:31 +0000
Subject: [keycloak-user] Authenticating to a client with another client's service account
Message-ID: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch>

I've found out that the problem was in the audience validation of my API.

The access token I get from keycloak when I authenticate my confidential client has always

aud = confidential_client_id

How am I supposed to get a token with a different audience value?

I tried specifying in the POST request to the token endpoint

resource = client_id_of_the_api

which works with ADFS 2016, but seems to be ignored by Keycloak.

Thanks,
Paolo

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Paolo Tedesco
Sent: Friday, 23 March, 2018 11:11
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Authenticating to a client with another client's service account

Hi all,

I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials. I've set the access type of both API and application to "confidential".
From the application, I obtain a token with a POST to
https://keycloak-server/auth/realms/master/protocol/openid-connect/token
with these parameters:

client_id = confidential_client
client_secret =
grant_type = client_credentials

From this, I obtain a token that looks like this:
{
    "access_token": "eyJhbG...Z0qmQ"
    // other stuff
}

Then, I try to call my API with an authentication header with

Bearer = "eyJhbG...Z0qmQ" (the access_token from the previous step)

However, this does not seem to work, and the API acts like the user is not authenticated.
Any idea of what I'm doing wrong?

Thanks,
Paolo

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mbelivea at redhat.com Fri Mar 23 14:32:34 2018
From: mbelivea at redhat.com (Matthew Beliveau)
Date: Fri, 23 Mar 2018 14:32:34 -0400 (EDT)
Subject: [keycloak-user] Having trouble with SSL and HTTPS with Keycloak 3.4.3
In-Reply-To: <754162138.10034314.1521829768387.JavaMail.zimbra@redhat.com>
Message-ID: <1152604472.10034673.1521829954778.JavaMail.zimbra@redhat.com>

Hello,

I've been having trouble setting up SSL and HTTPS with Keycloak recently.
I have already tried doing what these two links suggest:

https://www.keycloak.org/docs/3.3/server_installation/topics/network/https.html

https://github.com/dcm4che/dcm4chee-arc-light/wiki/Enabling-SSL-HTTPS-for-the-Keycloak-Server

But I still can't get it to work. If there is a different or better way of setting up SSL and HTTPS in keycloak, I would love to know.

Any help would be gratefully appreciated.
Thank you,
Matthew Beliveau

From subodhcjoshi82 at gmail.com Fri Mar 23 22:59:58 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Sat, 24 Mar 2018 02:59:58 +0000
Subject: [keycloak-user] Having trouble with SSL and HTTPS with Keycloak 3.4.3
In-Reply-To: <1152604472.10034673.1521829954778.JavaMail.zimbra@redhat.com>
References: <754162138.10034314.1521829768387.JavaMail.zimbra@redhat.com> <1152604472.10034673.1521829954778.JavaMail.zimbra@redhat.com>
Message-ID:

Can you share what error or exception you are getting? If you share details about the issue it will definitely help us to resolve it.

On Sat, 24 Mar 2018, 00:12 Matthew Beliveau, wrote:

From zoltan.kukk at gmail.com Sat Mar 24 20:24:07 2018
From: zoltan.kukk at gmail.com (Zoltán Kukk)
Date: Sun, 25 Mar 2018 01:24:07 +0100
Subject: [keycloak-user] Keycloak SAML Elytron adapter with aggregate-realm
Message-ID:

Hi all,

I tried to use the Keycloak SAML adapter in Wildfly 11, but I have to enrich the SAML claim with local roles, so I have grouped KeycloakSAMLRealm as authentication realm and a properties-realm as authorization realm with an aggregate-realm.
I have figured out that it is not working because the Elytron properties-realm is limited to using NamePrincipal only, while Keycloak returns a SamlPrincipal.
Can you suggest a solution to add roles to a SAML claim from a local store (file or database)?

Best regards,
Zoltán Kukk

From omri.tavor at forcepoint.com Sun Mar 25 10:18:45 2018
From: omri.tavor at forcepoint.com (Omri Tavor)
Date: Sun, 25 Mar 2018 14:18:45 +0000
Subject: [keycloak-user] High throughput communication- Use of a transparent (by value) token
Message-ID:

Hi,

I have two backend servers that need to communicate at a high throughput (1000s of requests per second). I don't want each of the requests to be blocked/slowed down by the server contacting the Keycloak server to verify the token.
Is there a way I can create a transparent token that could be verified without having to access the KeyCloak server in each request?

Thanks,
Omri.

From mattprpic at live.ca Sun Mar 25 20:22:19 2018
From: mattprpic at live.ca (matt prpic)
Date: Mon, 26 Mar 2018 00:22:19 +0000
Subject: [keycloak-user] Does Keycloak Support EAR deployments
Message-ID:

Hello,

I've been searching for this question online and on Keycloak's community pages, but I cannot find the answer anywhere.

I have an EAR file with a JAR file within it. The JAR file is an application with various EJBs. The EAR file is deployed on a Wildfly 11 server and the Keycloak Adapter was installed using the CLI (adapter-elytron-install-offline.cli).

I have tried calling one of my service's EJBs using a JNDI lookup through a test application, but there is no mention of any Keycloak authentication. I can only authenticate if I use one of the Wildfly users, which tells me that Keycloak is not participating in this authentication at all.

Below is my configuration:

EJB

@SecurityDomain("keycloak")
@Stateless(name="TestBean")
@RemoteHome(TestBeanHome.class)
@TransactionAttribute(value=TransactionAttributeType.REQUIRED)
public class TestBean implements ITestBean {
...
Standalone.xml

testrealm http://localhost:8180/auth true EXTERNAL testclient password

My question is: Does Keycloak support this project setup? The documentation only mentions WAR files, which is not an option for me.

Any help would be appreciated.

Thanks,
Matt

From carlosthe19916 at gmail.com Sun Mar 25 23:25:01 2018
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Sun, 25 Mar 2018 22:25:01 -0500
Subject: [keycloak-user] Why Authz examples has been removed from 4.0.0.Beta1
Message-ID:

Hi There. I wonder why the Authz examples have been removed from the Keycloak 4.0.0.Beta1 version.

I saw this commit here:

https://github.com/keycloak/keycloak/commit/35b9fe043caf10287f4f8c835233df68e0a0c046#diff-bfebe34154a0dfd9fc7b447fc9ed74e9

I'd like to know if Keycloak 4 will change the way authz works on Keycloak 3.4.3.Final. I have software projects that work in the same way that the photoz authz example used to work.

Please, I'd like to know your answer. Thanks!

--
Carlos E. Feria Vila

From mposolda at redhat.com Mon Mar 26 02:55:15 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Mar 2018 08:55:15 +0200
Subject: [keycloak-user] [keycloak-dev] Why Authz examples has been removed from 4.0.0.Beta1
In-Reply-To:
References:
Message-ID:

They've been moved to the quickstarts repository AFAIK. See https://github.com/keycloak/keycloak-quickstarts and the "app-authz-*" examples.

Marek

On 26/03/18 05:25, Carlos Feria wrote:
From subodhcjoshi82 at gmail.com Mon Mar 26 03:30:30 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Mon, 26 Mar 2018 13:00:30 +0530
Subject: [keycloak-user] Keycloak will run server-jre only
In-Reply-To: <20180323100501.GA8597@abstractj.org>
References: <20180323100501.GA8597@abstractj.org>
Message-ID:

Ok. As per the Stackoverflow reply:

*That looks like the very common Oracle/Sun crypto-limited-to-128-bits issue, for which there are already about a hundred Qs, except that should apply equally to Oracle/Sun JDK, (client) JRE, AND server-JRE when that exists (last 1.5 years), and 8u161 or 162, or 9, of any of those -- or any OpenJDK since forever -- should fix it.*

So it's a known issue and keycloak also comes under it.

*All variants of Oracle 8u161 and 162 (JDK, client JRE, server-JRE) fixed the crypto-limited-policy issue (by making it configurable but default to unlimited), which I think (but cannot be absolutely certain) is the issue you have. (OpenJDK is built differently and never had this problem in any version.)*

On Fri, Mar 23, 2018 at 3:35 PM, Bruno Oliveira wrote:
> I believe that for Oracle JRE you have to install JCE[1].
>
> [1] - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
>
> On 2018-03-23, Subodh Joshi wrote:
> > Hi Team,
> >
> > Is there any restriction that keycloak will work with server-jre only and
> > not with client-jre?
> > In my linux machine we have the following versions installed
> >
> > /usr/sbin/alternatives --config java
> >
> > There are 2 programs which provide 'java'.
> >
> >   Selection    Command
> > -----------------------------------------------
> > *  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
> >  + 2           /usr/java/jre1.8.0_102/bin/java
> >
> > Then it's working fine with openjdk, but keycloak is not coming up with the Oracle
> > client-jre and gives this exception
> >
> > 2018-03-22 12:30:56,163 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 26) WFLYCTL0013: Operation ("add") failed - address: ([
> >     ("subsystem" => "datasources"),
> >     ("data-source" => "KeycloakDS")
> > ]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
> >     at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:124)
> >     at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
> >     at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
> >     at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
> >     at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
> >     at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
> >     at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
> >     at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:868)
> >     at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1269)
> >     at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:438)
> >     at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:619)
> >     at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:683)
> >     at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:642)
> >     at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:616)
> >     at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:35)
> >     at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:178)
> >     at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd.secondRuntimeStep(AbstractDataSourceAdd.java:348)
> >     at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$1.execute(AbstractDataSourceAdd.java:133)
> >     at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:980)
> >     at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:726)
> >     at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:450)
> >     at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:386)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> >     at java.lang.Thread.run(Unknown Source)
> >     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > Caused by: org.jboss.security.vault.SecurityVaultException: java.security.InvalidKeyException: Illegal key size or default parameters
> >     at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
> >     at org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:157)
> >     at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:110)
> >     ... 25 more
> > Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
> >     at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
> >     at javax.crypto.Cipher.implInit(Cipher.java:801)
> >
> >
> > But the same setup is working with *open-jdk* without any issue. After that I
> > updated the Oracle Java and used *server-jre*
> >
> > [root at ha1 ~]# /usr/sbin/alternatives --config java
> >
> > There are 2 programs which provide 'java'.
> >
> >   Selection    Command
> > -----------------------------------------------
> > *  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
> >  + 2           /usr/java/jre1.8.0_102/bin/java
> >
> > This time it worked totally fine and keycloak is running without any issue.
> > --
> > Subodh Chandra Joshi
> >
> > http://www.questioninmind.com
>
> --
>
> abstractj

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From daniel.hammarberg at capgemini.com Mon Mar 26 04:03:31 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Mon, 26 Mar 2018 08:03:31 +0000
Subject: [keycloak-user] Performance
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com>

Hi all,

In our currently running project, we are moving to Keycloak as SSO for a few sites with about 180000 active users, a large hierarchy of groups and peaks with thousands of calls per second. We are starting to get a feeling that Keycloak cannot handle such a large amount of data and traffic. Is there any documentation anywhere on server sizing and expected performance for large sites? Has anyone run peak tests and endurance tests on Keycloak and in that case, what was the outcome? Does anyone have experience in using Keycloak for sites of this size?
Best regards
/Daniel

Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg

From psilva at redhat.com Mon Mar 26 07:53:48 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 26 Mar 2018 08:53:48 -0300
Subject: [keycloak-user] [keycloak-dev] Why Authz examples has been removed from 4.0.0.Beta1
In-Reply-To:
References:
Message-ID:

Like Marek said, they were moved to the keycloak-quickstarts repository.

Regarding the photoz example, I messed up the merges in upstream and Beta1 was released without photoz [1] being merged to keycloak-quickstarts. We'll fix that by the next release. If you want to give it a try, please consider the changes in the PR.

Sorry for the confusion.

[1] https://github.com/keycloak/keycloak-quickstarts/pull/102

Regards.
Pedro Igor

On Mon, Mar 26, 2018 at 3:55 AM, Marek Posolda wrote:
From psilva at redhat.com Mon Mar 26 08:01:28 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 26 Mar 2018 09:01:28 -0300
Subject: [keycloak-user] Authenticating to a client with another client's service account
In-Reply-To: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch>
References: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch>
Message-ID:

This is something we are not doing correctly: access tokens are always created with the client as the audience and not the resource server / target service.

Marek can give more insights about this, but I think this should be fixed by the work he is doing around Client Scopes.

Another alternative is to use token exchange [1].

[1] http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Regards.
Pedro Igor

On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco wrote:
From marian.rainer-harbach at apa.at Mon Mar 26 09:22:50 2018
From: marian.rainer-harbach at apa.at (Rainer-Harbach Marian)
Date: Mon, 26 Mar 2018 15:22:50 +0200
Subject: [keycloak-user] Performance
In-Reply-To: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com>
References: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com>
Message-ID: <6b796445-6d4c-c03d-6bde-332060be6c9d@apa.at>

Hi Daniel,

On 2018-03-26 10:03, Hammarberg, Daniel wrote:

just to give you a rough idea: We are running performance tests against a small Keycloak cluster (two machines with 24 CPU cores and 12 GB RAM each). We simulate OIDC and SAML login flows using JMeter. These tests use five million test users (but there are no groups). In this scenario we achieve about 400 logins per second or 12000 requests to the userinfo endpoint per second. We found that login performance varies greatly with the number of PBKDF2 hashing iterations used (Keycloak uses 27500 by default).
Best regards,
Marian

From triton.oidc at gmail.com Mon Mar 26 09:31:58 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Mon, 26 Mar 2018 13:31:58 +0000
Subject: [keycloak-user] Identity Brokering, external IDP require nonce
Message-ID:

Hi,

in my scenario, I'm using Keycloak as an IDP broker.
It works fine with a lot of configuration.

I built keycloak from source 3 weeks ago.

However the IDP I'm trying to integrate right now requires a nonce in the first call on the authorization endpoint.

https://myidp.com/authorize?scope=openid+profile&state=state&response_type=code&client_id=clientid&redirect_uri=redirect_uri
fails, but if I manually add "&nonce=1234" to the url it works.

I could not find an option in the external IDP concerning this nonce generation.
Did I miss something?
Should I ask for a feature and wait for someone to look at it?

Any help would be appreciated.

Thanks a lot

Amaury

From carlosthe19916 at gmail.com Mon Mar 26 09:53:06 2018
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Mon, 26 Mar 2018 08:53:06 -0500
Subject: [keycloak-user] [keycloak-dev] Why Authz examples has been removed from 4.0.0.Beta1
In-Reply-To:
References:
Message-ID:

Thank you very much for answering. Now I'm without doubts.

On Mon, Mar 26, 2018 at 6:53 AM, Pedro Igor Silva wrote:
--
Carlos E. Feria Vila

From jayblanc at gmail.com Mon Mar 26 10:50:49 2018
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Mon, 26 Mar 2018 14:50:49 +0000
Subject: [keycloak-user] Identity Brokering, external IDP require nonce
In-Reply-To:
References:
Message-ID:

Hi triton,

I have submitted a pull request that should fix that (https://github.com/keycloak/keycloak/pull/5082).
Could you try with the latest sources and confirm that it works now?

Thanks,
Best regards, Jérôme.

On Mon, 26 Mar 2018 at 15:40, triton oidc wrote:
From marc.logemann at gmail.com Mon Mar 26 12:10:36 2018
From: marc.logemann at gmail.com (Marc Logemann)
Date: Mon, 26 Mar 2018 18:10:36 +0200
Subject: [keycloak-user] 403 on /sso/login with Spring Boot and Keycloak Adapter
Message-ID:

Hi,

I have a little Spring Boot Application and it runs pretty nicely together with the keycloak setup on my dev machine. Now when deploying the same application to another server I get something strange:

When trying to access a protected resource, my browser gets a 302 to /sso/login which is ok, but this URL should also produce a 302 to the final Keycloak Login Page. Instead I get a 403 on the sso/login request.

The crazy thing is, on my local dev machine the /sso/login doesn't get a 403 but a 302 with the resulting valid and perfect URL (http://localhost:16177/auth/realms/XXXX/protocol/openid-connect/auth?response_type=code&client_id=swaggerUI&redirect_uri=http%3A%2F%2Flocalhost%3A8091%2Fsso%2Flogin&state=d919e1d0-3804-4e47-9cfe-d8647eb6fd5f&login=true&scope=openid)

What I want to say is.... I don't have a clue why I get a 403 on a resource /sso/login, which as I assume, is provided by the spring keycloak adapter. And even crazier... it's the same application.

Thanks for any hints.
marc

From mposolda at redhat.com Mon Mar 26 14:34:58 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Mar 2018 20:34:58 +0200
Subject: [keycloak-user] Authenticating to a client with another client's service account
In-Reply-To:
References: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch>
Message-ID:

Yes, as Pedro mentioned, I hope that better audience support will be available in Keycloak master in the next few weeks (or months), so it should be available in some next beta. The JIRA is https://issues.jboss.org/browse/KEYCLOAK-6638 .

Question: This parameter "resource=client_id_of_the_api" seems to be an ADFS-specific parameter? Or is it mentioned in some specification? We plan to support better audience support through the "scope" parameter or have it available by default (depends on where the admin defines the protocolMapper for audience).

Thanks,
Marek

On 26/03/18 14:01, Pedro Igor Silva wrote:
From mposolda at redhat.com Mon Mar 26 14:35:54 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 26 Mar 2018 20:35:54 +0200
Subject: [keycloak-user] Identity Brokering, external IDP require nonce
In-Reply-To:
References:
Message-ID:

You can even download the latest Keycloak 4.0.Beta. I think it should be there. No need even to build anything from sources :)

Marek

On 26/03/18 16:50, Jérôme Blanchard wrote:
>>
>> any help would be appreciated
>>
>> Thanks a lot
>>
>> Amaury

From lahari.guntha at tcs.com Tue Mar 27 01:27:52 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Tue, 27 Mar 2018 05:27:52 +0000
Subject: [keycloak-user] Group-Mapping
In-Reply-To: 
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com>
Message-ID: <1522128470918.36450@tcs.com>

Hi,

Do we need to reload the keycloak server after changing the standalone.xml?

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:40
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if you are referring to the standard entry

I simply added the expiration value to the existing local-cache entry for users

then LRU means least recently used. so it will cache 10,000 users and evict the least recently used when cache limit is reached. obviously this will only evict users if you have greater than 10,000 in your system. So in my case i changed to the following

I simply added the expiration value to the existing local-cache entry for users

which will additionally expire entries after 20 minutes.

full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:
Hi,

Thanks Simon.

Does setting "Cache Policy" to "No Cache" option under "User Federation" make any sense in this case? as shown below?

Could someone explain the "Eviction" policy for user cache?
What exactly will happen?
Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache.

On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:
Hi All,

We are using keycloak of version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.
eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"

When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.

Now I add the user "user1" into another group "group2"...
But now the newly added group is not reflected when click on User> Group Mapping.

Why is this happening?

What is the solution to continuously sync the users with the groups they are present in/added newly automatically?

Thanks,
Lahari
=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments.
Thank you

From mukesh_harshwal at yahoo.co.in Tue Mar 27 03:14:12 2018
From: mukesh_harshwal at yahoo.co.in (mukesh Harshwal)
Date: Tue, 27 Mar 2018 07:14:12 +0000 (UTC)
Subject: [keycloak-user] Help for configuring keycloak with existing GWT amalgamated Spring application
References: <1740588060.276992.1522134852738.ref@mail.yahoo.com>
Message-ID: <1740588060.276992.1522134852738@mail.yahoo.com>

Hi team,

I am having an existing GWT amalgamated Spring application which is currently configured with JOSSO by using Spring Security. In order to revive the application security I want to plug-out JOSSO and integrate Keycloak. I've seen few examples for Keycloak integration with Springboot application but not finding any example for simple Spring application's integration with Keycloak. Any help would be appreciated gratefully.

Thanks,
Mukesh

From upananda313 at gmail.com Tue Mar 27 03:43:54 2018
From: upananda313 at gmail.com (Upananda Singha)
Date: Tue, 27 Mar 2018 13:13:54 +0530
Subject: [keycloak-user] UTF-8 character set support for user name and other fields / attributes
Message-ID: 

Hi,

I am working with the Keycloak OIDC feature, and needed some clarification regarding the character set it supports:

1. I have a requirement to use utf-8 characters (multi byte) in the Username field which seems to work fine while setting the user name and I can login to Keycloak. But it seems there are other related issues while generating / encoding the tokens.
Sometimes (some characters) it works fine but for some multibyte characters it throws

{
  "error": "invalid_grant",
  "error_description": "Code not valid"
}

while trying to get the Tokens using the authorization code.

Can someone tell me if Keycloak actually supports utf-8 character set in Username and other fields and also in Custom user attributes?

It would be of great help if anybody can share some information.

Thanks,
Upananda, Motorola Solutions

From daniel.hammarberg at capgemini.com Tue Mar 27 03:57:38 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Tue, 27 Mar 2018 07:57:38 +0000
Subject: [keycloak-user] Performance
In-Reply-To: <6b796445-6d4c-c03d-6bde-332060be6c9d@apa.at>
References: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com> <6b796445-6d4c-c03d-6bde-332060be6c9d@apa.at>
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68401176112@DE-CM-MBX26.corp.capgemini.com>

Hi Marian and all others,

Thank you for your input. Our main concern right now, except that we run on much smaller machines, is that the initial user import takes too long time to finish. It starts out fast and then quite soon, it runs slower and slower. Do you think it would help to radically reduce the number of hashing iterations (to, say one) during import? We force the users to change password on the first login anyway, so I guess that it would not affect security?
Best regards
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg
Mob.: + 46 725 052212
www.capgemini.com
_______________________________________________________________________
Connect with Capgemini:

-----Original Message-----
From: Rainer-Harbach Marian
Sent: 26 March 2018 15:23
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Performance

Hi Daniel,

On 2018-03-26 10:03, Hammarberg, Daniel wrote:
> In our currently running project, we are moving to Keycloak as SSO for a few sites with about 180000 active users, a large hierarchy of groups and peaks with thousands of calls per second. We are starting to get a feeling that Keycloak cannot handle such a large amount of data and traffic. Is there any documentation anywhere on server sizing and expected performance for large sites? Has anyone run peak tests and endurance tests on Keycloak and in that case, what was the outcome? Does anyone have experience in using Keycloak for sites of this size?

just to give you a rough idea: We are running performance tests against a small Keycloak cluster (two machines with 24 CPU cores and 12 GB RAM each). We simulate OIDC and SAML login flows using JMeter. These tests use five million test users (but there are no groups). In this scenario we achieve about 400 Logins per second or 12000 requests to the userinfo endpoint per second. We found that login performance varies greatly with the number of PBKDF2 hashing iterations used (Keycloak uses 27500 by default).

Best regards,
Marian

________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131, Box 825, S-161 24 Bromma.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From triton.oidc at gmail.com Tue Mar 27 04:35:09 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Tue, 27 Mar 2018 08:35:09 +0000
Subject: [keycloak-user] Identity Brokering, external IDP require nonce
In-Reply-To: 
References: 
Message-ID: 

Hi,

indeed i used the keycloak beta (had an issue with the build)
@Jerome it worked like a charm
Apologies for missing this commit and disturbing you for something that was already fixed

Just for information my issue was with France Connect too

Thanks for your help

Amaury

On Mon, Mar 26, 2018 at 6:35 PM, Marek Posolda wrote:

> You can even download latest Keycloak 4.0.Beta . I think it should be there. No need even to build anything from sources :)
>
> Marek
>
> On 26/03/18 16:50, Jérôme Blanchard wrote:
>
>> Hi triton,
>> I have submitted a pull request that should fix that. (https://github.com/keycloak/keycloak/pull/5082)
>> Could you try with the latest sources and confirm that it works now ?
>> Thanks,
>> Best regards, Jérôme.
>>
>> On Mon, 26 Mar 2018 at 15:40, triton oidc wrote:
>>
>>> Hi,
>>>
>>> in my scenario, i'm using Keycloak as an IDP broker.
>>> It works fine with a lot of configuration.
>>>
>>> I built keycloak from source 3 weeks ago.
>>>
>>> However the IDP i'm trying to integrate right now requires a nonce in the first call on the authorization endpoint.
>>>
>>> https://myidp.com/authorize?scope=openid+profile&state=state&response_type=code&client_id=clientid&redirect_uri=redirect_uri
>>> fails
>>> but if i manually add "&nonce=1234" in the url it works
>>>
>>> I could not find an option in the external IDP concerning this nonce generation.
>>> Did i miss something ?
>>> Should i ask for a feature and i'll wait for someone to look at it ?
>>>
>>> any help would be appreciated
>>>
>>> Thanks a lot
>>>
>>> Amaury

From simonpayne58 at gmail.com Tue Mar 27 04:43:55 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Tue, 27 Mar 2018 09:43:55 +0100
Subject: [keycloak-user] Group-Mapping
In-Reply-To: <1522128470918.36450@tcs.com>
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com>
Message-ID: 

if standalone-ha.xml is changed then a restart is necessary.

Simon.

On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha wrote:

> Hi,
>
> Do we need to reload the keycloak server after changing the standalone.xml?
>
> Thanks & Regards,
> Lahari G
>
> ________________________________
> From: Simon Payne
> Sent: 23 March 2018 20:40
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> if you are referring to the standard entry
>
> I simply added the expiration value to the existing local-cache entry for users
>
> then LRU means least recently used. so it will cache 10,000 users and evict the least recently used when cache limit is reached. obviously this will only evict users if you have greater than 10,000 in your system.
> So in my case i changed to the following
>
> I simply added the expiration value to the existing local-cache entry for users
>
> which will additionally expire entries after 20 minutes.
>
> full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem
>
> On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:
> Hi,
>
> Thanks Simon.
>
> Does setting "Cache Policy" to "No Cache" option under "User Federation" make any sense in this case? as shown below?
>
> Could someone explain the "Eviction" policy for user cache?
> What exactly will happen?
>
> Thanks & Regards,
> Lahari G
>
> ________________________________
> From: Simon Payne
> Sent: 16 March 2018 19:06
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache.
>
> On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:
> Hi All,
>
> We are using keycloak of version 3.3.0.CR2.
> I have my Keycloak integrated with LDAP.
> I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.
> eg:
> Users in LDAP: "user1"
> Groups in LDAP: "group1","group2"
>
> When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
>
> Now I add the user "user1" into another group "group2"...
> But now the newly added group is not reflected when click on User> Group Mapping.
>
> Why is this happening?
>
> What is the solution to continuously sync the users with the groups they are present in/added newly automatically?
>
> Thanks,
> Lahari

From simonpayne58 at gmail.com Tue Mar 27 04:49:10 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Tue, 27 Mar 2018 09:49:10 +0100
Subject: [keycloak-user] 403 on /sso/login with Spring Boot and Keycloak Adapter
In-Reply-To: 
References: 
Message-ID: 

it appears that your remote app is still connecting to keycloak on localhost. looking at the redirect url you can see that it is then attempting to redirect back to your app on localhost.

Simon.
On Mon, Mar 26, 2018 at 5:10 PM, Marc Logemann wrote:

> Hi,
>
> i have a little Spring Boot Application and it runs pretty nice together with the keycloak setup on my dev machine. Now when deploying the same application to another server i get something strange:
>
> When trying to access a protected resource, my browser gets a 302 to /sso/login which is ok but this URL should also produce a 302 to the final Keycloak Login Page. Instead i get a 403 on the sso/login request. The crazy thing is, on my local dev machine the /sso/login doesnt get a 403 but a 302 with the resulting valid and perfect URL
> (http://localhost:16177/auth/realms/XXXX/protocol/openid-connect/auth?response_type=code&client_id=swaggerUI&redirect_uri=http%3A%2F%2Flocalhost%3A8091%2Fsso%2Flogin&state=d919e1d0-3804-4e47-9cfe-d8647eb6fd5f&login=true&scope=openid)
>
> What i want to say is.... i dont have a clue why i get a 403 on a resource /sso/login, which as i assume, is provided by spring keycloak adapter. And even crazier... its the same application.
>
> thanks for any hints.
>
> marc

From tech at psynd.net Tue Mar 27 05:24:15 2018
From: tech at psynd.net (Simon)
Date: Tue, 27 Mar 2018 11:24:15 +0200
Subject: [keycloak-user] Keycloak MFA platform for authentication of users in other systems
Message-ID: <3b672c393a711101414bfd596e345bb4@psynd.net>

Dear experts,

we would like to implement a MFA authentication on Windows or on Unix systems and we were wondering if Keycloak could be an option and if it might support such functionality.
Did anybody try already anything like that?
Thanks,
Simon

From y.skopets at gmail.com Tue Mar 27 06:02:53 2018
From: y.skopets at gmail.com (Yaroslav Skopets)
Date: Tue, 27 Mar 2018 12:02:53 +0200
Subject: [keycloak-user] A few questions about OIDC Key Rotation in Keycloak
Message-ID: 

Hi guys!

I've got a few questions about OIDC Key Rotation in Keycloak:

1) Does Keycloak support fully automatic rotation of OIDC keys ?
From a user perspective, I'd like to be able to set a rule ala "rotate keys every 24 hours".
I see that https://issues.jboss.org/browse/KEYCLOAK-905 had a similar intent: "Option to enable automatic period rotation of keys (in cluster make sure only one node does it)"
Was it actually implemented ?

2) As a user, I'd like to automate rotation of OIDC keys. I see that through Admin REST API I can create/activate/delete keys. However, does Keycloak allow me as a user to attach custom meta data to those keys ? Such as `time when the key was created`, `time when the key was made active`, `time when the key was deactivated`, etc
My goal is to implement a key rotation policy based on those extra pieces of meta data.

Thanks in advance!

-- 
Best regards,
Yaroslav Skopets

From Sebastian.Schuster at bosch-si.com Tue Mar 27 08:11:16 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1))
Date: Tue, 27 Mar 2018 12:11:16 +0000
Subject: [keycloak-user] Authenticating to a client with another client's service account
In-Reply-To: 
References: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch>
Message-ID: 

A resource parameter was for example described in this OAuth2 spec draft: https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
Currently, the OAuth2 guys are discussing this in the context of the distributed OAuth2 spec, see https://www.ietf.org/mail-archive/web/oauth/current/msg17817.html
But I don't know the details, so I am not sure this is relevant...

Best regards,
Sebastian

Kind regards / Best regards

Dr.-Ing.
Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, 26 March 2018 20:35
To: Pedro Igor Silva ; Paolo Tedesco
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authenticating to a client with another client's service account

Yes, as Pedro mentioned, I hope that better audience support will be available in Keycloak master in next few weeks (or months), so in some next beta, it should be available. JIRA is https://issues.jboss.org/browse/KEYCLOAK-6638 .

Question: This parameter "resource=client_id_of_the_api" seems to be ADFS specific parameter? Or is it mentioned in some specification? We plan to support better audience support through "scope" parameter or have it available by default (depends on where admin defines protocolMapper for audience).

Thanks,
Marek

On 26/03/18 14:01, Pedro Igor Silva wrote:
> This is something we are not doing correctly where access tokens are always created with the client as the audience and not the resource server / target service.
>
> Marek can give more insights about this but I think this should be fixed by the work he is doing around Client Scopes.
>
> Another alternative is use token exchange [1].
>
> [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>
> Regards.
> Pedro Igor
>
> On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco wrote:
>
>> I've found out that the problem was in the audience validation of my API.
>> The access token I get from keycloak when I authenticate my confidential client has always
>>
>> aud = confidential_client_id
>>
>> How am I supposed to get a token with a different audience value?
>> I tried specifying in the POST request to the token endpoint
>>
>> resource = client_id_of_the_api
>>
>> which works with ADFS 2016, but seems to be ignored by Keycloak.
>>
>> Thanks,
>> Paolo
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Paolo Tedesco
>> Sent: Friday, 23 March, 2018 11:11
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Authenticating to a client with another client's service account
>>
>> Hi all,
>>
>> I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials.
>> I've set the access type of both API and application to "confidential".
>>
>> From the application, I obtain a token with a POST to
>> https://keycloak-server/auth/realms/master/protocol/openid-connect/token
>> with these parameters:
>>
>> client_id = confidential_client
>> client_secret = 
>> grant_type = client_credentials
>>
>> From this, I obtain a token, that looks like this:
>> {
>>   "access_token": "eyJhbG...Z0qmQ"
>>   // other stuff
>> }
>>
>> Then, I try to call my API with an authentication header with
>>
>> Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)
>>
>> However, this does not seem to work, and the API acts like the user is not authenticated.
>> Any idea of what I'm doing wrong?
>>
>> Thanks,
>> Paolo

From marc.logemann at gmail.com Tue Mar 27 08:53:02 2018
From: marc.logemann at gmail.com (Marc Logemann)
Date: Tue, 27 Mar 2018 14:53:02 +0200
Subject: [keycloak-user] 403 on /sso/login with Spring Boot and Keycloak Adapter
In-Reply-To: 
References: 
Message-ID: 

Hi,

it was slightly more annoying. In my spring-boot application i defined sslRequired = EXTERNAL. Unfortunately, my tests on the other machine were not "local" anymore, thus the keycloak adapter went into SSL mode and tried to construct the redirect URL. But then i didnt specify an SSL port so it was a -1 per default. All this resulted in a standard 403. Logging could be way better for such a scenario because i debugged approx. 2 hours to get the idea.

Anyway... now it works.

Marc

2018-03-27 10:49 GMT+02:00 Simon Payne :
> it appears that your remote app is still connecting to keycloak on localhost. looking at the redirect url you can see that it is then attempting to redirect back to your app on localhost.
>
> Simon.
>
> On Mon, Mar 26, 2018 at 5:10 PM, Marc Logemann wrote:
>>
>> Hi,
>>
>> i have a little Spring Boot Application and it runs pretty nice together with the keycloak setup on my dev machine.
>> Now when deploying the same application to another server i get something strange:
>>
>> When trying to access a protected resource, my browser gets a 302 to /sso/login which is ok but this URL should also produce a 302 to the final Keycloak Login Page. Instead i get a 403 on the sso/login request. The crazy thing is, on my local dev machine the /sso/login doesnt get a 403 but a 302 with the resulting valid and perfect URL
>>
>> (http://localhost:16177/auth/realms/XXXX/protocol/openid-connect/auth?response_type=code&client_id=swaggerUI&redirect_uri=http%3A%2F%2Flocalhost%3A8091%2Fsso%2Flogin&state=d919e1d0-3804-4e47-9cfe-d8647eb6fd5f&login=true&scope=openid)
>>
>> What i want to say is.... i dont have a clue why i get a 403 on a resource /sso/login, which as i assume, is provided by spring keycloak adapter. And even crazier... its the same application.
>>
>> thanks for any hints.
>>
>> marc

From mingjliu.9 at gmail.com Tue Mar 27 10:43:57 2018
From: mingjliu.9 at gmail.com (Mingjun Liu)
Date: Tue, 27 Mar 2018 22:43:57 +0800
Subject: [keycloak-user] [Proposal] Hard Code the Composite Role Relationship of Admin Role into Java code not Database Records?
In-Reply-To: 
References: 
Message-ID: 

Hi Team,

I found that the admin role in master realm will have all roles in xxxx-realm type client in master realm as composite. This design will have a lots of rows to be inserted into database. However, the admin role is targeted for super privileged users to have all privileges on all resources in keycloak server, there is rarely reasons to change this scenario.

One observation is that when there is 6K realms in database, the getRole method of admin role would take more than *1 SECOND*. It will result in bad response for admin rest api.
Benefit: We are alleviated from lots of database write/read, especially when realm number grows to thousands and more. We are more confident to support large number of realms.

Drawbacks: we need carefully implement logics on the special admin role, multiple places needs work.

Please let me know your concerns. Thank you!

Regards,
Mingjun Liu

From rodolfo_dpk at yahoo.com Tue Mar 27 16:45:20 2018
From: rodolfo_dpk at yahoo.com (Rodolfo de Paula)
Date: Tue, 27 Mar 2018 20:45:20 +0000 (UTC)
Subject: [keycloak-user] Direct grant flow using a CAS token as a credential.
References: <442310453.630412.1522183520378.ref@mail.yahoo.com>
Message-ID: <442310453.630412.1522183520378@mail.yahoo.com>

Greetings,

We started doing a proof of concept with Keycloak only 2 weeks ago. We already have a small SPA in Vue.js with authentication using the direct grant flow. Since we have a legacy users database, we plugged a custom UserFederationProvider implementation. This custom provider helped us to support these 2 scenarios:

1) Users authenticating against our legacy database.
2) Users authenticating against our CAS server.

Since the user storage provider has access to user/password, our implementation will also try to get a Service Token from our CAS server and in case of success, it will set a value to a custom user attribute "CAS_TOKEN" so the SPA will have access to it and use when it's needed (links to CAS protected resources).

This works for our POC but we have a third scenario: We want to authenticate an user coming to our resources but with a token (CAS) appended to the url. With the CAS token, we would need to 1) validate the ticket, 2) get user identity in order to authenticate it. But we have been studying that providers/authenticator example from Keycloak source but it doesn't seems to be useful since we are using direct grant flow.

So can someone please give me a hint on this? Is there any other (better/cleaner) way to do this?

Thanks in advance!
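The failure in the "Authenticating to a client with another client's service account" thread above (the API rejects a client_credentials token whose aud is confidential_client) comes down to the audience check a resource server performs. The block below is an added example, not code from the thread or from Keycloak: it shows the resource-server side check (signature, expiry, issuer, audience, with aud handled as either a string or a list as RFC 7519 allows) and reproduces both the token Paolo described and one that carries client_api in its audience. It assumes HS256 with a constructed shared secret so that it runs offline (Keycloak signs access tokens with the realm's RSA key); the issuer is the realm URL from Paolo's token endpoint, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for this example only; a real resource server verifies
# the realm's RSA public key (from the realm's JWKS endpoint), not a shared secret.
SHARED_SECRET = b"constructed-example-secret-not-a-real-key"
ISSUER = "https://keycloak-server/auth/realms/master"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS (HS256) over the given claims; stands in for the token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, expected_aud: str, secret: bytes = SHARED_SECRET,
                   expected_iss: str = ISSUER, now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource-server check: signature first, then exp, iss and aud. Returns (accepted, reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never let the token pick the algorithm
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    # RFC 7519: aud is a single string or an array of strings; the API must appear in it.
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in audiences:
        return False, f"audience mismatch: token is for {audiences}, not {expected_aud}"
    return True, "ok"


def demo(now: float = 1_522_000_000.0) -> dict:
    """The two tokens from the thread, plus a forgery, checked by the API (client_api)."""
    base = {"iss": ISSUER, "exp": now + 300,
            "azp": "confidential_client",        # Keycloak records the requesting client here
            "sub": "service-account-confidential_client"}
    # What Paolo observed: aud is the client that asked for the token, not the API.
    as_issued = make_token({**base, "aud": "confidential_client"})
    # What an audience protocol mapper (or token exchange) for client_api would yield.
    with_api_aud = make_token({**base, "aud": ["confidential_client", "client_api"]})
    # Same claims signed under a different key: rejected before any claim is read.
    forged = make_token({**base, "aud": ["client_api"]}, secret=b"wrong-key")
    return {
        "as_issued": validate_token(as_issued, "client_api", now=now),
        "with_api_aud": validate_token(with_api_aud, "client_api", now=now),
        "forged": validate_token(forged, "client_api", now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```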
From lahari.guntha at tcs.com Wed Mar 28 00:58:11 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Wed, 28 Mar 2018 04:58:11 +0000
Subject: [keycloak-user] Group-Mapping
In-Reply-To: 
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com>
Message-ID: <1522213091103.32619@tcs.com>

Hi Simon,

We have our keycloak in standalone configuration. I have my keycloak running as a docker container. I logged into the container and manually changed the standalone.xml....and then restarted the server using the below command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

I have all my users synced to Keycloak. Now I have an entry of a user "User1" in keycloak. This user is not present in any group in LDAP...Now I added the user "User1" in one of the group in LDAP....now since I have set the "Eviction rate"......I should get the updated group of the user that the user is recently added to in Keycloak UI when I check the "GroupMappings" for that particular user....

Why am I not able to see the groups that the user were added to even after setting the eviction time?
Should I login into any of the application that is integrated with SSO so that I get the User with their proper groups?

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 27 March 2018 14:13
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if standalone-ha.xml is changed then a restart is necessary.

Simon.

On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha wrote:
Hi,

Do we need to reload the keycloak server after changing the standalone.xml?
Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:40
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if you are referring to the standard entry

I simply added the expiration value to the existing local-cache entry for users

then LRU means least recently used. so it will cache 10,000 users and evict the least recently used when cache limit is reached. obviously this will only evict users if you have greater than 10,000 in your system. So in my case i changed to the following

I simply added the expiration value to the existing local-cache entry for users

which will additionally expire entries after 20 minutes.

full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:
Hi,

Thanks Simon.

Does setting "Cache Policy" to "No Cache" option under "User Federation" make any sense in this case? as shown below?

Could someone explain the "Eviction" policy for user cache?
What exactly will happen?

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache.

On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:
Hi All,

We are using keycloak of version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak.
I have also configured Group mappers so that groups from LDAP are also synced to LDAP. eg: Users in LDAP: "user1" Groups in LDAP: "group1","group2" When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it. Now I add the user "user1" into another group "group2"... But now the newly added group is not reflected when click on User> Group Mapping. Why Is this happening?? What is the solution to continuously sync the users with the groups they are present in/added newly automatically???? Thanks, Lahari =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. 
Thank you _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org>>> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From lahari.guntha at tcs.com Wed Mar 28 01:04:43 2018 From: lahari.guntha at tcs.com (Lahari Guntha) Date: Wed, 28 Mar 2018 05:04:43 +0000 Subject: [keycloak-user] Group-Mapping In-Reply-To: References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com>, Message-ID: <1522213483195.38672@tcs.com> Hi Simon, We have our keycloak in standalone configuration. I have my keycloak running as a docker container. I loged into the container and manually changed the standalone.xml....and then restarted the server using the below command: docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload" I have all my users synced to Keycloak. Now I have an entry of a user "User1" in keycloak. This user is not present in any group in LDAP...Now I added the user "User1" in one of the group in LDAP....now since I have set the "Eviction rate"......I should get the updated group of the user that the user is recently added to in Keycloak UI when I check the "GroupMappings" for that particular user.... Why am I not able to see the groups that the user were added to even after setting the eviction time?? Should I login into any of the application that is integrated with SSO so that I get the User with their proper groups??? Thanks & Regards, Lahari G? 
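The cache setting Simon describes in this thread (an LRU-bounded users cache of 10,000 entries, plus an expiration so that entries also drop out after 20 minutes) is what decides how long Keycloak keeps serving a federated user's cached group list before the LDAP group mappers are consulted again. The XML itself did not survive in the archive, so the following is an added example, not code from the thread or from Keycloak: two constructed fragments modelled on the keycloak cache-container of a Keycloak 3.x standalone.xml (the before and after of the change Simon made), and a small Go program that reads back which eviction and expiration settings apply to a given cache. The attribute names max-entries, strategy and lifespan are from the WildFly 10 Infinispan subsystem schema; the cache-container name and its jndi-name are assumed to match a stock Keycloak 3.x install, and nothing is copied from a real server.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Constructed "before" fragment modelled on the keycloak cache-container of a
// Keycloak 3.x standalone.xml (WildFly 10 Infinispan subsystem); only the users cache is shown.
const BeforeXML = `<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <local-cache name="users">
      <eviction max-entries="10000" strategy="LRU"/>
    </local-cache>
  </cache-container>
</subsystem>`

// The same cache after the change Simon describes: lifespan is in
// milliseconds, so 1200000 drops an entry 20 minutes after it was cached even
// when the cache is nowhere near its 10,000-entry LRU limit.
const AfterXML = `<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
  <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <local-cache name="users">
      <eviction max-entries="10000" strategy="LRU"/>
      <expiration lifespan="1200000"/>
    </local-cache>
  </cache-container>
</subsystem>`

type Eviction struct {
	MaxEntries int    `xml:"max-entries,attr"`
	Strategy   string `xml:"strategy,attr"`
}

type Expiration struct {
	Lifespan int64 `xml:"lifespan,attr"` // ms after creation, 0 = unset
}

type LocalCache struct {
	Name       string      `xml:"name,attr"`
	Eviction   *Eviction   `xml:"eviction"`
	Expiration *Expiration `xml:"expiration"`
}

type subsystem struct {
	Containers []struct {
		Name   string       `xml:"name,attr"`
		Caches []LocalCache `xml:"local-cache"`
	} `xml:"cache-container"`
}

// FindCache returns the named local-cache of the "keycloak" cache-container.
func FindCache(doc, cacheName string) (*LocalCache, error) {
	var s subsystem
	if err := xml.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	for _, ct := range s.Containers {
		if ct.Name != "keycloak" {
			continue
		}
		for i := range ct.Caches {
			if ct.Caches[i].Name == cacheName {
				return &ct.Caches[i], nil
			}
		}
	}
	return nil, fmt.Errorf("local-cache %q not found in the keycloak container", cacheName)
}

// Lifespan converts the lifespan attribute to a Duration (0 when unset).
func (c *LocalCache) Lifespan() time.Duration {
	if c.Expiration == nil {
		return 0
	}
	return time.Duration(c.Expiration.Lifespan) * time.Millisecond
}

// Describe says in words what will remove an entry from this cache.
func (c *LocalCache) Describe() string {
	msg := fmt.Sprintf("cache %q:", c.Name)
	if c.Eviction != nil {
		msg += fmt.Sprintf(" %s eviction above %d entries;", c.Eviction.Strategy, c.Eviction.MaxEntries)
	}
	if d := c.Lifespan(); d > 0 {
		return msg + fmt.Sprintf(" entries expire %s after being cached", d)
	}
	return msg + " no time-based expiration, so a cached user (and its group list) stays until size-evicted"
}

func main() {
	for _, doc := range []string{BeforeXML, AfterXML} {
		if c, err := FindCache(doc, "users"); err == nil {
			fmt.Println(c.Describe())
		}
	}
}
```

Run as is it prints one line per fragment. The point of Describe is the caveat in the thread: without the expiration element a cached user, and with it that user's group mappings, only leaves the cache when 10,000 other users have pushed it out, which on a small installation never happens. lifespan counts from the moment the entry was cached, so a change in LDAP becomes visible in Keycloak at most 20 minutes later regardless of how often the account is used.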
From betalb at gmail.com Wed Mar 28 02:35:40 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Wed, 28 Mar 2018 06:35:40 +0000
Subject: [keycloak-user] High throughput communication- Use of a transparent (by value) token

This is by design. Keycloak uses JWT tokens, which can be verified without contacting IdP. Your app just needs public keys from keycloak instance. This is done automatically by keycloak adapter.

Adapter has 2 ways of getting keys:
* you can supply them explicitly
* adapter can fetch and cache them

On Sun, 25 Mar 2018 at 17:21, Omri Tavor wrote:

> Hi,
> I have two backend servers that need to communicate at a high throughput
> (1000s requests per second).
> I don't want each of the requests to block/slow down by the server
> contacting the Keycloak server to verify the token.
> Is there a way I can create a transparent token that could be verified
> without having to access the KeyCloak server in each request?
> Thanks,
> Omri.
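What Виталий describes, the adapter holding the realm's public keys locally and checking each token's signature itself so that no request has to go back to Keycloak, looks like this in code. The following is an added example in Go, not code from the thread or from any Keycloak adapter, and it goes a little beyond the message: after the RS256 signature it also checks the claims an API has to validate locally, exp, iss and aud (in both the string and the array form RFC 7519 allows). To run offline it stands in for Keycloak with a freshly generated RSA key and a small token signer; a real adapter would fill KeyCache from the realm's certs endpoint instead. The issuer URL, key id and client ids are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims checked here; "aud" is a string or an array of strings (RFC 7519 4.1.3).
type Claims struct {
	Iss string      `json:"iss"`
	Sub string      `json:"sub"`
	Aud interface{} `json:"aud"`
	Exp int64       `json:"exp"`
}

// KeyCache maps a key id (the "kid" the realm's certs endpoint publishes) to
// the realm's public key. It is filled once, from keys supplied explicitly or
// fetched once from the realm; after that every token is checked locally.
type KeyCache map[string]*rsa.PublicKey

var enc = base64.RawURLEncoding

// Verify checks signature, expiry, issuer and audience with no network call.
func (c KeyCache) Verify(token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three segments")
	}
	hdr, cl := struct{ Alg, Kid string }{}, Claims{}
	rawH, errH := enc.DecodeString(parts[0])
	rawP, errP := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(rawH, &hdr) != nil || json.Unmarshal(rawP, &cl) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	// Pin the algorithm (never let the token choose "none" or an HMAC alg) and
	// refuse unknown key ids; an adapter would refetch the key set on a new kid.
	pub, ok := c[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	switch { // claims are trusted only now, after the signature checked out
	case cl.Exp == 0 || !now.Before(time.Unix(cl.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	case cl.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", cl.Iss)
	case !audienceContains(cl.Aud, audience):
		return nil, fmt.Errorf("token not issued for audience %q", audience)
	}
	return &cl, nil
}

// audienceContains accepts both the string and the array form of "aud".
func audienceContains(aud interface{}, want string) bool {
	list, _ := aud.([]interface{})
	if s, ok := aud.(string); ok {
		list = []interface{}{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// Stand-ins for Keycloak so the example runs offline: a throwaway realm
// signing key and a signer producing RS256 tokens the way the realm would.
func NewRealmKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func MintToken(priv *rsa.PrivateKey, kid string, cl Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(cl)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, iss := NewRealmKey(), "https://keycloak.example/auth/realms/demo" // constructed values
	cache := KeyCache{"realm-key-1": &priv.PublicKey}
	tok := MintToken(priv, "realm-key-1", Claims{Iss: iss, Sub: "svc", Aud: "client_api", Exp: time.Now().Add(time.Minute).Unix()})
	fmt.Println(cache.Verify(tok, iss, "client_api", time.Now()))
}
```

The cache is keyed by kid so that a token signed after a key rotation is recognisable as such; the example simply rejects an unknown kid, which is the point at which an adapter refetches the key set. Pinning alg to RS256 before the key lookup is deliberate: the token must never get to select a different, weaker algorithm. The audience check is the one that matters for the API side of this thread: a token minted for one client is not automatically valid at another, and an API that skips the check accepts any token the realm has ever issued.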
From pulgupta at redhat.com Wed Mar 28 08:29:52 2018
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Wed, 28 Mar 2018 17:59:52 +0530
Subject: [keycloak-user] Get JWT from Keycloak For a SAML based client

Hi Team,

We are using SAML based clients for our applications but we also need a JWT to pass to other systems so that they can also do their validation. Do we have a straightforward way of getting a JWT token for a SAML based client from Keycloak?

--
PULKIT GUPTA

From Marcel.Nemet at gmail.com Wed Mar 28 08:51:01 2018
From: Marcel.Nemet at gmail.com (Marcel Német)
Date: Wed, 28 Mar 2018 14:51:01 +0200
Subject: [keycloak-user] How to import keycloak-authz from keycloak-js npm package in TypeScript?

I managed to import it as

import * as KeycloakAuthorization from 'keycloak-js/dist/keycloak-authz';

I am also wondering whether the line number 21 of file keycloak-authz.d.ts has an error in it. Should it be

import * as Keycloak from 'keycloak-js';

instead of

import * as Keycloak from 'keycloak';

I will open an issue.

On Thu, Mar 22, 2018 at 11:13 AM, Pedro Igor Silva wrote:

> Will check this out.
>
> On Thu, Mar 22, 2018 at 5:07 AM, Marcel Német wrote:
>
>> I can easily import Keycloak.d.ts from keycloak-js npm module using
>>
>> import * as Keycloak from 'keycloak-js';
>>
>> but I am failing to import the keycloak-authz.d.ts file and
>> the KeycloakAuthorization which is defined inside it.
>>
>> I wonder if anybody knows how to do it or did it previously. Not sure
>> whether keycloak-authz is made available at the npm package level.
>>
>> A loosely related issue I found online is:
>> https://issues.jboss.org/browse/KEYCLOAK-4822
>>
>> --
>> Marcel Német
>> marcel.nemet at gmail.com
>> 0795153648
>
>

--
Marcel Német
marcel.nemet at gmail.com
0795153648

From max.allan+keycloak at surevine.com Wed Mar 28 11:11:54 2018
From: max.allan+keycloak at surevine.com (Max Allan)
Date: Wed, 28 Mar 2018 16:11:54 +0100
Subject: [keycloak-user] Domain mode cluster, slave authentication?

Hi,

Has anyone used the latest WildFly 11 version of Keycloak in domain mode?

I could get it to work on a local instance with host-master and host-slave config files. But using the same host-slave config on a different instance it would fail to authenticate.

Error:

[Host Controller] 09:07:25,741 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 5.0.5.Final
[Host Controller] 09:07:25,874 INFO  [org.jboss.as.remoting] (MSC service thread 1-2) WFLYRMT0001: Listening on 127.0.0.1:3456
[Host Controller] 09:07:26,167 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.33.10:9999: java.lang.IllegalStateException: WFLYHC0043: Unable to connect due to authentication failure.
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnectionService.rethrowIrrecoverableConnectionFailures(RemoteDomainConnectionService.java:674)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:293)
[Host Controller]     at org.jboss.as.host.controller.DomainModelControllerService.connectToDomainMaster(DomainModelControllerService.java:938)
[Host Controller]     at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:692)
[Host Controller]     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370)
[Host Controller]     at java.lang.Thread.run(Thread.java:748)
[Host Controller] Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
[Host Controller]    DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
[Host Controller]     at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:109)
[Host Controller]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:446)
[Host Controller]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
[Host Controller]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller]     at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller]     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
[Host Controller]     at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller]     at ...asynchronous invocation...(Unknown Source)
[Host Controller]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:570)
[Host Controller]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:532)
[Host Controller]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:520)
[Host Controller]     at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:204)
[Host Controller]     at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:120)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:223)
[Host Controller]     at org.wildfly.common.context.Contextual.runExceptionAction(Contextual.java:108)
[Host Controller]     at org.wildfly.security.auth.client.AuthenticationContext.run(AuthenticationContext.java:268)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection.openConnection(RemoteDomainConnection.java:223)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection$InitialConnectTask.connect(RemoteDomainConnection.java:592)
[Host Controller]     at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection.connect(RemoteDomainConnection.java:147)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:288)
[Host Controller]     ... 4 more
[Host Controller]     Suppressed: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
[Host Controller]         at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:736)
[Host Controller]         at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:578)
[Host Controller]         at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller]         at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller]         at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
[Host Controller]         at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller]
[Host Controller] 09:07:26,169 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
[Host Controller] 09:07:26,169 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
[Host Controller] 09:07:26,170 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99

After poking around a bit I found the slave makes a connection with this bit of host-slave.xml:

I changed $local to admin and it connects fine. But if I understand Wildfly, then you shouldn't need to specify a username at all, and the remote server will interpret $local (or none) as the local default user, which would be "admin". I tried leaving out the username and that didn't work either.

Have I managed to configure my user wrong on the master somehow? I used this command (and obviously have the correct secret in the host-slave.xml):

bin/add-user.sh -u admin -p password -r ManagementRealm -ds -e

Or is this actually expected behaviour?

From marian.rainer-harbach at apa.at Wed Mar 28 11:58:48 2018
From: marian.rainer-harbach at apa.at (Rainer-Harbach Marian)
Date: Wed, 28 Mar 2018 17:58:48 +0200
Subject: [keycloak-user] Performance
In-Reply-To: <31225E3A2F1E0E43BA9272CBEBDCC68401176112@DE-CM-MBX26.corp.capgemini.com>
References: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com> <6b796445-6d4c-c03d-6bde-332060be6c9d@apa.at> <31225E3A2F1E0E43BA9272CBEBDCC68401176112@DE-CM-MBX26.corp.capgemini.com>

Hi Daniel!

On 2018-03-27 09:57, Hammarberg, Daniel wrote:
> Our main concern right now, except that we run on much smaller machines, is that the initial user import takes too long time to finish. It starts out fast and then quite soon, it runs slower and slower.

How are you importing the users and how long is "too long"?
I created my five million test users using the admin REST API in one overnight run (even when Keycloak was configured to use the default of 27500 hashing iterations). I didn't observe any slowdown during the course of that run.

> Do you think it would help to radically reduce the number of hashing iterations (to, say one) during import? We force the users to change password on the first login anyway, so I guess that it would not affect security?

Well, it would be problematic if your database was stolen before every user really did change their password.

If you force users to do a password reset anyway an alternative might be to import the users without any credentials. Then there would be nothing to hash. Users would gain access to their accounts by using the forgotten password feature.

Best regards,
Marian

From filip.kozjak at gmail.com Wed Mar 28 13:04:39 2018
From: filip.kozjak at gmail.com (Filip Kozjak)
Date: Wed, 28 Mar 2018 19:04:39 +0200
Subject: [keycloak-user] Posting request

filip.kozjak at gmail.com

From luke at code-house.org Wed Mar 28 18:44:03 2018
From: luke at code-house.org (Łukasz Dywicki)
Date: Thu, 29 Mar 2018 00:44:03 +0200
Subject: [keycloak-user] Limiting user registrations to closed set

Hi all,

I have a case which is quite simple in terms of logic - I have an existing database of users with attributes such as first and last name, as well as email. I miss username and password, or just password if I decide to use email as login. I would like to use the attributes I know for validation of new user registrations. Any registration attempt with unknown email, first and last name should be denied.

Sadly, due to the necessity to host user self-registration in a mobile app, I had to move it outside of keycloak. This means I use a small utility to create accounts using the admin api. I've tried to use UserStorageProvider, but this SPI is not permitted to "deny" user registration. When I try to add a new user, it goes in even if there is no matching combination of attributes.

Which SPI is valid for my use case?

Kind regards,
Lukasz

From lahari.guntha at tcs.com Thu Mar 29 02:08:09 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Thu, 29 Mar 2018 06:08:09 +0000
Subject: [keycloak-user] "HTTPS Required"
References: <1521815127939.49747@tcs.com>
Message-ID: <1522303689399.46974@tcs.com>

Hi Simon,

I have followed the below docs:

http://piotrnowicki.com/java/2017/01/09/keycloak-docker-with-ssl-proxy/

According to it I have executed the following commands:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect \
  "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)"

and reloaded the server using the following command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

But still it is showing the same thing, "HTTPS required"... Could you please elaborate the steps to put keycloak behind an nginx proxy?

Thanks and Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:50
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] "HTTPS Required"

If i want https i put keycloak behind a nginx proxy.

On Fri, Mar 23, 2018 at 2:25 PM, Lahari Guntha wrote:

Hi All,

I am using Keycloak of version 3.3.0.CR2... I have launched keycloak as a container in a VM... Whenever I try to access the "http" port of keycloak... It is showing "HTTPS REQUIRED"... Even setting "Require SSL" to "none" under the Login tab of "Realm Settings" did not help...

Is there any other solution we have to get this problem solved?

Thanks & Regards,
Lahari G

From dev3 at gmx.de Thu Mar 29 03:02:33 2018
From: dev3 at gmx.de (Dev Support)
Date: Thu, 29 Mar 2018 09:02:33 +0200
Subject: [keycloak-user] Manage Resources (Keycloak 4)

From filip.kozjak at gmail.com Thu Mar 29 03:21:19 2018
From: filip.kozjak at gmail.com (Filip Kozjak)
Date: Thu, 29 Mar 2018 09:21:19 +0200
Subject: [keycloak-user] Could not obtain configuration from server

Hi everyone,

I am having troubles obtaining an access token for my Java EE REST service from Keycloak.

I have started Keycloak server at http://localhost, and I can access the admin console at http://localhost:8081/auth/admin/master/console/#/realms/demo.

Next, I created a new realm "demo" and registered my REST service there. I've copied the generated keycloak.json to the WEB-INF of my service and added what was needed to web.xml. This successfully protected my endpoint. My REST service is up and running on http://localhost:8080/.

However, now I want to set up a client that would be authorized to access the protected endpoint. The client is running at http://localhost:9080. Again, it's a Java EE REST service that talks to the protected service.
I registered it as OAuth Client in the admin console and again copied the keycloak.json to the resources of my app. I am trying to obtain the access token like this:

AuthzClient authzClient = AuthzClient.create();
AccessTokenResponse tokenResponse = authzClient.obtainAccessToken();

This results in the following error:

java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8081/auth/realms/demo/.well-known/uma-configuration].
at org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:92)
at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:60)
at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:53)
at hr.assecosee.three_ds_2.risk.services.ProxyServiceImpl.invokeRiskLevelApi(ProxyServiceImpl.java:28)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5316)
... 16 more
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 404 / Not Found
I posted a question about it on StackOverflow too:
https://stackoverflow.com/questions/49534589/404-not-found-while-requesting-token-from-keycloak

Is there something I am missing?

From dev3 at gmx.de Thu Mar 29 03:34:30 2018
From: dev3 at gmx.de (Dev Support)
Date: Thu, 29 Mar 2018 09:34:30 +0200
Subject: [keycloak-user] Manage Resources (Keycloak 4)

From Paolo.Tedesco at cern.ch Thu Mar 29 04:50:34 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Thu, 29 Mar 2018 08:50:34 +0000
Subject: [keycloak-user] Authenticating to a client with another client's service account
References: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch>
Message-ID: <6D320D40264A8545A9C25EC79DE1E32501ECCCA258@CERNXCHG43.cern.ch>

Hi Marek and Pedro,

Thanks for your answers, I will either try token exchange or just turn off audience verification for the time being, and try to assign roles to the client for access control.

I think that "resource" is ADFS specific, I could not find mentions of it other than in ADFS documentation.

What do you mean when you say that you will support audience through the scope parameter? That the token request should contain something like "scope = client ID of the target resource"?

Thanks,
Paolo

-----Original Message-----
From: Marek Posolda
Sent: Monday, 26 March, 2018 20:35
To: Pedro Igor Silva ; Paolo Tedesco
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authenticating to a client with another client's service account

Yes, as Pedro mentioned, I hope that better audience support will be available in Keycloak master in next few weeks (or months), so in some next beta, it should be available. JIRA is https://issues.jboss.org/browse/KEYCLOAK-6638 .

Question: This parameter "resource=client_id_of_the_api" seems to be ADFS specific parameter? Or is it mentioned in some specification?

We plan to support better audience support through "scope" parameter or have it available by default (depends on where admin defines protocolMapper for audience).

Thanks,
Marek

On 26/03/18 14:01, Pedro Igor Silva wrote:
> This is something we are not doing correctly where access tokens are
> always created with the client as the audience and not the resource
> server / target service.
>
> Marek can give more insights about this but I think this should be
> fixed by the work he is doing around Client Scopes.
>
> Another alternative is use token exchange [1].
>
> [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>
> Regards.
> Pedro Igor
>
> On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco wrote:
>
>> I've found out that the problem was in the audience validation of my API.
>> The access token I get from keycloak when I authenticate my
>> confidential client has always
>>
>> aud = confidential_client_id
>>
>> How am I supposed to get a token with a different audience value?
>> I tried specifying in the POST request to the token endpoint
>>
>> resource = client_id_of_the_api
>>
>> which works with ADFS 2016, but seems to be ignored by Keycloak.
>>
>> Thanks,
>> Paolo
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Paolo Tedesco
>> Sent: Friday, 23 March, 2018 11:11
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Authenticating to a client with another
>> client's service account
>>
>> Hi all,
>>
>> I have registered two clients in my Keycloak, one is an API (ID =
>> client_api) and another is a confidential client (ID =
>> confidential_client), which is a standalone application that should
>> access the API with its own credentials.
>> I've set the access type of both API and application to "confidential".
>>
>> From the application, I obtain a token with a POST to
>> https://keycloak-server/auth/realms/master/protocol/openid-connect/token
>> with these parameters:
>>
>> client_id = confidential_client
>> client_secret =
>> grant_type = client_credentials
>>
>> From this, I obtain a token, that looks like this:
>> {
>> "access_token": "eyJhbG...Z0qmQ"
>> // other stuff
>> }
>>
>> Then, I try to call my API with an authentication header with
>>
>> Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)
>>
>> However, this does not seem to work, and the API acts like the user
>> is not authenticated.
>> Any idea of what I'm doing wrong?
>>
>> Thanks,
>> Paolo

From remco.cats at gmail.com Thu Mar 29 04:55:13 2018
From: remco.cats at gmail.com (Remco Cats)
Date: Thu, 29 Mar 2018 10:55:13 +0200
Subject: [keycloak-user] keycloak ldap Oracle Identity Directory

Hi All,

I have a question about keycloak. We have the following situation:

In our LDAP environment we have Groups and Roles stored. In the LDAP environment there is a relationship between them via an attribute uniquemember. The relationship is then a many-to-many relationship that is not supported in keycloak.

So I want to import the groups into groups and roles into roles so that everything is inside keycloak. But I also want the relationship between the GROUP and the ROLE. I have already imported the groups and roles separately but I cannot map the relationship between them.
And by hand is not the ideal situation. Does anyone have this issue. best regards, Remco From yspolat at gmail.com Thu Mar 29 05:31:26 2018 From: yspolat at gmail.com (Yavuz Selim Polat) Date: Thu, 29 Mar 2018 12:31:26 +0300 Subject: [keycloak-user] kcadm.sh - Updating existing LDAP confg. Message-ID: Hi, In Keycloak- User Federation, I already configured a LDAP with below attributes. As an operation reason, we are developing a script to be able operate user (import,resync etc.) with LDAP integration. I found that AdminCLI documentation and on linux side we can perform some operation via ?kcadm.sh?. My question is, how can I update yellow highlighted attributes (Users DN and Custom User LDAP Filter) for existing LDAP confg.? If I can update Users DN and add ?tuser? to Custom User LDAP Filter attribute successfully via kcadm.sh. I will have a chance to do some user operations anyway, like I mentioned above, I just need to update current LDAP configuration. I couldn?t find in AdminCLI doc for updating operation. If you know, please share me J Regards Console Display Name - ldap Priority - 0 Import Users - On Edit Mode - READ_ONLY Sync Registrations - On Vendor - On Username LDAP attribute - uid RDN LDAP attribute - uid UUID LDAP attribute - uid User Object Classes - inetOrgPerson, organizationalPerson Connection URL - ldap://ldap:3333 Users DN - dc=entp,dc=abc Authentication Type - single Bind Credential ? 
N/A Custom User LDAP Filter - (uid=user) Search Scope - Subtree Use Truststore SPI - Only for ldaps Connection Pooling - Off Connection Timeout - Read Timeout - 600000 Pagination - Off Allow Kerberos authentication - Off Use Kerberos For Password Authentication - Off Batch Size - 1000 Periodic Full Sync - Off Periodic Changed Users Sync - Off Cache Policy - DEFAULT From daniel.hammarberg at capgemini.com Thu Mar 29 07:03:52 2018 From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel) Date: Thu, 29 Mar 2018 11:03:52 +0000 Subject: [keycloak-user] Performance In-Reply-To: References: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com> <6b796445-6d4c-c03d-6bde-332060be6c9d@apa.at> <31225E3A2F1E0E43BA9272CBEBDCC68401176112@DE-CM-MBX26.corp.capgemini.com> Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68401183D88@DE-CM-MBX26.corp.capgemini.com> Hi Marian, > How are you importing the users and how long is "too long"? I created my > five million test users using the admin REST API in one overnight run > (even when Keycloak was configured to use the default of 27500 hashing > iterations). I didn't observe any slowdown during the course of that run. At first, we tried using the admin REST API, but as we experienced the bad performance, we turned to using the method described on http://www.keycloak.org/docs/latest/server_admin/index.html#_export_import We have tried several times to run this over night in a system without any users. It runs slower and slower. After around 35000 users it stalls more or less completely. We tried to reduce the number of hashing iterations to one, but that did not do any difference to the import performance. What database are you running? We have a SQL Server database, where the server is shared between several systems. We don't experience much load on the database though, so we have not yet suspected the database to be the problem. 
One interesting finding is that when we try to run the import locally on our laptops, we don't have any performance problems. In that case, we use the H2 database that comes with Keycloak.

Regards
/Daniel

________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825, S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From marko.strukelj at gmail.com Thu Mar 29 08:00:24 2018
From: marko.strukelj at gmail.com (Marko Strukelj)
Date: Thu, 29 Mar 2018 14:00:24 +0200
Subject: [keycloak-user] kcadm.sh - Updating existing LDAP confg.
In-Reply-To:
References:
Message-ID:

The easiest way is to perform this through the Admin Console with developer tools turned on so that you can see what is sent over to the Admin REST API. It is then easy to do the same through kcadm.sh.

On Thu, Mar 29, 2018 at 11:31 AM, Yavuz Selim Polat wrote:
> Hi,
>
> In Keycloak User Federation, I already configured an LDAP with the attributes below. For operational reasons, we are developing a script to be able to operate on users (import, resync etc.) with the LDAP integration.
>
> I found the AdminCLI documentation, and on the Linux side we can perform some operations via "kcadm.sh". My question is, how can I update the yellow highlighted attributes (Users DN and Custom User LDAP Filter) for the existing LDAP config?
>
> If I can update Users DN and add "tuser"
> to the Custom User LDAP Filter attribute successfully via kcadm.sh, I will have a chance to do some user operations anyway. Like I mentioned above, I just need to update the current LDAP configuration. I couldn't find an update operation in the AdminCLI doc.
>
> If you know, please share it with me :)
>
> Regards
>
> Console Display Name - ldap
> Priority - 0
> Import Users - On
> Edit Mode - READ_ONLY
> Sync Registrations - On
> Vendor - On
> Username LDAP attribute - uid
> RDN LDAP attribute - uid
> UUID LDAP attribute - uid
> User Object Classes - inetOrgPerson, organizationalPerson
> Connection URL - ldap://ldap:3333
> Users DN - dc=entp,dc=abc
> Authentication Type - single
> Bind Credential - N/A
> Custom User LDAP Filter - (uid=user)
> Search Scope - Subtree
> Use Truststore SPI - Only for ldaps
> Connection Pooling - Off
> Connection Timeout -
> Read Timeout - 600000
> Pagination - Off
> Allow Kerberos authentication - Off
> Use Kerberos For Password Authentication - Off
> Batch Size - 1000
> Periodic Full Sync - Off
> Periodic Changed Users Sync - Off
> Cache Policy - DEFAULT
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From marian.rainer-harbach at apa.at Thu Mar 29 08:04:33 2018
From: marian.rainer-harbach at apa.at (Rainer-Harbach Marian)
Date: Thu, 29 Mar 2018 14:04:33 +0200
Subject: [keycloak-user] Performance
In-Reply-To: <31225E3A2F1E0E43BA9272CBEBDCC68401183D88@DE-CM-MBX26.corp.capgemini.com>
References: <31225E3A2F1E0E43BA9272CBEBDCC68401175B5F@DE-CM-MBX26.corp.capgemini.com> <6b796445-6d4c-c03d-6bde-332060be6c9d@apa.at> <31225E3A2F1E0E43BA9272CBEBDCC68401176112@DE-CM-MBX26.corp.capgemini.com> <31225E3A2F1E0E43BA9272CBEBDCC68401183D88@DE-CM-MBX26.corp.capgemini.com>
Message-ID: <1a82a443-26e5-36c0-d199-318985ba0737@apa.at>

Hi Daniel,

> What database are you running?
We have a SQL Server database, where the server is shared between several systems. We don't experience much load on the database though, so we have not yet suspected the database to be the problem. We are using Oracle. > One interesting finding is that when we try to run the import locally on our laptops, we don't have any performance problems. In that case, we use the H2 database that comes with Keycloak. One thing you could try is to give Keycloak more memory (Java's Xmx parameter). Other than that I don't really know what to suggest. Best regards, Marian -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3853 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180329/b64cdbe2/attachment.bin From psilva at redhat.com Thu Mar 29 08:07:31 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 29 Mar 2018 09:07:31 -0300 Subject: [keycloak-user] Could not obtain configuration from server In-Reply-To: References: Message-ID: What version of Keycloak are you using ? Perhaps, Keycloak v4 ? If so, you need to make sure your keycloak-authz dependency references the same version. The uma-configuration discovery endpoint changed to uma2-configuration. Regards. Pedro Igor On Thu, Mar 29, 2018 at 4:21 AM, Filip Kozjak wrote: > Hi everyone, > > I am having troubles obtaining access token for my Java EE REST service > from Keycloak. > > I have started Keycloak server at *http://localhost *, > and I can access the admin console at > *http://localhost:8081/auth/admin/master/console/#/realms/demo > .* > > Next, I created a new realm "demo" and registered my REST service there. > I've copied the generated *keycloak.json *to the WEB-INF of my service and > added what was needed to web.xml. This successfully protected my endpoint. 
> My REST service is up and running on http://localhost:8080/.
>
> However, now I want to set up a client that would be authorized to access the protected endpoint. The client is running at http://localhost:9080. Again, it's a Java EE REST service that talks to the protected service. I registered it as OAuth Client in the admin console and again copied the keycloak.json to the resources of my app. I am trying to obtain the access token like this:
>
> AuthzClient authz = AuthzClient.create();
> AccessTokenResponse tokenResponse = authz.obtainAccessToken();
>
> This results in the following error:
>
> java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8081/auth/realms/demo/.well-known/uma-configuration].
>
>     at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:92)
>     at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:60)
>     at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:53)
>     at hr.assecosee.three_ds_2.risk.services.ProxyServiceImpl.invokeRiskLevelApi(ProxyServiceImpl.java:28)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5316)
>     ... 16 more
>
> Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 404 / Not Found
>
> I posted a question about it on StackOverflow too:
> https://stackoverflow.com/questions/49534589/404-not-found-while-requesting-token-from-keycloak
>
> Is there something I am missing?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Thu Mar 29 08:16:07 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 29 Mar 2018 09:16:07 -0300
Subject: [keycloak-user] Authenticating to a client with another client's service account
In-Reply-To: <6D320D40264A8545A9C25EC79DE1E32501ECCCA258@CERNXCHG43.cern.ch>
References: <6D320D40264A8545A9C25EC79DE1E32501ECCC7BD4@CERNXCHG43.cern.ch> <6D320D40264A8545A9C25EC79DE1E32501ECCCA258@CERNXCHG43.cern.ch>
Message-ID:

On Thu, Mar 29, 2018 at 5:50 AM, Paolo Tedesco wrote:
> Hi Marek and Pedro,
>
> Thanks for your answers, I will either try token exchange or just turn off audience verification for the time being, and try to assign roles to the client for access control.
> I think that "resource" is ADFS specific, I could not find mentions of it other than in ADFS documentation.
>
> What do you mean when you say that you will support audience through the scope parameter?
> That the token request should contain something like "scope = client ID of the target resource"?
> Based on the scopes you ask you get the right audience(s).
>
> Thanks,
> Paolo
>
> -----Original Message-----
> From: Marek Posolda
> Sent: Monday, 26 March, 2018 20:35
> To: Pedro Igor Silva ; Paolo Tedesco <Paolo.Tedesco at cern.ch>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Authenticating to a client with another client's service account
>
> Yes, as Pedro mentioned, I hope that better audience support will be available in Keycloak master in the next few weeks (or months), so in some next beta, it should be available.
> JIRA is https://issues.jboss.org/browse/KEYCLOAK-6638 .
>
> Question: This parameter "resource=client_id_of_the_api" seems to be an ADFS specific parameter? Or is it mentioned in some specification? We plan to support better audience support through the "scope" parameter or have it available by default (depends on where the admin defines the protocolMapper for audience).
>
> Thanks,
> Marek
>
> On 26/03/18 14:01, Pedro Igor Silva wrote:
> > This is something we are not doing correctly where access tokens are always created with the client as the audience and not the resource server / target service.
> >
> > Marek can give more insights about this but I think this should be fixed by the work he is doing around Client Scopes.
> >
> > Another alternative is to use token exchange [1].
> >
> > [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
> >
> > Regards.
> > Pedro Igor
> >
> > On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco wrote:
> >
> >> I've found out that the problem was in the audience validation of my API.
> >> The access token I get from keycloak when I authenticate my confidential client has always
> >>
> >> aud = confidential_client_id
> >>
> >> How am I supposed to get a token with a different audience value?
> >> I tried specifying in the POST request to the token endpoint
> >>
> >> resource = client_id_of_the_api
> >>
> >> which works with ADFS 2016, but seems to be ignored by Keycloak.
> >>
> >> Thanks,
> >> Paolo
> >>
> >> -----Original Message-----
> >> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Paolo Tedesco
> >> Sent: Friday, 23 March, 2018 11:11
> >> To: keycloak-user at lists.jboss.org
> >> Subject: [keycloak-user] Authenticating to a client with another client's service account
> >>
> >> Hi all,
> >>
> >> I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials.
> >> I've set the access type of both API and application to "confidential".
> >>
> >> From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters:
> >>
> >> client_id = confidential_client
> >> client_secret =
> >> grant_type = client_credentials
> >>
> >> From this, I obtain a token, that looks like this:
> >> {
> >>   "access_token": "eyJhbG...Z0qmQ"
> >>   // other stuff
> >> }
> >>
> >> Then, I try to call my API with an authentication header with
> >>
> >> Bearer = "eyJhbG...Z0qmQ" (the access_token from the previous step)
> >>
> >> However, this does not seem to work, and the API acts like the user is not authenticated.
> >> Any idea of what I'm doing wrong?
> >>
> >> Thanks,
> >> Paolo
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Manfred.Schenk at iosb.fraunhofer.de Thu Mar 29 08:38:49 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Thu, 29 Mar 2018 12:38:49 +0000
Subject: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
Message-ID:

Hello,

I want to use keycloak for user authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and handle the keycloak communication by myself from within my web application.

Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?

Thanks in advance,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

From uo67113 at gmail.com Thu Mar 29 09:13:47 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Thu, 29 Mar 2018 15:13:47 +0200
Subject: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
In-Reply-To:
References:
Message-ID:

Hello Schenk,

If your Identity Provider "speaks" SAML, you can give a try to http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter. I am testing it for some of our tomcat-based applications and it works out-of-the-box (BTW thanks keycloak folks!).

My deployment descriptor (web.xml) looks like this:

  <filter>
    <filter-name>Keycloak Filter</filter-name>
    <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
    <init-param>
      <param-name>keycloak.config.file</param-name>
      <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/saml</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>

In this way, just playing with the url-patterns of my resources I can make them private or public. E.g.

  <servlet-mapping>
    <servlet-name>SessionExampleServlet</servlet-name>
    <url-pattern>/SessionExample</url-pattern>
    <url-pattern>/secure/SessionExample</url-pattern>
  </servlet-mapping>

Hope it helps,

Luis

2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>:
> Hello,
>
> I want to use keycloak for user authentication in my tomcat based web application.
> But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and handle the keycloak communication by myself from within my web application.
>
> Are there any tutorials or recommendations around for my use case?
> Which (keycloak-)jars do I need for this task?
>
> Thanks in advance,
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Telefon +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From Manfred.Schenk at iosb.fraunhofer.de Thu Mar 29 09:23:39 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Thu, 29 Mar 2018 13:23:39 +0000
Subject: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
In-Reply-To:
References:
Message-ID:

Hello Luis,

Your approach will not work for me: In my setup there is no predefined set of secure and unsecure URLs: there are many URLs which can be accessed without any login and also with login. But the content which is displayed when accessing these URLs depends on whether the user is authenticated or not.
That's the reason why all those filters and valves will not work for me.

My idea is as follows:

When a request comes in, I will check if it contains some token. If yes, the system should try to identify the user using keycloak, otherwise the username is set to anonymous.
In the next step the system checks if the user has sufficient rights for viewing/editing/deleting the entity identified by the requested URL. If the rights are sufficient (even with the anonymous user) all is well, otherwise the system will redirect to the keycloak server to obtain such a token as mentioned above.

But I haven't found any detailed documentation on that use case.

Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

From: Luis Rodríguez Fernández
Sent: Thursday, 29 March 2018 15:13
To: Schenk, Manfred
Subject: Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?

Hello Schenk,

If your Identity Provider "speaks" SAML, you can give a try to http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter.
I am testing it for some of our tomcat-based applications and it works out-of-the-box (BTW thanks keycloak folks!).

My deployment descriptor (web.xml) looks like this:

  <filter>
    <filter-name>Keycloak Filter</filter-name>
    <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
    <init-param>
      <param-name>keycloak.config.file</param-name>
      <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/saml</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping>

In this way, just playing with the url-patterns of my resources I can make them private or public. E.g.

  <servlet-mapping>
    <servlet-name>SessionExampleServlet</servlet-name>
    <url-pattern>/SessionExample</url-pattern>
    <url-pattern>/secure/SessionExample</url-pattern>
  </servlet-mapping>

Hope it helps,

Luis

2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de>:

Hello,

I want to use keycloak for user authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and handle the keycloak communication by myself from within my web application.

Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?

Thanks in advance,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From lahari.guntha at tcs.com Thu Mar 29 09:34:27 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Thu, 29 Mar 2018 13:34:27 +0000
Subject: [keycloak-user] "HTTPS Required"
In-Reply-To: <1522303689399.46974@tcs.com>
References: <1521815127939.49747@tcs.com>, , <1522303689399.46974@tcs.com>
Message-ID: <1522330467401.69975@tcs.com>

Hi,

I am having my keycloak as a container in a VM which is behind a proxy. Only in this case I am getting "HTTPS Required" when accessing it through the "HTTP" port. If the VM is not behind a proxy, then setting "ssl required" to none works fine.
How do I make the extra configuration in this case when my keycloak is behind the proxy?

Thanks and Regards,
Lahari

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
Sent: 29 March 2018 11:38
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] "HTTPS Required"

Hi Simon,

I have followed the docs below:
http://piotrnowicki.com/java/2017/01/09/keycloak-docker-with-ssl-proxy/

According to it I have executed the following commands:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect \
  "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)"

and reloaded the server using the following command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

But still it is showing the same thing, "HTTPS required".

Could you please elaborate the steps to put keycloak behind an nginx proxy?

Thanks and Regards,
lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:50
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] "HTTPS Required"

If I want https I put keycloak behind an nginx proxy.

On Fri, Mar 23, 2018 at 2:25 PM, Lahari Guntha wrote:

Hi All,

I am using Keycloak of version 3.3.0.CR2.
I have launched keycloak as a container in a VM.
Whenever I try to access the "http" port of keycloak, it is showing "HTTPS REQUIRED".
Even setting "Require SSL" to "none" under the Login tab of "Realm Settings" did not help.
Is there any other solution we have to get this problem solved?

Thanks & Regards,
Lahari G

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From filip.kozjak at gmail.com Thu Mar 29 10:20:56 2018
From: filip.kozjak at gmail.com (Filip Kozjak)
Date: Thu, 29 Mar 2018 16:20:56 +0200
Subject: [keycloak-user] Could not obtain configuration from server
In-Reply-To:
References:
Message-ID:

Thank you Pedro, indeed it was a version issue, I was using the older version of Keycloak. However, after resolving this issue I've encountered a new one with always getting a 401 Unauthorized response from the service.
The client code that is calling the service is this:

String accessToken = AuthzClient.create().obtainAccessToken().getToken();
WebTarget target = client.target("url");
MyResponse res = target.request(MediaType.APPLICATION_JSON)
        .header("Authorization", "Bearer " + accessToken)
        .post(Entity.json(body), MyResponse.class); // body: the request payload, not shown in the original post

keycloak.json SERVICE

{
  "realm": "demo",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8780/auth",
  "ssl-required": "external",
  "resource": "risk-assessment-service",
  "confidential-port": 0
}

keycloak.json CLIENT

{
  "realm": "demo",
  "auth-server-url": "http://127.0.0.1:8780/auth",
  "ssl-required": "false",
  "resource": "risk-assessment-client",
  "credentials": {
    "secret": "98f93f5e-e20a-433c-b29a-d3f9cab4bb44"
  },
  "confidential-port": 0
}

Could the problem be something with SSL? Because my service is not available on https:// endpoints? Or is the calling code not correct?

On 29 March 2018 at 14:07, Pedro Igor Silva wrote:
> What version of Keycloak are you using ? Perhaps, Keycloak v4 ?
>
> If so, you need to make sure your keycloak-authz dependency references the same version.
>
> The uma-configuration discovery endpoint changed to uma2-configuration.
>
> Regards.
> Pedro Igor
>
> On Thu, Mar 29, 2018 at 4:21 AM, Filip Kozjak wrote:
>
>> Hi everyone,
>>
>> I am having troubles obtaining an access token for my Java EE REST service from Keycloak.
>>
>> I have started the Keycloak server at http://localhost, and I can access the admin console at http://localhost:8081/auth/admin/master/console/#/realms/demo.
>>
>> Next, I created a new realm "demo" and registered my REST service there. I've copied the generated keycloak.json to the WEB-INF of my service and added what was needed to web.xml. This successfully protected my endpoint.
>> My REST service is up and running on http://localhost:8080/.
>>
>> However, now I want to set up a client that would be authorized to access the protected endpoint.
>> The client is running at http://localhost:9080. Again, it's a Java EE REST service that talks to the protected service. I registered it as OAuth Client in the admin console and again copied the keycloak.json to the resources of my app. I am trying to obtain the access token like this:
>>
>> AuthzClient authz = AuthzClient.create();
>> AccessTokenResponse tokenResponse = authz.obtainAccessToken();
>>
>> This results in the following error:
>>
>> java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8081/auth/realms/demo/.well-known/uma-configuration].
>>
>>     at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:92)
>>     at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:60)
>>     at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:53)
>>     at hr.assecosee.three_ds_2.risk.services.ProxyServiceImpl.invokeRiskLevelApi(ProxyServiceImpl.java:28)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5316)
>>     ... 16 more
>>
>> Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 404 / Not Found
>>
>> I posted a question about it on StackOverflow too:
>> https://stackoverflow.com/questions/49534589/404-not-found-while-requesting-token-from-keycloak
>>
>> Is there something I am missing?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From matthew.broadhead at nbmlaw.co.uk Thu Mar 29 10:28:44 2018
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Thu, 29 Mar 2018 16:28:44 +0200
Subject: [keycloak-user] trigger events
Message-ID: <79d82580-a223-fc6b-0957-a2d1672e38ff@nbmlaw.co.uk>

I was wondering if there is a way to trigger events. Like if a user logs in through facebook it could make an RPC to allow the system to update their photo or something. Or if a user requests a password reset it could mail the admin user and say "xyz requested a password reset".

From manglade at nextoo.fr Thu Mar 29 11:06:53 2018
From: manglade at nextoo.fr (Matthias ANGLADE)
Date: Thu, 29 Mar 2018 17:06:53 +0200
Subject: [keycloak-user] Realm as identity provider
Message-ID:

Hello,

I'm currently working on a use case for which I need to use a realm as an identity provider for other realms. Everything is working fine except that the "realm_access" claim that I originally obtain from the parent realm isn't propagated in the token I finally retrieve. Considering the schema in the relevant section of the docs I guess the child realm forges its own token based on the one received from the parent realm. Anyway, is there any way to concatenate the realm_access claim? So far, I've tried to do it by defining identity provider mappers but without any success.
Yours,

From sinsn_619 at abv.bg Thu Mar 29 11:23:35 2018
From: sinsn_619 at abv.bg (Pedro Pedro)
Date: Thu, 29 Mar 2018 18:23:35 +0300 (EEST)
Subject: [keycloak-user] Single login page for all realms
Message-ID: <321136676.764847.1522337015305.JavaMail.apache@nm81.abv.bg>

Hi,

I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier. Example: user at myTenant.com

Now in keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the tenant in the username.

Is there such behaviour available in keycloak? I tested with v3.4.3 and did not find it, nor do the docs mention any info.

If this is not currently supported, what is the best approach for implementing it? This is the idea I came up with: to extend keycloak login/authentication to be in two steps:

1. user first enters username and clicks continue button
2. the custom logic in keycloak extracts the tenant (realm) from the username and initiates the login request, now that I have the realm
3. realm login page is loaded with username populated (if I pass login_hint=username, the field should be populated)
4. user enters password and clicks login button

What do you guys think of this approach?

I found a thread on the mailing list (that I can't find now...) that discussed the same problem. It was something along the lines of - create a main realm that will "proxy" to the others, but I'm not quite sure how to do that.

Hope to get some insight soon.

Pedro.

From jcain at redhat.com Thu Mar 29 11:31:13 2018
From: jcain at redhat.com (Josh Cain)
Date: Thu, 29 Mar 2018 10:31:13 -0500
Subject: [keycloak-user] Get JWT from Keycloak For a SAML based client
In-Reply-To:
References:
Message-ID: <46f0e422-ae95-c97b-3f13-0f6068561a8c@redhat.com>

What are the back-end systems attempting to authenticate?
If the back-end systems simply need to authenticate the calling client, then the Client Credentials grant is the way to go. If you're attempting to get an OIDC token on behalf of the user after SAML authentication, well that's another story...

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com
IRC: jcain

On 03/28/2018 07:29 AM, Pulkit Gupta wrote:
> Hi Team,
>
> We are using SAML based clients for our applications but we also need a JWT to pass to other systems so that they can also do their validation.
>
> Do we have a straight forward way of getting a JWT Token for a SAML based client from Keycloak.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180329/b682e773/attachment.bin

From uo67113 at gmail.com Thu Mar 29 12:29:28 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Thu, 29 Mar 2018 18:29:28 +0200
Subject: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
In-Reply-To:
References:
Message-ID:

Hello Manfred,

mmm, OK, I see. We have an application that I think matches your scenario: https://phonebook.cern.ch

In this one only one resource is behind a security-constraint, the sign-in link:

/phonebook/secure/sso

This triggers the login request to our identity provider. This one challenges the user, and after authentication the response with the user information is sent back to the application. With this information the application creates the java.security.Principal objects. Then the application's code can make checks like this one:

java.security.Principal principal = request.getUserPrincipal();
if (principal != null) {
    if (request.isUserInRole("THE_ROLE")) {
        .../...
} else{ response.sendError(SC_FORBIDDEN) } } else { .../... } In this way you are relying in the standard servlet specification making your application completely independent of keycloak or any other identiy and access management you use and portable. Afterwards nothing stop you from use the keycloak APIs to get any user data you need. Me, for example, in my applications I get all the user data (e.g. telephonenumber, department) from the org.keycloak.adapters.saml.SamlPrincipal The good and old examples application that comes in any tomcat distribution is a great place to start. On this specific issue you can have a look at $CATALINA_BASE/webapps/examples/jsp/security/protected/index.jsp Hope it helps, Luis 2018-03-29 15:23 GMT+02:00 Schenk, Manfred < Manfred.Schenk at iosb.fraunhofer.de>: > Hello Luis, > > > > Your approach will not work for me: In my setup there is no predefined set > of secure and unsecure URLs: there are many URLs which can be accessed > without any login and also with login. But the content which is displayed > when accessing these URLs depends if the user is authenticated or not. > > That?s the reason why all those filters and valves will not work for me. > > > > > > My idea is as follows: > > > > When a request comes in, I will check if it contains some token. If yes, > the system should try to identify the user using keycloak, otherwise the > username iss et to anonymous. > > In the next step the system checks if the user has sufficient rights for > viewing/editing/deleting the entity identified by the requested URL. If the > rights are sufficient (even with the anonymous user) all as well, otherwise > the system will redirect to the keycloak server to obtain such a token > mentioned above. > > > > But I haven?t found any detailed documentation on that use case. 
>
> Regards,
>
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Telefon +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de
>
> *From:* Luis Rodríguez Fernández
> *Sent:* Thursday, 29 March 2018 15:13
> *To:* Schenk, Manfred
> *Subject:* Re: [keycloak-user] Securing tomcat-based web applications
> without using container-security (i.e. without using filters, constraints
> and valves)?
>
> Hello Schenk,
>
> If your Identity Provider "speaks" SAML, you can give a try to
> http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter.
> I am testing it for some of our tomcat-based applications and it works
> out-of-the-box (BTW thanks keycloak folks!).
>
> My deployment descriptor (web.xml) looks like this:
>
>     <filter>
>         <filter-name>Keycloak Filter</filter-name>
>         <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
>         <init-param>
>             <param-name>keycloak.config.file</param-name>
>             <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
>         </init-param>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>Keycloak Filter</filter-name>
>         <url-pattern>/saml</url-pattern>
>     </filter-mapping>
>
>     <filter-mapping>
>         <filter-name>Keycloak Filter</filter-name>
>         <url-pattern>/secure/*</url-pattern>
>     </filter-mapping>
>
> In this way, just playing with the url-patterns of my resources I can make
> them private or public. E.g.
>
>     <servlet-mapping>
>         <servlet-name>SessionExampleServlet</servlet-name>
>         <url-pattern>/SessionExample</url-pattern>
>         <url-pattern>/secure/SessionExample</url-pattern>
>     </servlet-mapping>
>
> Hope it helps,
>
> Luis
>
> 2018-03-29 14:38 GMT+02:00 Schenk, Manfred fraunhofer.de>:
>
> Hello,
>
> I want to use keycloak for user Authentication in my tomcat based web
> application.
> But since the web application should also be accessible without any login,
> I think I will not be able to use the container-based security and handle
> the keycloak communication by myself from within my web application.
>
> Are there any tutorials or recommendations around for my use case?
> Which (keycloak-)jars do I need for this task?
>
> Thanks in advance,
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Telefon +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From daya.gnanasekaran at gmail.com Thu Mar 29 15:03:57 2018
From: daya.gnanasekaran at gmail.com (Daya Gnanasekaran)
Date: Thu, 29 Mar 2018 19:03:57 +0000
Subject: [keycloak-user] Client vs resource
Message-ID:

I'm planning to use keycloak to secure our product and I have doubts around defining clients and resources.

Our product consists of 4 major components, let's say A, B, C, D, and each component has a set of APIs. Component A interacts with B and C. Component B interacts with C. There can be multiple instances of C connected to B and there can be multiple instances of D connected to C.

The users in an organization can have various roles like admin or read-only user on each component. A user who is an admin for component A can be a read-only user in component B, and the same applies for the various instances of C.

Now I'm stuck at whether to create multiple clients, one per component, or create one client and make each of these components a resource.

Your thoughts?
Daya

From d.moeyersons at vmm.be Fri Mar 30 07:45:55 2018
From: d.moeyersons at vmm.be (David Moeyersons)
Date: Fri, 30 Mar 2018 11:45:55 +0000
Subject: [keycloak-user] Forwarding header fields in the Keycloak Proxy
Message-ID:

Hi,

The following page: http://www.keycloak.org/docs/3.4/server_installation/index.html#header-names-config talks about forwarding header fields to a proxied server using a Keycloak Proxy, but the process on how to forward these fields is described nowhere.

Also the example doesn't contain valid json code:

    {
        "header-names" {
            "keycloak-subject": "MY_SUBJECT"
        }
    }

When I add a colon after "header-names" the Keycloak Proxy seems to accept the statement, but no header fields are forwarded to my end server (except for the realm - WWW-Authenticate: Basic realm="TestRealm").

Is the part about forwarding header fields in the Keycloak Proxy documented somewhere? I don't seem to find anything about it.

Kind regards,

David Moeyersons

Disclaimer: www.vmm.be/disclaimer
Do you already know our newsletter? www.vmm.be/nieuwsbrief

From matthew.broadhead at nbmlaw.co.uk Sat Mar 31 03:55:27 2018
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Sat, 31 Mar 2018 09:55:27 +0200
Subject: [keycloak-user] delete all users
Message-ID: <73e6d686-42ac-49f5-f618-343619314714@nbmlaw.co.uk>

is there a way to flush all of the users from a realm during testing?