From matthew.torres211 at gmail.com Mon Oct 1 02:52:35 2018
From: matthew.torres211 at gmail.com (Matthew Torres)
Date: Mon, 1 Oct 2018 14:52:35 +0800
Subject: [keycloak-user] Keycloak to authorise my REST API from admin console
Message-ID:

Good day!

I'm not sure if I am understanding the usage correctly for Keycloak's authorisation functionality or not.

Suppose I have an Express REST API with thousands of routes and the users are authenticated using Keycloak. After grouping the routes and mapping them to the correct roles, I created a *Resource* in the Keycloak admin dashboard. After creating the resources and defining a URI related to my routes in the field, will it automatically protect my routes when a user accesses them? Or do I need to explicitly assign the role in the middleware of my Express app? Now I know that the latter will work, but I was wondering: since I specified the URI in the resource already, will it not protect my routes?

Example: If I have a resource called *ManageResource* with URIs *​/profile, /create,* etc. mapped with a role-based permission of *HR*, and a user named George having a role of *janitor* accesses the route using a token. Without explicitly defining the roles in the Express app, will it deny George access to the resource?

I know the answer is no, but is there a way for me to protect my routes using only the Keycloak admin dashboard?

*Sincerely,*
*Matthew Aldrin S. Torres*

From K.Buler at adbglobal.com Mon Oct 1 05:20:52 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Mon, 1 Oct 2018 11:20:52 +0200
Subject: [keycloak-user] Wrong error message while IDP integration
Message-ID: <4ddee878-9947-48f1-0d82-5a01f1dcf979@adbglobal.com>

Hi,

I am testing Identity Brokering, so I tried to run two Keycloak instances in version 4.5.0.Final: MAIN and SECOND. SECOND is an Identity Provider for the MAIN instance. Everything is fine until redirecting from SECOND. In the GUI of the MAIN instance I am getting:

We're sorry...
An error occurred, please login again through your application.

In the logs of MAIN:

10:36:11,122 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_code

Which is wrong, because after enabling DEBUG in Wildfly (MAIN) I found that the code is successfully converted into an access_token with the SECOND instance in the request:

POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1

SECOND doesn't log anything.

What is interesting and may be helpful -> a few lines before the WARN/error:

10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the cookies field
10:36:11,120 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Found AUTH_SESSION_ID cookie with value 5edf6c51-d976-4dc5-a64d-c3d748847939.
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
10:36:11,120 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the cookies field
10:36:11,121 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Found AUTH_SESSION_ID cookie with value 5edf6c51-d976-4dc5-a64d-c3d748847939.
10:36:11,122 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
10:36:11,122 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the cookies field
10:36:11,122 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Found AUTH_SESSION_ID cookie with value 5edf6c51-d976-4dc5-a64d-c3d748847939.
10:36:11,122 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-1) Authentication session not found. Trying to restart from cookie.
10:36:11,122 DEBUG [org.keycloak.protocol.RestartLoginCookie] (default task-1) KC_RESTART cookie doesn't exist

Best regards,
Karol

From me at mpouss.in Mon Oct 1 07:27:51 2018
From: me at mpouss.in (Mathieu Poussin)
Date: Mon, 01 Oct 2018 13:27:51 +0200
Subject: [keycloak-user] Add CA certificates for LDAPS ?
Message-ID: <1662f626b66.d913c15131404.552465038631491981@mpouss.in>

Hello.

What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:

- The X509_CA_BUNDLE env variable thing (it's running in a container). I can see the certificates in the JKS store but it looks like they are completely ignored by the app server.
- Added a custom SPI to load a custom JKS store; same, no error at server start but they are completely ignored by the app server.
This is the error I am getting:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 99 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 105 more

Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else worked); would there be a way to do that?

Connecting over LDAP is not an option as this prevents some features from working, like password reset.

Thanks.

From Brian.Brooks at datapath.com Mon Oct 1 11:23:49 2018
From: Brian.Brooks at datapath.com (Brian Brooks (US))
Date: Mon, 1 Oct 2018 15:23:49 +0000
Subject: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK
In-Reply-To:
References:
Message-ID:

Hi Stian,

Is the 'jwt' JWT validation extension/app you used during the DevNation webinar available in github or elsewhere?
I looked around in https://github.com/stianst/devnation-deep-dive and I see it referenced in the README.md but I can't find the source code.

"In a different tab open the [JWT validation extension](http://localhost:8080/auth/realms/demo/jwt). This is a custom extension to Keycloak that allows decoding a token as well as verifying the signature of the token."

https://github.com/stianst/devnation-deep-dive/blame/dadeb5767a4910db2f9a5aac51a69225f909a63d/README.md#LL352-354

Sincerely,
Brian

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Brian Brooks (US)
Sent: Thursday, September 20, 2018 12:48 PM
To: keycloak-user
Subject: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK

This question is for Stian Thorgersen...

I enjoyed your DevNation DEEP DIVE INTO KEYCLOAK webinar today. Great job!

During the webinar, you demonstrated a web app 'jwt' which supported decoding a token. The URL was https://localhost:8080/auth/realms/demo/jwt

Is that jwt token decoder app available in github?

Brian

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Mon Oct 1 11:34:43 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 1 Oct 2018 17:34:43 +0200
Subject: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK
In-Reply-To:
References:
Message-ID:

Hi Brian !

You can find the extension here https://github.com/stianst/keycloak-experimental/tree/master/token-validation

Sebi

On Mon, Oct 1, 2018 at 5:26 PM Brian Brooks (US) wrote:

> Hi Stian,
>
> Is the 'jwt' JWT validation extension/app you used during the DevNation webinar available in github or elsewhere?
>
> I looked around in https://github.com/stianst/devnation-deep-dive and I see it referenced in the README.md but I can't find the source code.
>
> "In a different tab open the [JWT validation extension](http://localhost:8080/auth/realms/demo/jwt). This is a custom extension to Keycloak that allows decoding a token as well as verifying the signature of the token."
>
> https://github.com/stianst/devnation-deep-dive/blame/dadeb5767a4910db2f9a5aac51a69225f909a63d/README.md#LL352-354
>
> Sincerely,
> Brian
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Brian Brooks (US)
> Sent: Thursday, September 20, 2018 12:48 PM
> To: keycloak-user
> Subject: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK
>
> This question is for Stian Thorgersen...
>
> I enjoyed your DevNation DEEP DIVE INTO KEYCLOAK webinar today. Great job!
>
> During the webinar, you demonstrated a web app 'jwt' which supported decoding a token. The URL was https://localhost:8080/auth/realms/demo/jwt
>
> Is that jwt token decoder app available in github?
>
> Brian
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Brian.Brooks at datapath.com Mon Oct 1 11:54:39 2018
From: Brian.Brooks at datapath.com (Brian Brooks (US))
Date: Mon, 1 Oct 2018 15:54:39 +0000
Subject: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK
In-Reply-To:
References:
Message-ID:

Thanks, Sebastien!
For anyone else curious, here's the place in the webinar that shows Stian using this extension:

DevNation Live | A Deep Dive into Keycloak
time 17m:17s
https://youtu.be/ZxpY_zZ52kU?t=1037

Brian Brooks
Sr Software Engineer
Brian.Brooks at datapath.com
Office: +1 678 252 4498
2205 Northmont Pkwy, STE 100
Duluth, GA 30096

From: Sebastien Blanc
Sent: Monday, October 1, 2018 11:35 AM
To: Brian Brooks (US)
Cc: keycloak userlist
Subject: Re: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK

Hi Brian !

You can find the extension here https://github.com/stianst/keycloak-experimental/tree/master/token-validation

Sebi

On Mon, Oct 1, 2018 at 5:26 PM Brian Brooks (US) wrote:

Hi Stian,

Is the 'jwt' JWT validation extension/app you used during the DevNation webinar available in github or elsewhere?

I looked around in https://github.com/stianst/devnation-deep-dive and I see it referenced in the README.md but I can't find the source code.

"In a different tab open the [JWT validation extension](http://localhost:8080/auth/realms/demo/jwt). This is a custom extension to Keycloak that allows decoding a token as well as verifying the signature of the token."

https://github.com/stianst/devnation-deep-dive/blame/dadeb5767a4910db2f9a5aac51a69225f909a63d/README.md#LL352-354

Sincerely,
Brian

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Brian Brooks (US)
Sent: Thursday, September 20, 2018 12:48 PM
To: keycloak-user
Subject: [keycloak-user] Link for Token Decoder jwt Demo? - From DevNation DEEP DIVE INTO KEYCLOAK

This question is for Stian Thorgersen...

I enjoyed your DevNation DEEP DIVE INTO KEYCLOAK webinar today. Great job!

During the webinar, you demonstrated a web app 'jwt' which supported decoding a token. The URL was https://localhost:8080/auth/realms/demo/jwt

Is that jwt token decoder app available in github?

Brian

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Oct 1 14:14:22 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Oct 2018 20:14:22 +0200
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <1662f626b66.d913c15131404.552465038631491981@mpouss.in>
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in>
Message-ID: <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com>

You can configure the Truststore SPI, which is mentioned in our docs here: https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore

Some additional notes around LDAP are here: https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl

Marek

On 01/10/18 13:27, Mathieu Poussin wrote:
> Hello.
>
> What would be the recommended way to add custom CA certificates?
> The documentation has a lot of different ways and so far none of them worked:
>
> - The X509_CA_BUNDLE env variable thing (it's running in a container). I can see the certificates in the JKS store but it looks like they are completely ignored by the app server.
> - Added a custom SPI to load a custom JKS store; same, no error at server start but they are completely ignored by the app server.
>
> This is the error I am getting:
>
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>     at sun.security.validator.Validator.validate(Validator.java:262)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>     ... 99 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>     ... 105 more
>
> Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else worked); would there be a way to do that?
> Connecting over LDAP is not an option as this prevents some features from working, like password reset.
>
> Thanks.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Niranjan.Tungatkar at arris.com Mon Oct 1 15:48:58 2018
From: Niranjan.Tungatkar at arris.com (Tungatkar, Niranjan)
Date: Mon, 1 Oct 2018 19:48:58 +0000
Subject: [keycloak-user] Disable strict-transport-security header on /auth url
Message-ID:

I have a non-homogeneous set of services (https and http) which use keycloak for authentication. My Keycloak instance supports SSL but the other services are http.

I have an admin user which accesses the https://keycloak-url:31443/auth url for user management.

I disabled the strict transport security header on all the realms, which stops the strict-transport-security header being sent and thus prevents redirection to https.

But my problem is whenever the admin user hits the /auth url it sends the strict-transport-security header, which messes up my angular app.

Is there a way I can configure the response of /auth or the welcome page to stop sending the strict-transport-security header?

Thanks
Niranjan.

From gideonray at gmail.com Mon Oct 1 16:14:06 2018
From: gideonray at gmail.com (Gideon Caranzo)
Date: Mon, 1 Oct 2018 15:14:06 -0500
Subject: [keycloak-user] slow role search
In-Reply-To:
References:
Message-ID:

Do you know a workaround to improve this?

Thanks.

On Thu, Sep 27, 2018 at 12:02 PM Gideon Caranzo wrote:

> Hi,
>
> I'm running Keycloak with 1700 realms and API calls like getting a realm now take a lot of time. I profiled it and found that role checking is causing the issue, particularly *KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set visited)*.
>
> I'm using a user with the "admin" role to call the get realm API. And since I have 1700 realms, the "admin" role now has about 30K composite roles under it. The line below from KeycloakModelUtils.searchFor() will load all 30K composite roles, causing the slow down.
>
> *Set compositeRoles = composite.getComposites();*
>
> Is there a way to avoid this issue? Or is it possible to fix the code such that it will do a database query instead of searching in memory to check if the role exists?
>
> Thank you,
> Gideon

From sthorger at redhat.com Mon Oct 1 18:05:13 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 2 Oct 2018 00:05:13 +0200
Subject: [keycloak-user] Disable strict-transport-security header on /auth url
In-Reply-To:
References:
Message-ID:

You really do need to use https for both Keycloak and your applications, otherwise you have basically no security, especially with token based security. Rather than trying to circumvent this I strongly suggest you enable https everywhere.

On Mon, 1 Oct 2018, 21:57 Tungatkar, Niranjan, wrote:

> I have a non-homogeneous set of services (https and http) which use keycloak for authentication. My Keycloak instance supports SSL but the other services are http.
>
> I have an admin user which accesses the https://keycloak-url:31443/auth url for user management.
>
> I disabled the strict transport security header on all the realms, which stops the strict-transport-security header being sent and thus prevents redirection to https.
>
> But my problem is whenever the admin user hits the /auth url it sends the strict-transport-security header, which messes up my angular app.
>
> Is there a way I can configure the response of /auth or the welcome page to stop sending the strict-transport-security header?
>
> Thanks
> Niranjan.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mwaki011 at gmail.com Mon Oct 1 18:53:42 2018
From: mwaki011 at gmail.com (Mike Wakim)
Date: Mon, 1 Oct 2018 18:53:42 -0400
Subject: [keycloak-user] Problem with "clear_table_on_view_change" JDBC property on 4.4.0 and 4.5.0
Message-ID:

Hello,

We utilize Keycloak with MariaDB. Recently, we have tried working with Keycloak 4.4.0 (and 4.5.0), and we started seeing a new issue that is related to JGROUPS. It seems that Keycloak is not able to recognize the "clear_table_on_view_change" jdbc parameter which we pass, which is related to discovery.

This is the error message that we are seeing:

> 2018-10-01 22:41:31,013 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 50) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee: org.jboss.msc.service.StartException in service org.wildfly.clustering.jgroups.channel.ee: java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:100)
>     at org.wildfly.clustering.service.AsynchronousServiceBuilder.lambda$start$0(AsynchronousServiceBuilder.java:99)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.createProtocol(AbstractProtocolConfigurationBuilder.java:119)
>     at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:102)
>     at org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:98)
>     ... 7 more
> Caused by: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:852)
>     at org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.createProtocol(AbstractProtocolConfigurationBuilder.java:114)
>     ... 9 more
> Caused by: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.jgroups.stack.Protocol.setProperties(Protocol.java:144)
>     at org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.lambda$createProtocol$0(AbstractProtocolConfigurationBuilder.java:108)
>     at org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:850)
>     ... 10 more
>
> 2018-10-01 22:41:31,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "jgroups"),
>     ("channel" => "ee")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.jgroups.channel.ee" => "java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     Caused by: java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     Caused by: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     Caused by: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]"}}

This error does not happen when we use Keycloak 4.2.1.

Our configuration in standalone-ha.xml for the tcp stack is the following:

> java:jboss/datasources/KeycloakDS
> true
> true
> socket-binding="jgroups-tcp-fd"/>
> 5

And we are using the JDBC driver version 2.2.6.

It seems that the clear_table_on_view_change property was removed from JGROUPS without any documentation / explanation. Has anybody faced a similar issue? Any thoughts on how to fix this?

Thanks,
Mike

From rafaelweingartner at gmail.com Mon Oct 1 20:50:28 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Mon, 1 Oct 2018 21:50:28 -0300
Subject: [keycloak-user] Problem to build Keycloak 4.4.0 and 4.5.0.
Message-ID:

Hello Keycloakers,

I have been having some problems building Keycloak 4.4.0 and 4.5.0, and so far I have not been able to understand it.
The error I am having is the following:

> 20:12:00,549 INFO [org.keycloak.testsuite.ssl.TrustStoreEmailTest] [TrustStoreEmailTest] verifyEmailWithSslEnabled() FINISHED
> 20:12:00,554 INFO [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removing test realms after test class
> 20:12:01,451 INFO [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removed realms: test,
> Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 8.545 sec - in org.keycloak.testsuite.ssl.TrustStoreEmailTest
> 20:12:01,477 INFO [org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow] Stopping auth server.
>
> Results :
>
> Failed tests:
>   JavascriptAdapterTest.fragmentInLoginFunction:564->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=iHPVhBI_xGU
>   JavascriptAdapterTest.fragmentInURLTest:551->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=wpm4e1xKPgE
>   JavascriptAdapterTest.implicitFlowTest:229->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=bBq5ixLvMQI
>   JavascriptAdapterTest.loginRequiredAction:326->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=t_17Y5O68es
>   JavascriptAdapterTest.testGetProfile:164->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=V31A0S8OHr4
>   JavascriptAdapterTest.testLoginWithKCLocale:131->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=EN_NUcdVMI4
>   JavascriptAdapterTest.testRefreshToken:143->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=cJg0NsrBK74
>   JavascriptAdapterTest.testRefreshTokenIfUnder30s:152->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=QZE5t54_rXQ
>
> Tests in error:
>   JavascriptAdapterTest.grantBrowserBasedApp:206->lambda$grantBrowserBasedApp$99c597a6$2:206 » Runtime
>   JavascriptAdapterTest.implicitFlowCertEndpoint:283 » WebDriver {"errorMessage"...
>   JavascriptAdapterTest.implicitFlowOnTokenExpireTest:270 » WebDriver {"errorMes...
>   JavascriptAdapterTest.implicitFlowRefreshTokenTest:258 » WebDriver {"errorMess...
>   JavascriptAdapterTest.initializeWithRefreshToken:515 » WebDriver {"errorMessag...
>   JavascriptAdapterTest.initializeWithTimeSkew:480 » WebDriver {"errorMessage":"...
>   JavascriptAdapterTest.initializeWithTokenTest:453 » WebDriver {"errorMessage":...
>   JavascriptAdapterTest.reentrancyCallbackTest:527 »
> WebDriver {"errorMessage":"...
>   JavascriptAdapterTest.testBearerRequest:310 » WebDriver {"errorMessage":"Can't...
>   JavascriptAdapterTest.testCertEndpoint:236 » WebDriver {"errorMessage":"Can't ...
>
> Tests run: 2062, Failures: 8, Errors: 10, Skipped: 195

I have no clues on why this is happening. Does anybody here have any ideas on how to proceed debugging?

The command I am using is the following:

> mvn clean install -Pdistribution

My Maven and Java versions are the following:

> root at f48b9f8e1312:~/keycloak# mvn --version
> Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z)
> Maven home: /root/apache-maven-3.5.4
> Java version: 1.8.0_181, vendor: Oracle Corporation, runtime: /root/jdk1.8.0_181/jre
> Default locale: en_US, platform encoding: ANSI_X3.4-1968
> OS name: "linux", version: "4.4.0-130-generic", arch: "amd64", family: "unix"

The PhantomJS version is:

> root at f48b9f8e1312:~/keycloak# phantomjs --version
> 2.1.1

It is interesting that with the same machine (Java, PhantomJS, and Maven) I am able to build the 4.0.0 version. However, I have not been able to build 4.4.0 at all.

Any help is welcome here :)

--
Rafael Weingärtner

From Sebastian.Schuster at bosch-si.com Tue Oct 2 02:45:57 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS))
Date: Tue, 2 Oct 2018 06:45:57 +0000
Subject: [keycloak-user] Problem with "clear_table_on_view_change" JDBC property on 4.4.0 and 4.5.0
In-Reply-To:
References:
Message-ID:

Hi Mike,

In Keycloak 4.4.0 the JGroups version has changed to 4.0.11. Its new JDBC_PING implementation has only the master node maintain the table instead of every node inserting itself. I assume that's why this "clear_table_on_view_change" property is not needed anymore...

Best regards,
Sebastian

Best regards
Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Mike Wakim
Sent: Tuesday, 2 October 2018 00:54
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Problem with "clear_table_on_view_change" JDBC property on 4.4.0 and 4.5.0

Hello,

We utilize Keycloak with MariaDB. Recently, we have tried working with Keycloak 4.4.0 (and 4.5.0), and we started seeing a new issue that is related to JGROUPS. It seems that Keycloak is not able to recognize the "clear_table_on_view_change" jdbc parameter which we pass, which is related to discovery.

This is the error message that we are seeing:

> 2018-10-01 22:41:31,013 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 50) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee: org.jboss.msc.service.StartException in service org.wildfly.clustering.jgroups.channel.ee: java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:100)
>     at org.wildfly.clustering.service.AsynchronousServiceBuilder.lambda$start$0(AsynchronousServiceBuilder.java:99)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.createProtocol(AbstractProtocolConfigurationBuilder.java:119)
>     at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:102)
>     at org.jboss.as.clustering.jgroups.subsystem.ChannelBuilder.start(ChannelBuilder.java:98)
>     ... 7 more
> Caused by: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:852)
>     at org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.createProtocol(AbstractProtocolConfigurationBuilder.java:114)
>     ... 9 more
> Caused by: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     at org.jgroups.stack.Protocol.setProperties(Protocol.java:144)
>     at org.jboss.as.clustering.jgroups.subsystem.AbstractProtocolConfigurationBuilder.lambda$createProtocol$0(AbstractProtocolConfigurationBuilder.java:108)
>     at org.wildfly.security.manager.WildFlySecurityManager.doUnchecked(WildFlySecurityManager.java:850)
>     ... 10 more
>
> 2018-10-01 22:41:31,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "jgroups"),
>     ("channel" => "ee")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.jgroups.channel.ee" => "java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     Caused by: java.lang.IllegalArgumentException: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     Caused by: java.security.PrivilegedActionException: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]
>     Caused by: java.lang.IllegalArgumentException: Unrecognized JDBC_PING properties: [clear_table_on_view_change]"}}

This error does not happen when we use Keycloak 4.2.1.

Our configuration in standalone-ha.xml for the tcp stack is the following:

> java:jboss/datasources/KeycloakDS
> true
> true
> socket-binding="jgroups-tcp-fd"/>
> 5

And we are using the JDBC driver version 2.2.6.

It seems that the clear_table_on_view_change property was removed from JGROUPS without any documentation / explanation. Has anybody faced a similar issue? Any thoughts on how to fix this?

Thanks,
Mike

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From me at mpouss.in Tue Oct 2 03:58:05 2018
From: me at mpouss.in (Mathieu Poussin)
Date: Tue, 02 Oct 2018 09:58:05 +0200
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> Message-ID: <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> Hello Marek. I've done that already but looks like it is completely ignored. I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin) Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected) Thanks. Mathieu ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda wrote ---- > You can configure the Truststore SPI, which is mentioned in our docs > here: > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore > > Some additional notes around LDAP are here: > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl > > Marek > > > On 01/10/18 13:27, Mathieu Poussin wrote: > > Hello. > > > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked: > > > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server. > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
> > > > This is the error I am getting : > > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) > > at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) > > at sun.security.validator.Validator.validate(Validator.java:262) > > at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > > at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > > at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) > > ... 99 more > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > > at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) > > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) > > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) > > ... 105 more > > > > > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that? > > Connecting over LDAP is not an option as this prevents some features from working, like password reset. > > > > Thanks.
> > > From slaskawi at redhat.com Tue Oct 2 10:14:05 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Tue, 2 Oct 2018 16:14:05 +0200 Subject: [keycloak-user] Keycloak Docker Quickstart In-Reply-To: References: Message-ID: Hey, Indeed, that looks very nice and useful. Going further with Maven Archetype seems like a reasonable thing to do. However, from my personal experience, not many users use it (I guess it's easier to clone a repo these days than to use Maven Archetype Generator). But big +1 from me! Thanks, Sebastian On Tue, Sep 25, 2018 at 2:50 PM Piergiorgio Lucidi < piergiorgiolucidi at gmail.com> wrote: > Hi, > > I have just published a first version of a generic Keycloak SDK based on > Docker fully managed by Maven. I would like to understand if this first > work can be useful for the current Keycloak development. > > I'm also interested to know if there are developers interested in > contributing to this project. > > Article link: > > https://www.open4dev.com/journal/2018/9/25/introducing-the-keycloak-docker-quickstart-sdk > > Github: > https://github.com/OpenPj/keycloak-docker-quickstart > > I'm wondering if this project can be improved as a Maven Archetype with > dynamic parameters for generating components only if needed by developers. > I mean without having all the Maven modules for components that you don't > need to extend or create. > > Please let me know what you think and how this project can be extended to > become more helpful for the overall community. > > Thank you and hope this helps.
> > Cheers, > PJ > > -- > Piergiorgio Lucidi > https://www.open4dev.com > From andreas.lau at outlook.com Tue Oct 2 12:28:44 2018 From: andreas.lau at outlook.com (Andreas Lau) Date: Tue, 2 Oct 2018 16:28:44 +0000 Subject: [keycloak-user] How to bind keycloak context to jsf session Message-ID: Hello, can somebody please explain how I can integrate Keycloak in a JSF application? I am using the wildfly adapter and I configured the login-config of the web.xml to use keycloak. Everything works fine. But now I'd like to access the access token and further get the id-token inside the SessionContext of some Beans. Ideally I would like to bind the Information to the Session. So if the user logs out the keycloak session also gets closed and if he logs in the user infos are provided. I found a project in the keycloak examples https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party-cdi which seems to fill a User-Object at the beginning of the ServletContext and seems to do a logout in keycloak at its destroying. I would like to know if this is a proper way to provide the user information in the secured area of the application. I am not quite sure because the logout technically does not mean that the ServletContext gets destroyed, right? I'm a bit confused, hopefully somebody can provide some help. Thanks in advance. From wyllys.ingersoll at keepertech.com Tue Oct 2 15:51:22 2018 From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll) Date: Tue, 2 Oct 2018 15:51:22 -0400 Subject: [keycloak-user] Public key for verifying JWT? Message-ID: I'm trying to verify a JWT access token from Keycloak using the python jose-jwt library, but cannot seem to get it to succeed. When using the HS512 algorithm, how does one retrieve the key needed to verify the JWT tokens?
The JWT header decodes to something like this: {"alg":"HS512","typ" : "JWT","kid" : "eb31076b-bce6-495a-9a4b-e3210e14b342"}, but I don't see how to get the key associated with the given kid value above. I tried using the "client secret" from the credential section, but that's not working. What am I missing? thanks! From henning.waack at codecentric.de Tue Oct 2 16:29:47 2018 From: henning.waack at codecentric.de (Henning Waack) Date: Tue, 2 Oct 2018 22:29:47 +0200 Subject: [keycloak-user] Deadlock on KC 4.0 with Mysql 5.7 Message-ID: Dear all. Using KC 4.0 with Mysql 5.7 (both not clustered) I get the following Deadlock exception in Wildfly when running a minor load test (in which I create new KC users concurrently): 22:01:24,843 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-87) Uncaught server error: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1700) at org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate(AbstractQueryImpl.java:70) at org.keycloak.models.jpa.UserAdapter.removeAttribute(UserAdapter.java:162) at org.keycloak.models.jpa.UserAdapter.setAttribute(UserAdapter.java:138) at org.keycloak.services.resources.admin.UserResource.updateUserFromRep(UserResource.java:224) at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:121) at sun.reflect.GeneratedMethodAccessor735.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at 
java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2999) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499) at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:50) at org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264) at org.hibernate.internal.SessionImpl.executeUpdate(SessionImpl.java:1356) at org.hibernate.internal.QueryImpl.executeUpdate(QueryImpl.java:102) at org.hibernate.jpa.internal.QueryImpl.internalExecuteUpdate(QueryImpl.java:405) at org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate(AbstractQueryImpl.java:61) ... 
65 more Caused by: java.sql.SQLTransactionRollbackException: (conn=1038) Deadlock found when trying to get lock; try restarting transaction at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:179) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:216) at org.mariadb.jdbc.MariaDbPreparedStatementClient.execute(MariaDbPreparedStatementClient.java:150) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeUpdate(MariaDbPreparedStatementClient.java:183) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 78 more Caused by: java.sql.SQLException: Deadlock found when trying to get lock; try restarting transaction Query is: insert into USER_ATTRIBUTE (NAME, USER_ID, VALUE, ID) values (?, ?, ?, ?), parameters ['systemReferenceId','177a0641-8214-41a5-b919-678f636392cb','fqYtvpMXRs','4a84a120-648e-4003-bca6-4335ddc77c35'] at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:153) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:255) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:209) ... 82 more The respective codes (UserAdapter.java and UserAttributeEntity.java) have not been touched for some time, so I wonder if I have configured Wildfly/Mysql/Keycloak wrongly, or if this is an ill-advised combination (KC 4.x with Mysql 5.7). Any ideas?
Thanks & greetings Henning From sthorger at redhat.com Wed Oct 3 01:30:21 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 3 Oct 2018 07:30:21 +0200 Subject: [keycloak-user] Public key for verifying JWT? In-Reply-To: References: Message-ID: HS* signing algorithms cannot be verified by the client today as it is not using a shared secret, rather a secret only Keycloak knows. You need to pick a different algorithm or use the token introspection endpoint. On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, wrote: > I'm trying to verify a JWT access token from Keycloak using the python > jose-jwt library, but cannot seem to get it to succeed. When using the > HS512 algorithm, how does one retrieve the key needed to verify the JWT > tokens? > > The JWT header decodes to something like this: {"alg":"HS512","typ" : > "JWT","kid" : "eb31076b-bce6-495a-9a4b-e3210e14b342"}, but I don't see how > to get the key associated with the given kid value above. > > I tried using the "client secret" from the credential section, but that's > not working. > > What am I missing? > > thanks! > From testoauth55 at gmail.com Wed Oct 3 02:47:25 2018 From: testoauth55 at gmail.com (Bruce Wings) Date: Wed, 3 Oct 2018 12:17:25 +0530 Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after sometime In-Reply-To: References: Message-ID: Has anyone else come across this issue? On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings wrote: > Steps: > > 1. After obtaining a token from keycloak, I am able to > authenticate/authorize user with this token. > 2. After some time (15-20 minutes), I start receiving *"Failed to enforce > policy decisions"*.
If the same token was valid a few minutes before, > shouldn't I get the "*token expired*" message instead of "*Failed to > enforce policy decisions*"? > > My access token lifespan is set to 8 hours. Still I see this behavior > after just 15-20 minutes. Attached image for token expiry settings: > > > [image: image.png] > From hmlnarik at redhat.com Wed Oct 3 03:45:47 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 3 Oct 2018 09:45:47 +0200 Subject: [keycloak-user] SAML Token contains carriage returns ( ) In-Reply-To: References: Message-ID: Keycloak usually does not add any carriage return entities. What version of keycloak do you use? Have you changed/endorsed any XML processing library? On Mon, Sep 17, 2018 at 6:31 PM Dean Peterson wrote: > Is there a way to remove the carriage returns keycloak uses in the saml > assertion token? This is incompatible with Websphere idAssertion using > keycloak as the Identity provider.
Ex, notice the characters in the > content: > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" > ID="ID_a42073de-3815-4951-8db4-5d07d46dbf75" > IssueInstant="2018-09-17T05:35:29.198Z" Version="2.0"> > http://localhost:8080/auth/realms/unemployment-insurance > xmlns:dsig="http://www.w3.org/2000/09/xmldsig# > "> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 > "> > URI="#ID_a42073de-3815-4951-8db4-5d07d46dbf75"> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature > "> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 > > "> ..... > From hmlnarik at redhat.com Wed Oct 3 03:56:59 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 3 Oct 2018 09:56:59 +0200 Subject: [keycloak-user] SAML RSAKeyValue causing error In-Reply-To: References: Message-ID: Yes, you can set Keycloak not to include KeyInfo via system property picketlink.xmlsig.includeKeyInfo set to false. This is far from ideal though since it affects all clients. Feel free to raise a feature request in JIRA to support this better.
On Wed, Sep 19, 2018 at 7:51 PM Dean Peterson wrote: > I am having trouble using Keycloak as the external provider to our > Websphere Application. I received the following response from IBM support: > > I discussed the issue with our SAML SSO SME. He found in SAML token, > besides X509Certificate, it also contains RSAKeyValue (). > This document states: > > > https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_limitationsofsaml.html > > . > > RSAKeyValue is supported for the KeyInfo element in a Signature. However, > the X.509 certificate is not available when using RSAKeyValue. When the > X.509 certificate is not available to the runtime, the signer of the SAML > Assertion cannot be checked against a truststore. If you want to receive > SAML Assertions that use RSAKeyValue you cannot configure the runtime to > use a truststore. > > . > > Can you config the idP so that it only sends X509 certificate, not RSAKey? > > > Is it possible to remove the RSAKeyValue from the saml token and still send > just the certificate? > From hmlnarik at redhat.com Wed Oct 3 04:04:22 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 3 Oct 2018 10:04:22 +0200 Subject: [keycloak-user] Can KeyCloak support Multi-lateral SAML federation? In-Reply-To: <0B5DA61A-359C-4517-89D1-99CE8D74B567@canarie.ca> References: <0B5DA61A-359C-4517-89D1-99CE8D74B567@canarie.ca> Message-ID: Keycloak server currently has no way to refresh the metadata of other parties in the federation, this functionality would need to be implemented. It looks like rather a good feature though, related to a more narrow usecase of [1]. Feel free to raise a feature request in JIRA. [1] https://issues.jboss.org/browse/KEYCLOAK-4199. On Thu, Aug 30, 2018 at 10:08 PM Chris Phillips wrote: > Hi.
> I'm going through assessing KeyCloak as being able to be an Identity > Provider in a multi-lateral SAML federation context and am seeking insight > from the users and devs involved in KeyCloak. > > For an IdP to be considered interoperable in a multi-lateral SAML trust > federation context, IdPs need to be able to do a base set of functions. > These are some of the critical (but not only) ones: > > * Retrieve, with a configurable frequency (usually hourly), an online > metadata aggregate > * validate the signature on the aggregate > * when signature validity is verified, load all the entities (Identity > Providers/Service Providers) to be trusted or used in trust decisions in > the Identity Provider. > > I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could > be missing something. > > Is anyone using KeyCloak in this manner or are there plans for this > functionality on KeyCloak's technical roadmap? > > Some additional items to decorate my ask for information.. > > To give an idea of scale, the aggregates I want to work with have ~4500 > entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly. > > The list of items important for interoperability can be seen here with the > ones I called out above appearing in section 2.2.1: > https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html > > > I've searched the keycloak-users list a bit and came across the reference > to EntitiesDescriptor which lead me to this issue and code update in > KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to > think that the support for reading in aggregates is not possible and maybe > engineered out of the product itself. Am I right in thinking that? > > > Thoughts and insights welcome.. > > Chris.
> > ___________________________________________________________________________________________ > Chris Phillips > Technical Architect, Canadian Access Federation, CANARIE| > chris.phillips at canarie.ca |GPG: > 0x7F6245580380811D > > From msakho at redhat.com Wed Oct 3 08:15:43 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Wed, 3 Oct 2018 14:15:43 +0200 Subject: [keycloak-user] difference between the x509 Client Certificate authentication and X509 Client Authenticator Message-ID: Hello Everyone, I'm wondering about the difference between the newly released feature X509 Client Authenticator in the 4.3 version and the x509 Client *Certificate* Authentication that has been released for a while. I know that the x509 Client *Certificate* Authentication when enabled will allow user to authenticate upon a client certificate. They then don't need to give a login/password. But I don't see the x509 Client Authentication description somewhere. Any input? Regards, From psilva at redhat.com Wed Oct 3 08:18:27 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 3 Oct 2018 09:18:27 -0300 Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after sometime In-Reply-To: References: Message-ID: Do you have a stacktrace? On Wed, Oct 3, 2018 at 3:50 AM Bruce Wings wrote: > Has anyone else come across this issue? > > On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings > wrote: > > > Steps: > > > > 1. After obtaining a token from keycloak, I am able to > > authenticate/authorize user with this token. > > 2. After some time (15-20 minutes), I start receiving *"Failed to enforce > > policy decisions"*. If the same token was valid a few minutes before, > > shouldn't I get the "*token expired*" message instead of "*Failed to > > enforce policy decisions*"?
> > > > My access token lifespan is set to 8 hours. Still I see this behavior after just 15-20 minutes. Attached image for token expiry settings:
> > > >
> > > > [image: image.png]

From sblanc at redhat.com Wed Oct 3 09:02:59 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 3 Oct 2018 15:02:59 +0200
Subject: [keycloak-user] difference between the x509 Client Certificate authentication and X509 Client Authenticator
In-Reply-To:
References:
Message-ID:

Your confusion is probably around the term "Client". The existing X509 feature was for *user* authentication; the new feature is to authenticate Keycloak *Clients* (meaning an application/service) with an x509 certificate, like we already did with a secret or Signed JWT (https://www.keycloak.org/docs/latest/server_admin/index.html#_client-credentials).

On Wed, Oct 3, 2018 at 2:33 PM Meissa M'baye Sakho wrote:
> Hello Everyone,
> I'm wondering about the difference between the newly released feature X509 Client Authenticator in the 4.3 version and the x509 Client *Certificate* Authentication that has been released for a while.
>
> I know that the x509 Client *Certificate* Authentication, when enabled, will allow users to authenticate with a client certificate. They then don't need to give a login/password.
>
> But I don't see the x509 Client Authentication description anywhere.
>
> Any input?
> Regards,

From msakho at redhat.com Wed Oct 3 09:05:30 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 3 Oct 2018 15:05:30 +0200
Subject: [keycloak-user] difference between the x509 Client Certificate authentication and X509 Client Authenticator
In-Reply-To:
References:
Message-ID:

Sounds clear to me now.
Thank you Sebastien

On Wed 3 Oct 2018 at 15:03, Sebastien Blanc wrote:
> Your confusion is probably around the term "Client". The existing X509 feature was for *user* authentication; the new feature is to authenticate Keycloak *Clients* (meaning an application/service) with an x509 certificate, like we already did with a secret or Signed JWT (https://www.keycloak.org/docs/latest/server_admin/index.html#_client-credentials).
>
> On Wed, Oct 3, 2018 at 2:33 PM Meissa M'baye Sakho wrote:
>
>> Hello Everyone,
>> I'm wondering about the difference between the newly released feature X509 Client Authenticator in the 4.3 version and the x509 Client *Certificate* Authentication that has been released for a while.
>>
>> I know that the x509 Client *Certificate* Authentication, when enabled, will allow users to authenticate with a client certificate. They then don't need to give a login/password.
>>
>> But I don't see the x509 Client Authentication description anywhere.
>>
>> Any input?
>> Regards,

From calebmchenry at gmail.com Wed Oct 3 09:14:37 2018
From: calebmchenry at gmail.com (Caleb McHenry)
Date: Wed, 3 Oct 2018 09:14:37 -0400
Subject: [keycloak-user] Securing a REST API Along Side SAML
Message-ID:

I have a web app that makes REST calls to various servers (all of which I have control of). I have a requirement to secure my web app with SAML using keycloak (which I have been able to do). Now I want to secure my REST APIs.

After doing some digging into the Keycloak docs and the mailing list it appears that I should use the SAML assertion to get an OAuth2 token (since it appears using ECP is ill-advised). My understanding is that I cannot get a username and its roles from Keycloak by giving it a SAML assertion. So does this mean I need to keep track of active sessions and the users and roles they correspond to? This seems like a bad idea to me because it could easily become out of sync with Keycloak.

I understand I can get the username and roles from the initial login assertion, but I would think I would want my REST APIs to verify the requester is who they say they are.

Please correct me if I am overlooking or misunderstanding something. But if anyone has suggestions they would be appreciated.

Thanks,
Caleb

From wyllys.ingersoll at keepertech.com Wed Oct 3 09:46:11 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Wed, 3 Oct 2018 09:46:11 -0400
Subject: [keycloak-user] Public key for verifying JWT?
In-Reply-To:
References:
Message-ID:

Isn't that a rather important bug to be fixed? What's the point of signing something with a key that cannot be shared with the verifiers?
On Wed, Oct 3, 2018 at 1:30 AM Stian Thorgersen wrote:
> HS* signing algorithms cannot be verified by the client today as it is not using a shared secret, rather a secret only Keycloak knows. You need to pick a different algorithm or use the token introspection endpoint.
>
> On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, <wyllys.ingersoll at keepertech.com> wrote:
>
>> I'm trying to verify a JWT access token from Keycloak using the python jose-jwt library, but cannot seem to get it to succeed. When using the HS512 algorithm, how does one retrieve the key needed to verify the JWT tokens?
>>
>> The JWT header decodes to something like this: {"alg":"HS512","typ" : "JWT","kid" : "eb31076b-bce6-495a-9a4b-e3210e14b342"}, but I don't see how to get the key associated with the given kid value above.
>>
>> I tried using the "client secret" from the credential section, but that's not working.
>>
>> What am I missing?
>>
>> thanks!

From markus197224 at gmail.com Wed Oct 3 10:28:41 2018
From: markus197224 at gmail.com (Markus)
Date: Wed, 3 Oct 2018 16:28:41 +0200
Subject: [keycloak-user] Role for managing, but not deleting users in Admin Console
Message-ID:

Hi,

We need to give a user group permission to manage local Keycloak users on certain realms using the Admin Console. When using the manage-users role, the group members are able to manage AND delete users. But they should just be able to manage users or carry out administrative tasks, not to delete users.

How can I achieve this?

Thanks,
--Markus

From rafaelweingartner at gmail.com Wed Oct 3 13:04:15 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Wed, 3 Oct 2018 14:04:15 -0300
Subject: [keycloak-user] Problem to build Keycloak 4.4.0 and 4.5.0.
In-Reply-To:
References:
Message-ID:

Any takers on this issue?

Some more information: I am using a Docker container to execute the build. The 4.0.0.Final is built just fine, but the 4.4.0.Final is not. The container has access to 15GiB of RAM and 4 vCPUs.

Also, I tried looking at the test that is failing, "org.keycloak.testsuite.adapter.javascript.JavascriptAdapterTest.fragmentInLoginFunction()", but I could not understand what it is doing there. Can somebody provide me some clues here?

On Mon, Oct 1, 2018 at 9:50 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> Hello Keycloakers,
>
> I have been having some problems building Keycloak 4.4.0 and 4.5.0, and so far I have not been able to understand it. The error I am having is the following:
>
>> 20:12:00,549 INFO [org.keycloak.testsuite.ssl.TrustStoreEmailTest] [TrustStoreEmailTest] verifyEmailWithSslEnabled() FINISHED
>> 20:12:00,554 INFO [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removing test realms after test class
>> 20:12:01,451 INFO [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removed realms: test,
>> Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 8.545 sec - in org.keycloak.testsuite.ssl.TrustStoreEmailTest
>> 20:12:01,477 INFO [org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow] Stopping auth server.
>> Results : >> Failed tests: >> JavascriptAdapterTest.fragmentInLoginFunction:564->assertOnTestAppUrl:102 >> URL expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=iHPVhBI_xGU >> JavascriptAdapterTest.fragmentInURLTest:551->assertOnTestAppUrl:102 URL >> expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=wpm4e1xKPgE >> JavascriptAdapterTest.implicitFlowTest:229->assertOnTestAppUrl:102 URL >> expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=bBq5ixLvMQI >> JavascriptAdapterTest.loginRequiredAction:326->assertOnTestAppUrl:102 >> URL expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=t_17Y5O68es >> JavascriptAdapterTest.testGetProfile:164->assertOnTestAppUrl:102 URL >> expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=V31A0S8OHr4 >> JavascriptAdapterTest.testLoginWithKCLocale:131->assertOnTestAppUrl:102 >> URL expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=EN_NUcdVMI4 >> 
JavascriptAdapterTest.testRefreshToken:143->assertOnTestAppUrl:102 URL >> expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=cJg0NsrBK74 >> JavascriptAdapterTest.testRefreshTokenIfUnder30s:152->assertOnTestAppUrl:102 >> URL expected to begin with: >> http://localhost:8180/auth/realms/test/testing/javascript/index.html; >> actual URL: >> http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=QZE5t54_rXQ >> Tests in error: >> >> JavascriptAdapterTest.grantBrowserBasedApp:206->lambda$grantBrowserBasedApp$99c597a6$2:206 >> ? Runtime >> JavascriptAdapterTest.implicitFlowCertEndpoint:283 ? WebDriver >> {"errorMessage"... >> JavascriptAdapterTest.implicitFlowOnTokenExpireTest:270 ? WebDriver >> {"errorMes... >> JavascriptAdapterTest.implicitFlowRefreshTokenTest:258 ? WebDriver >> {"errorMess... >> JavascriptAdapterTest.initializeWithRefreshToken:515 ? WebDriver >> {"errorMessag... >> JavascriptAdapterTest.initializeWithTimeSkew:480 ? WebDriver >> {"errorMessage":"... >> JavascriptAdapterTest.initializeWithTokenTest:453 ? WebDriver >> {"errorMessage":... >> JavascriptAdapterTest.reentrancyCallbackTest:527 ? WebDriver >> {"errorMessage":"... >> JavascriptAdapterTest.testBearerRequest:310 ? WebDriver >> {"errorMessage":"Can't... >> JavascriptAdapterTest.testCertEndpoint:236 ? WebDriver >> {"errorMessage":"Can't ... >> Tests run: 2062, Failures: 8, Errors: 10, Skipped: 195 >> > > I have no clues on why this is happening. Does anybody here have any ideas > on how to proceed debugging? 
>
> The command I am using is the following:
>
>> mvn clean install -Pdistribution
>
> My Maven and Java version are the following:
>
>> root at f48b9f8e1312:~/keycloak# mvn --version
>> Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z)
>> Maven home: /root/apache-maven-3.5.4
>> Java version: 1.8.0_181, vendor: Oracle Corporation, runtime: /root/jdk1.8.0_181/jre
>> Default locale: en_US, platform encoding: ANSI_X3.4-1968
>> OS name: "linux", version: "4.4.0-130-generic", arch: "amd64", family: "unix"
>
> The PhantomJS version is:
>
>> root at f48b9f8e1312:~/keycloak# phantomjs --version
>> 2.1.1
>
> It is interesting that with the same machine (Java, PhantomJS, and Maven) I am able to build the 4.0.0 version. However, I have not been able to build 4.4.0 at all.
>
> Any help is welcome here :)
>
> --
> Rafael Weingärtner

--
Rafael Weingärtner

From adesbiaux at vente-privee.com Wed Oct 3 14:29:16 2018
From: adesbiaux at vente-privee.com (Adrien DESBIAUX)
Date: Wed, 3 Oct 2018 18:29:16 +0000
Subject: [keycloak-user] Why no Mapper Type -> User Client Role with SAML clients?
Message-ID:

Hi there,

It may have been asked already, but I cannot find it in the keycloak-user email history and threads.

So, I was wondering why it is not possible to have a mapper of type "User Client Role" with a SAML client. Only "Role list" is available, but then it also includes realm roles, which is a bit noisy.

Thank you in advance for your time replying to this email.

Cheers!

From Brian.Brooks at datapath.com Wed Oct 3 16:56:34 2018
From: Brian.Brooks at datapath.com (Brian Brooks (US))
Date: Wed, 3 Oct 2018 20:56:34 +0000
Subject: [keycloak-user] Add Display Name in Client Authorization Resources and Scopes Pages
Message-ID:

Are there any plans to add the Display Name column to the client authorization "Resources" page and "Authorization Scopes" page? Right now, when the Display Name is set, it doesn't seem to be used for anything.
We'd like our customers to have a "friendly" Display Name while we set the resource "Name" and scope "Name" fields to more programmatic-oriented identifiers.

Is there an existing JIRA requesting this change? I saw this mailing list post that seems to be related:

"On Fri Nov 3 03:37:27 EDT 2017, Stian Thorgersen wrote:
> BTW, Why do you display the "name" value on the screen instead of the display name value? Not a critical issue, but a noted quirk.

Probably just wasn't updated when we added display name field as originally we only had the name. JIRA/PR welcome ;)"
http://lists.jboss.org/pipermail/keycloak-user/2017-November/012164.html

Brian Brooks
Sr Software Engineer
Brian.Brooks at datapath.com
Office: +1 678 252 4498
2205 Northmont Pkwy, STE 100
Duluth, GA 30096

From christoph_john at gmx.de Wed Oct 3 19:22:04 2018
From: christoph_john at gmx.de (Christoph John)
Date: Thu, 4 Oct 2018 01:22:04 +0200
Subject: [keycloak-user] Deploying Keycloak with a Mysql database in Openshift Origin fails
Message-ID:

Hello together,

I am trying to get keycloak up and running with a mysql database in Openshift Origin (3.10) without success. As I have no idea anymore what could go wrong, I hope someone on the list can give me a helpful hint.
So far I tried the following:

- The template from keycloak/openshift-examples/keycloak-https.json. Unfortunately, it does not work for me. To my understanding, when the keycloak pod is deployed, it does not find the mysql database and therefore fails, see attached log file. Unfortunately, I am quite new to openshift and have not understood yet how the service discovery in Openshift works. When attaching a bash to the deployed keycloak pod, I can find the correct IP address of the mysql database service, for example in MYSQL_PORT=tcp://172.30.228.24:3306 . I have attached the full list of environment variables as well.

I also had a look into the keycloak sources. Under keycloak/server/tools/cli/databases/mysql/change-database.cl I have found the following line:

/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mysql)

But I have not understood yet from where the variable ${env.DB_ADDR:mysql} should come. At least I do not find a DB_ADDR field in my environment.

- My second attempt was therefore to use the container "jboss/keycloak-openshift" from Dockerhub with Docker directly, in the hope of getting more reasonable debugging information from the docker logs. For the mysql container I used the same container as is deployed from the mysql 5.7 template in Openshift. In both of the previous setups I manually configured a keycloak database schema and granted privileges to the relevant user. With the following command line I got keycloak up and running smoothly.
docker run -d --name keycloak --net keycloak-network -e KEYCLOAK_USER=user -e KEYCLOAK_PASSWORD=pwd -e DB_VENDOR=MYSQL -e DB_ADDR=mysql -e DB_DATABASE=keycloak -e DB_USER=user -e DB_PASSWORD=pwd -e JDBC_PARAMS='useSSL=false' -p 8443:8443 jboss/keycloak-openshift start-keycloak.sh

I also checked the command line described on GitHub with the --link option mysql:mysql. This does also work.

Back in Openshift I tried to deploy Keycloak manually (Add to Project / Deploy Image) and added the same environment variables (different variants with and without DB_ADDR) as in the above command line. Unfortunately, I still do not get things up and running. Still keycloak does not find the database on deployment. I do not know how I have to specify the DB_ADDR environment variable correctly, or how I have to connect keycloak with the mysql service object alternatively. If I bind the service via its secret, I do not get a DB_ADDR environment variable at all. The closest thing to it is an environment variable called uri=mysql://172.30.228.24:3306 .

Would be great if someone could give me a hint here, what I am doing wrong, and how I could get keycloak up and running with a mysql database in Openshift Origin?

Thanks a lot for your help.

Best regards,
Christoph

---------------------------
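On the question above of where ${env.DB_ADDR:mysql} comes from: it is a WildFly expression, and the text after the colon is the default used when DB_ADDR is not set in the process environment. The following is an added example, not code from the thread, from Keycloak or from the jboss/keycloak image; it expands the quoted connection-url against a process environment the way WildFly does and flags a result the MySQL driver cannot use. It assumes (inferred from the startup warning the image prints that MYSQL_PORT is deprecated in favour of DB_PORT) that the entrypoint copies a legacy MYSQL_PORT value into DB_PORT; the sample environments are constructed from values quoted in the thread.

```python
"""Expand the KeycloakDS connection-url the way the WildFly CLI script does.

Added example for the thread above; not code from Keycloak or the jboss/keycloak
image. Sample environments are constructed from values quoted in the thread.
"""
import re
from typing import Dict, List, Mapping

# The connection-url expression quoted from the MySQL change-database CLI script.
CONNECTION_URL = (
    "jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}"
    "/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}"
)

# WildFly expression syntax: ${env.NAME:default}. The part after the colon is the
# fallback used when NAME is unset or empty, so ${env.DB_ADDR:mysql} reads
# "DB_ADDR, or the host name 'mysql' when no DB_ADDR is in the environment".
_EXPR = re.compile(r"\$\{env\.([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

# ASSUMPTION: the jboss/keycloak entrypoint also accepts the legacy MYSQL_PORT
# name and copies it into DB_PORT when DB_PORT is unset (inferred from the
# "MYSQL_PORT variable name is DEPRECATED replace with DB_PORT" warning the
# image prints at startup, not read from the image). Kubernetes/OpenShift
# injects MYSQL_PORT=tcp://<ip>:3306 for a Service named "mysql", so the names
# collide.
LEGACY_ALIASES = {"MYSQL_PORT": "DB_PORT"}


def effective_env(env: Mapping[str, str]) -> Dict[str, str]:
    """Apply the assumed legacy-name aliasing before the CLI expressions expand."""
    out = dict(env)
    for legacy, current in LEGACY_ALIASES.items():
        if out.get(legacy) and not out.get(current):
            out[current] = out[legacy]
    return out


def expand(expr: str, env: Mapping[str, str]) -> str:
    """Expand every ${env.NAME:default} expression in expr against env."""
    def _sub(match):
        name, default = match.group(1), match.group(2)
        if env.get(name):
            return env[name]
        if default is not None:
            return default
        return match.group(0)  # no value, no default: WildFly would reject the script
    return _EXPR.sub(_sub, expr)


def connection_url(env: Mapping[str, str]) -> str:
    """The JDBC URL the datasource would be created with for this pod environment."""
    return expand(CONNECTION_URL, effective_env(env))


_WELL_FORMED = re.compile(
    r"^jdbc:mysql://([A-Za-z0-9.-]+):(\d{1,5})/([A-Za-z0-9_]+)(\?.*)?$"
)


def check_url(url: str) -> List[str]:
    """Problems the MySQL driver would hit with this URL; empty means it parses."""
    if _WELL_FORMED.match(url):
        return []
    problems: List[str] = []
    rest = url.split("://", 1)[-1]          # strip the jdbc:mysql:// scheme
    host, _, tail = rest.partition(":")     # host, then port/database
    port = tail.rsplit("/", 1)[0]
    if not port.isdigit():
        problems.append(
            f"port '{port}' is not numeric; check what DB_PORT (or legacy MYSQL_PORT) holds"
        )
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        problems.append(f"host '{host}' is not a plain host name")
    if not problems:
        problems.append(f"URL '{url}' is malformed")
    return problems


# Constructed from the docker run command line in the thread (which works).
DOCKER_ENV = {"DB_VENDOR": "MYSQL", "DB_ADDR": "mysql", "DB_DATABASE": "keycloak"}

# Constructed from the Service variables OpenShift injects into the keycloak pod
# (the MYSQL_PORT value is the one quoted in the thread); no DB_ADDR is set.
OPENSHIFT_POD_ENV = {
    "DB_VENDOR": "MYSQL",
    "MYSQL_SERVICE_HOST": "172.30.228.24",
    "MYSQL_SERVICE_PORT": "3306",
    "MYSQL_PORT": "tcp://172.30.228.24:3306",
}

if __name__ == "__main__":
    for label, env in (("docker", DOCKER_ENV), ("openshift pod", OPENSHIFT_POD_ENV)):
        url = connection_url(env)
        print(f"{label}: {url}")
        for problem in check_url(url):
            print(f"  problem: {problem}")
```

Run it against the output of `env` inside the failing pod to see the URL the datasource is actually built with; a non-numeric port points at the injected Service variables rather than at the CLI script.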
Environment variables from keycloak pod whose deployment fails

//////////////////////////////////////////////////////////////////////////////////////////////////////

Log output from the failing keycloak pod
[10.128.1.109:55200] 22:47:00,412 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: Channel ejb local address is keycloak-2-6gtkj, physical addresses are [10.128.1.109:55200] 22:47:00,416 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-2-6gtkj, physical addresses are [10.128.1.109:55200] 22:47:00,461 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is keycloak-2-6gtkj, physical addresses are [10.128.1.109:55200] 22:47:00,415 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-4) ISPN000128: Infinispan version: Infinispan 'Gaina' 9.2.4.Final 22:47:01,446 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0002: Started keys cache from keycloak container 22:47:01,531 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0002: Started users cache from keycloak container 22:47:01,532 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0002: Started realms cache from keycloak container 22:47:01,533 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started authorization cache from keycloak container 22:47:01,692 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started actionTokens cache from keycloak container 22:47:01,698 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started offlineSessions cache from keycloak container 22:47:01,703 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started offlineClientSessions cache from keycloak container 22:47:01,707 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started 
clientSessions cache from keycloak container 22:47:01,717 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started work cache from keycloak container 22:47:01,720 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started sessions cache from keycloak container 22:47:01,723 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started client-mappings cache from ejb container 22:47:01,736 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started authenticationSessions cache from keycloak container 22:47:01,737 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started loginFailures cache from keycloak container 22:47:03,105 INFO [org.keycloak.services] (ServerService Thread Pool -- 50) KC-SERVICES0001: Loading config from standalone.xml or domain.xml 22:47:04,201 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started realmRevisions cache from keycloak container 22:47:04,214 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started userRevisions cache from keycloak container 22:47:04,263 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container 22:47:04,268 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 50) Node name: keycloak-2-6gtkj, Site name: null 22:47:05,132 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 50) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection at 
org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at 
org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at 
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at 
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'. at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) at com.mysql.jdbc.Util.getInstance(Util.java:408) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861) at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) ... 55 more Caused by: java.lang.NumberFormatException: For input string: "tcp:" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) at java.lang.Integer.parseInt(Integer.java:580) at java.lang.Integer.parseInt(Integer.java:615) at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825) at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330) ... 
56 more 22:47:05,168 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal 22:47:05,177 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 50) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 8 more Caused by: java.lang.RuntimeException: Failed to connect to database at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 
31 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) ... 43 more Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 
45 more Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) ... 48 more Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'. 
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) at com.mysql.jdbc.Util.getInstance(Util.java:408) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861) at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) ... 55 more Caused by: java.lang.NumberFormatException: For input string: "tcp:" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) at java.lang.Integer.parseInt(Integer.java:580) at java.lang.Integer.parseInt(Integer.java:615) at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825) at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330) ... 
56 more 22:47:05,250 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000080: Disconnecting JGroups channel ejb 22:47:05,253 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000080: Disconnecting JGroups channel ejb 22:47:05,254 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000080: Disconnecting JGroups channel ejb 22:47:05,279 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS] 22:47:05,283 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0008: Undertow AJP listener ajp suspending 22:47:05,284 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending 22:47:05,290 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 55) MODCLUSTER000002: Initiating mod_cluster shutdown 22:47:05,313 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-6) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] 22:47:05,313 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0019: Stopped Driver service with driver-name = mysql 22:47:05,315 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443 22:47:05,320 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0007: Undertow AJP listener ajp stopped, was bound to 0.0.0.0:8009 22:47:05,340 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0019: Host default-host stopping 22:47:05,348 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0019: Stopped Driver service with driver-name = h2 22:47:05,364 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped offlineSessions cache from 
keycloak container 22:47:05,373 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped realms cache from keycloak container 22:47:05,378 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak container 22:47:05,379 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped authorization cache from keycloak container 22:47:05,384 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped keys cache from keycloak container 22:47:05,391 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped client-mappings cache from ejb container 22:47:05,392 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000080: Disconnecting JGroups channel ejb 22:47:05,400 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0008: Undertow HTTP listener default suspending 22:47:05,401 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0003: Stopped work cache from keycloak container 22:47:05,403 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped sessions cache from keycloak container 22:47:05,404 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080 22:47:05,407 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container 22:47:05,407 INFO [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0004: Undertow 2.0.9.Final stopping 22:47:05,407 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container 22:47:05,409 INFO 
[org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0003: Stopped actionTokens cache from keycloak container 22:47:05,413 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped clientSessions cache from keycloak container 22:47:05,415 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped loginFailures cache from keycloak container 22:47:05,440 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-5) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container 22:47:05,450 INFO [org.jboss.as.server.deployment] (MSC service thread 1-6) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 277ms 22:47:05,454 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-5) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container 22:47:05,466 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-5) WFLYCLINF0003: Stopped userRevisions cache from keycloak container 22:47:05,467 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000080: Disconnecting JGroups channel ejb From Kevin.Fox at pnnl.gov Wed Oct 3 19:35:40 2018 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Wed, 3 Oct 2018 23:35:40 +0000 Subject: [keycloak-user] Keycloak and Kubernetes Message-ID: <1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov> I saw in the most recent CNCF TOC meeting notes, that there is a good amount of Kubernetes/OpenShift based Keycloak deployments. How are these being done? The example demo youtube link looks to just be kubectling stuff. What is the recommended way to do this? Is the helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way? 
Thanks,
Kevin

From Tom.Mandera at ngc.com Wed Oct 3 20:39:52 2018
From: Tom.Mandera at ngc.com (Mandera, Thomas [US] (TS))
Date: Thu, 4 Oct 2018 00:39:52 +0000
Subject: [keycloak-user] Client Adapter and Clock Skew
Message-ID:

I am using the Keycloak client adapter (Tomcat Valve) with Shibboleth as the IdP. I have been encountering problems which I believe relate to clock skew, which I'm unable to resolve externally (no amount of clock syncing between the IdP and the SP has been consistently good enough to avoid periodic problems, and I have limited ability to make further configuration changes).

Shibboleth sends the NOT-BEFORE time in the payload, and the Keycloak adapter dutifully honors that. Occasionally the assertion arrives and the SP's clock is before the token is valid, and the user/token is rejected. I believe this is in the order of several milliseconds, but even 1ms is enough for the Keycloak client to reject the assertion.

KEYCLOAK-4538 corrected this problem, but only for the JsonClient.

In 4.4.0, org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil.hasExpired() makes the call to XMLTimeUtil.isValid. There is an alternate hasExpired() that takes in "clockSkewInMillis", but I don't see anything that calls that routine. (org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler makes the call to AssertionUtil.hasExpired().)

Am I missing where/how to configure the allowable clock skew for the client?

If I'm not, then I propose adding the clockSkewInMillis as an attribute to the IDP configuration in keycloak-saml.xml by adding to the XSD (should the XSD version number increment from 1.9 to 2.0 along the way?), adding it to the IDP object that represents the IDP configuration, and then, within AbstractSamlAuthenticationHandler, we can retrieve the clockSkewInMillis from the SamlDeployment deployment object and make the appropriate call (or, as I think the latest revisions with 4.5.0 do, initialize the allowable skew to 0 and update it when necessary - but I believe 4.5.0 still doesn't provide me with a method to SET the allowable clock skew).

Am I correct in my understanding that there is not currently a means to configure the allowable clock-skew-in-millis for the Tomcat (and others?) SAML client?

Thank you,
-Tom

From testoauth55 at gmail.com Thu Oct 4 00:20:27 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 4 Oct 2018 09:50:27 +0530
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after some time
In-Reply-To:
References:
Message-ID:

Yes. Please find below:

2018-10-04 09:48:43,985 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-3) Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token.
    at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139)
    at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:349)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:153)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1143)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
    at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
    at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:121)
    ... 65 more

On Wed, Oct 3, 2018 at 5:48 PM Pedro Igor Silva wrote:
> Do you have a stacktrace?
>
> On Wed, Oct 3, 2018 at 3:50 AM Bruce Wings wrote:
>
>> Has anyone else come across this issue?
>>
>> On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings wrote:
>>
>> > Steps:
>> >
>> > 1. After obtaining a token from keycloak, I am able to authenticate/authorize user with this token.
>> > 2. After some time (15-20 minutes), I start receiving *"Failed to enforce policy decisions"*. If the same token was valid a few minutes before, shouldn't I get the "*token expired*" message instead of "*Failed to enforce policy decisions*"?
>> >
>> > My access token lifespan is set to 8 hours. Still I see this behavior after just 15-20 minutes.
>> > Attached image for token expiry settings:
>> >
>> > [image: image.png]
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From spam at kukrilabs.com Thu Oct 4 03:01:54 2018
From: spam at kukrilabs.com (Ewan)
Date: Thu, 04 Oct 2018 09:01:54 +0200
Subject: [keycloak-user] keycloak-user Digest, Vol 58, Issue 8
In-Reply-To:
References:
Message-ID: <1538636514.86095.1530285416.50041401@webmail.messagingengine.com>

Hi Christoph,

Some (hopefully) useful clarifications and explanations for you:

* The syntax `${env.DB_ADDR:mysql}` will look for the environment variable `DB_ADDR`, falling back to `mysql` if this is not set.
* Services in Openshift have their own internal DNS of the format `..svc.cluster.local`, with `..svc.cluster.local` being a default search domain inside the container. Therefore, using the default `mysql` from the above, if you have a service called `mysql` and no DB_ADDR set this should not be a problem.
* Judging by the actual error `Caused by: java.lang.NumberFormatException: For input string: "tcp:` I would suggest that one environment variable is causing a conflict by prepending `tcp:`.
* I see a warning `WARNING: MYSQL_PORT variable name is DEPRECATED replace with DB_PORT` in your startup log and the corresponding value `MYSQL_PORT=tcp://172.30.228.24:3306` in your environment variables. I believe this is causing a problem.
* Digging into the startup script, I think I have seen the issue, which comes from this section in the docker entry point: https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/docker-entrypoint.sh#L109
* Because the service is called `mysql`, which creates an environment variable `MYSQL_PORT`, this is being automatically detected and updated to be DB_PORT. Unfortunately this then contains the `tcp:` and is invalid.
* My suggestion to you is the following:
  * Create a new namespace/project in Openshift (to avoid any naming conflicts)
  * Deploy the MySQL template into the new namespace with the name "keycloak-mysql" (change this from the default `mysql` to avoid the environment renaming mentioned above. We will set a value in the deployment config) and database `keycloak`
  * Deploy the `jboss/keycloak-openshift` image into the container with name `keycloak`
  * Update the `keycloak` deployment config and add the environment variables `DB_VENDOR=mysql DB_ADDR=keycloak-mysql` and set the `DB_USER` and `DB_PASSWORD` values to the generated secret variables to have these maintained in a single place.

Hopefully some of the above will help you progress a little.

A useful tip if you are not aware: If you are trying to debug a pod or deployment in Openshift that fails on startup, use `oc debug dc/{{ name_of_deploymentconfig }}` from your command line to start a throwaway container that will not run the entry point script. You can then check some things and try running the startup script yourself (it tells you what command it would have run when you first run the debug command).

Happy Hacking
Ewan

On Thu, Oct 4, 2018, at 1:28 AM, keycloak-user-request at lists.jboss.org wrote:
> Send keycloak-user mailing list submissions to
> keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
> 1.
> Deploying Keycloak with a Mysql database in Openshift Origin
> fails (Christoph John)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 4 Oct 2018 01:22:04 +0200
> From: Christoph John
> Subject: [keycloak-user] Deploying Keycloak with a Mysql database in
> Openshift Origin fails
> To: keycloak-user at lists.jboss.org
> Message-ID:
> Content-Type: text/plain; charset=utf-8
>
> Hello together,
> I am trying to get keycloak up and running with a mysql database in
> Openshift Origin (3.10) without success. As I have no idea anymore what
> could go wrong, I hope someone on the list can give me a helpful hint.
> So far I tried the following:
>
> - The template from keycloak/openshift-examples/keycloak-https.json.
> Unfortunately, it does not work for me. To my understanding, when the
> keycloak pod is deployed, it does not find the mysql database and
> therefore fails, see attached log file. Unfortunately, I am quite new to
> openshift and have not understood yet how the service discovery in
> Openshift works. When attaching a bash to the deployed keycloak pod, I
> can find the correct IP address of the mysql database service, for
> example in MYSQL_PORT=tcp://172.30.228.24:3306. I have attached the full
> list of environment variables as well.
>
> I also had a look into the keycloak sources. Under
> keycloak/server/tools/cli/databases/mysql/change-database.cl I have
> found the following line:
>
> /subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mysql)
>
> But I have not understood yet from where the variable
> ${env.DB_ADDR:mysql} should come. At least I do not find a DB_ADDR field
> in my environment.
>
> - My second attempt was therefore to use the container
> "jboss/keycloak-openshift" from Dockerhub with Docker directly, in the
> hope to get more reasonable debugging information from the docker logs.
> For the mysql container I used the same container as is deployed from
> the mysql 5.7 template in Openshift. In both of the previous setups I
> manually configured a keycloak database scheme and granted privileges to
> the relevant user. With the following command line I got keycloak up and
> running smoothly.
>
> docker run -d --name keycloak --net keycloak-network -e KEYCLOAK_USER=user -e KEYCLOAK_PASSWORD=pwd -e DB_VENDOR=MYSQL -e DB_ADDR=mysql -e DB_DATABASE=keycloak -e DB_USER=user -e DB_PASSWORD=pwd -e JDBC_PARAMS='useSSL=false' -p 8443:8443 jboss/keycloak-openshift start-keycloak.sh
>
> I also checked the command line described on GitHub with the --link
> option mysql:mysql. This does also work.
>
> Back in Openshift I tried to deploy Keycloak manually (Add to Project/
> Deploy Image) and added the same environment variables (different
> variants with and without DB_ADDR) as in the above command line.
> Unfortunately, I still do not get things up and running. Still keycloak
> does not find the database on deployment. I do not know how I have to
> specify the DB_ADDR environment variable correctly or how I have to
> connect keycloak with the mysql service object alternatively. If I bind
> the service via its secret, I do not get a DB_ADDR environment variable
> at all. The closest thing to it is an environment variable called
> uri=mysql://172.30.228.24:3306.
>
> Would be great if someone could give me a hint here, what I am doing
> wrong, and how I could get keycloak up and running with a mysql database
> in Openshift Origin?
>
> Thanks a lot for your help.
>
> Best regards,
>
> Christoph
>
> ---------------------------
> Environment variables from keycloak pod whose deployment fails
>
>
> JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING
> KEYCLOAK_PASSWORD=pwd
> JDBC_MYSQL_VERSION=5.1.46
> HOSTNAME=keycloak-2-6gtkj
> SECURE_KEYCLOAK_SERVICE_PORT=8443
> KUBERNETES_PORT_443_TCP_PORT=443
> KUBERNETES_PORT=tcp://172.30.0.1:443
> TERM=xterm
> SECURE_KEYCLOAK_PORT_8443_TCP=tcp://172.30.25.80:8443
> KEYCLOAK_SERVICE_HOST=172.30.104.119
> LAUNCH_JBOSS_IN_BACKGROUND=1
> KUBERNETES_SERVICE_PORT=443
> KUBERNETES_SERVICE_HOST=172.30.0.1
> KUBERNETES_PORT_53_TCP=tcp://172.30.0.1:53
> JBOSS_HOME=/opt/jboss/keycloak
> JDBC_MARIADB_VERSION=2.2.3
> KUBERNETES_PORT_53_TCP_PORT=53
> KUBERNETES_PORT_53_UDP=udp://172.30.0.1:53
> KUBERNETES_SERVICE_PORT_DNS=53
> KEYCLOAK_PORT=tcp://172.30.104.119:8080
> DB_VENDOR=MYSQL
> MYSQL_PORT_3306_TCP_PORT=3306
> KEYCLOAK_PORT_8080_TCP_PROTO=tcp
> KUBERNETES_PORT_53_TCP_ADDR=172.30.0.1
> MYSQL_PORT_3306_TCP=tcp://172.30.228.24:3306
> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> KUBERNETES_PORT_53_UDP_ADDR=172.30.0.1
> _=/usr/bin/env
> PWD=/opt/jboss
> SECURE_KEYCLOAK_SERVICE_HOST=172.30.25.80
> JAVA_HOME=/usr/lib/jvm/java
> JGROUPS_DISCOVERY_PROPERTIES=keycloak.imsproject.svc.cluster.local
> MYSQL_SERVICE_PORT_MYSQL=3306
> LANG=en_US.UTF-8
> KUBERNETES_PORT_53_UDP_PORT=53
> KEYCLOAK_VERSION=4.5.0.Final
> KEYCLOAK_PORT_8080_TCP_PORT=8080
> SECURE_KEYCLOAK_PORT=tcp://172.30.25.80:8443
> JDBC_POSTGRES_VERSION=42.2.2
> HOME=/
> SHLVL=2
> KEYCLOAK_PORT_8080_TCP=tcp://172.30.104.119:8080
> KUBERNETES_PORT_53_UDP_PROTO=udp
> KUBERNETES_PORT_443_TCP_PROTO=tcp
> KUBERNETES_SERVICE_PORT_HTTPS=443
> MYSQL_PORT_3306_TCP_PROTO=tcp
> KEYCLOAK_SERVICE_PORT=8080
> SECURE_KEYCLOAK_PORT_8443_TCP_PORT=8443
> MYSQL_PORT_3306_TCP_ADDR=172.30.228.24
> MYSQL_SERVICE_PORT=3306
> PROXY_ADDRESS_FORWARDING=false
> KEYCLOAK_PORT_8080_TCP_ADDR=172.30.104.119
> KUBERNETES_SERVICE_PORT_DNS_TCP=53
> KUBERNETES_PORT_53_TCP_PROTO=tcp
> KUBERNETES_PORT_443_TCP_ADDR=172.30.0.1
> KEYCLOAK_USER=IMSUser
> MYSQL_PORT=tcp://172.30.228.24:3306
> KUBERNETES_PORT_443_TCP=tcp://172.30.0.1:443
> SECURE_KEYCLOAK_PORT_8443_TCP_PROTO=tcp
> MYSQL_SERVICE_HOST=172.30.228.24
> SECURE_KEYCLOAK_PORT_8443_TCP_ADDR=172.30.25.80
>
> //////////////////////////////////////////////////////////////////////////////////////////////////////
> Log output from the failing keycloak pod
>
> Added 'IMSUser' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
> -b 0.0.0.0
> WARNING: MYSQL_PORT variable name is DEPRECATED replace with DB_PORT
> =========================================================================
>
> Using MySQL database
>
> =========================================================================
ejb local address is keycloak-2- > 6gtkj, physical addresses are [10.128.1.109:55200] > 22:47:00,412 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-4) ISPN000079: Channel ejb local address is keycloak-2- > 6gtkj, physical addresses are [10.128.1.109:55200] > 22:47:00,416 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000079: Channel ejb local address is keycloak-2- > 6gtkj, physical addresses are [10.128.1.109:55200] > 22:47:00,461 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-3) ISPN000079: Channel ejb local address is keycloak-2- > 6gtkj, physical addresses are [10.128.1.109:55200] > 22:47:00,415 INFO [org.infinispan.factories.GlobalComponentRegistry] > (MSC service thread 1-4) ISPN000128: Infinispan version: Infinispan > 'Gaina' 9.2.4.Final > 22:47:01,446 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 61) WFLYCLINF0002: Started keys cache from keycloak > container > 22:47:01,531 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 59) WFLYCLINF0002: Started users cache from keycloak > container > 22:47:01,532 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 58) WFLYCLINF0002: Started realms cache from keycloak > container > 22:47:01,533 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 54) WFLYCLINF0002: Started authorization cache from > keycloak container > 22:47:01,692 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 57) WFLYCLINF0002: Started actionTokens cache from > keycloak container > 22:47:01,698 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 52) WFLYCLINF0002: Started offlineSessions cache from > keycloak container > 22:47:01,703 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 55) WFLYCLINF0002: Started offlineClientSessions cache > from 
keycloak container > 22:47:01,707 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 60) WFLYCLINF0002: Started clientSessions cache from > keycloak container > 22:47:01,717 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 56) WFLYCLINF0002: Started work cache from keycloak > container > 22:47:01,720 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 51) WFLYCLINF0002: Started sessions cache from keycloak > container > 22:47:01,723 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 62) WFLYCLINF0002: Started client-mappings cache from ejb > container > 22:47:01,736 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0002: Started authenticationSessions cache > from keycloak container > 22:47:01,737 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 53) WFLYCLINF0002: Started loginFailures cache from > keycloak container > 22:47:03,105 INFO [org.keycloak.services] (ServerService Thread Pool -- > 50) KC-SERVICES0001: Loading config from standalone.xml or domain.xml > 22:47:04,201 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0002: Started realmRevisions cache from > keycloak container > 22:47:04,214 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0002: Started userRevisions cache from > keycloak container > 22:47:04,263 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0002: Started authorizationRevisions cache > from keycloak container > 22:47:04,268 INFO > [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] > (ServerService Thread Pool -- 50) Node name: keycloak-2-6gtkj, Site > name: null > 22:47:05,132 WARN > [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] > (ServerService Thread Pool -- 50) IJ000604: Throwable while attempting > to get a new connection: 
null: javax.resource.ResourceException: > IJ031084: Unable to create connection > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) > at > org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) > at > org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) > at > org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) > at > org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) > at > org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) > at > org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) > at > org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) > at > 
org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda > $waitForLock$0(LiquibaseDBLockProvider.java:97) > at > org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) > at org.keycloak.services.resources.KeycloakApplication > $1.run(KeycloakApplication.java:143) > at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) > at > org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > 
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at io.undertow.servlet.core.ManagedServlet > $DefaultInstanceStrategy.start(ManagedServlet.java:300) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) > at io.undertow.servlet.core.DeploymentManagerImpl > $2.call(DeploymentManagerImpl.java:584) > at io.undertow.servlet.core.DeploymentManagerImpl > $2.call(DeploymentManagerImpl.java:555) > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction > $1.call(ServletRequestContextThreadSetupAction.java:42) > at io.undertow.servlet.core.ContextClassLoaderSetupAction > $1.call(ContextClassLoaderSetupAction.java:43) > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda > $create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService > $1.run(UndertowDeploymentService.java:78) > at java.util.concurrent.Executors > $RunnableAdapter.call(Executors.java:511) > at 
java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor > $ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor > $ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.lang.Thread.run(Thread.java:748) > at org.jboss.threads.JBossThread.run(JBossThread.java:485) > Caused by: > com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: > Cannot load connection class because of underlying exception: > 'java.lang.NumberFormatException: For input string: "tcp:"'. > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) > at com.mysql.jdbc.Util.getInstance(Util.java:408) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861) > at > com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338) > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) > ... 
55 more > Caused by: java.lang.NumberFormatException: For input string: "tcp:" > at > java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) > at java.lang.Integer.parseInt(Integer.java:580) > at java.lang.Integer.parseInt(Integer.java:615) > at > com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825) > at > com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330) > ... 56 more > > 22:47:05,168 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server > shutdown has been requested via an OS signal > 22:47:05,177 ERROR [org.jboss.msc.service.fail] (ServerService Thread > Pool -- 50) MSC000001: Failed to start service > jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService > $1.run(UndertowDeploymentService.java:81) > at java.util.concurrent.Executors > $RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor > $ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor > $ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.lang.Thread.run(Thread.java:748) > at org.jboss.threads.JBossThread.run(JBossThread.java:485) > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to > construct public > 
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) > at > org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at io.undertow.servlet.core.ManagedServlet > $DefaultInstanceStrategy.start(ManagedServlet.java:300) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) > at io.undertow.servlet.core.DeploymentManagerImpl > $2.call(DeploymentManagerImpl.java:584) > at io.undertow.servlet.core.DeploymentManagerImpl > $2.call(DeploymentManagerImpl.java:555) > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction > $1.call(ServletRequestContextThreadSetupAction.java:42) > at io.undertow.servlet.core.ContextClassLoaderSetupAction > $1.call(ContextClassLoaderSetupAction.java:43) > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda > $create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > 
$UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService > $UndertowThreadSetupAction.lambda$create > $0(UndertowDeploymentInfoService.java:1514) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService > $1.run(UndertowDeploymentService.java:78) > ... 8 more > Caused by: java.lang.RuntimeException: Failed to connect to database > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda > $waitForLock$0(LiquibaseDBLockProvider.java:97) > at > org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) > at > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) > at org.keycloak.services.resources.KeycloakApplication > $1.run(KeycloakApplication.java:143) > at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > 
at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > ... 31 more > Caused by: java.sql.SQLException: javax.resource.ResourceException: > IJ000453: Unable to get managed connection for > java:jboss/datasources/KeycloakDS > at > org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) > at > org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) > ... 43 more > Caused by: javax.resource.ResourceException: IJ000453: Unable to get > managed connection for java:jboss/datasources/KeycloakDS > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690) > at > org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) > at > org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) > ... 
45 more > Caused by: javax.resource.ResourceException: IJ031084: Unable to create > connection > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) > at > org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) > at > org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) > at > org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) > at > org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) > ... 48 more > Caused by: > com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: > Cannot load connection class because of underlying exception: > 'java.lang.NumberFormatException: For input string: "tcp:"'. 
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) > at com.mysql.jdbc.Util.getInstance(Util.java:408) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861) > at > com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338) > at > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) > ... 55 more > Caused by: java.lang.NumberFormatException: For input string: "tcp:" > at > java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) > at java.lang.Integer.parseInt(Integer.java:580) > at java.lang.Integer.parseInt(Integer.java:615) > at > com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825) > at > com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330) > ... 
56 more > > 22:47:05,250 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000080: Disconnecting JGroups channel ejb > 22:47:05,253 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000080: Disconnecting JGroups channel ejb > 22:47:05,254 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-3) ISPN000080: Disconnecting JGroups channel ejb > 22:47:05,279 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-2) WFLYJCA0010: Unbound data source > [java:jboss/datasources/KeycloakDS] > 22:47:05,283 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-5) WFLYUT0008: Undertow AJP listener ajp suspending > 22:47:05,284 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0008: Undertow HTTPS listener https suspending > 22:47:05,290 INFO [org.jboss.modcluster] (ServerService Thread Pool -- > 55) MODCLUSTER000002: Initiating mod_cluster shutdown > 22:47:05,313 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-6) WFLYJCA0010: Unbound data source > [java:jboss/datasources/ExampleDS] > 22:47:05,313 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-6) WFLYJCA0019: Stopped Driver service with driver-name = mysql > 22:47:05,315 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to > 0.0.0.0:8443 > 22:47:05,320 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-5) WFLYUT0007: Undertow AJP listener ajp stopped, was bound to > 0.0.0.0:8009 > 22:47:05,340 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-5) WFLYUT0019: Host default-host stopping > 22:47:05,348 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-3) WFLYJCA0019: Stopped Driver service with driver-name = h2 > 22:47:05,364 INFO [org.jboss.as.clustering.infinispan] (ServerService > 
Thread Pool -- 52) WFLYCLINF0003: Stopped offlineSessions cache from > keycloak container > 22:47:05,373 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 58) WFLYCLINF0003: Stopped realms cache from keycloak > container > 22:47:05,378 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak > container > 22:47:05,379 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 61) WFLYCLINF0003: Stopped authorization cache from > keycloak container > 22:47:05,384 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 54) WFLYCLINF0003: Stopped keys cache from keycloak > container > 22:47:05,391 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 55) WFLYCLINF0003: Stopped client-mappings cache from ejb > container > 22:47:05,392 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000080: Disconnecting JGroups channel ejb > 22:47:05,400 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-3) WFLYUT0008: Undertow HTTP listener default suspending > 22:47:05,401 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 60) WFLYCLINF0003: Stopped work cache from keycloak > container > 22:47:05,403 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 56) WFLYCLINF0003: Stopped sessions cache from keycloak > container > 22:47:05,404 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-3) WFLYUT0007: Undertow HTTP listener default stopped, was bound to > 0.0.0.0:8080 > 22:47:05,407 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 53) WFLYCLINF0003: Stopped offlineClientSessions cache > from keycloak container > 22:47:05,407 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-6) WFLYUT0004: Undertow 2.0.9.Final stopping > 22:47:05,407 INFO [org.jboss.as.clustering.infinispan] (ServerService > 
Thread Pool -- 57) WFLYCLINF0003: Stopped authenticationSessions cache > from keycloak container > 22:47:05,409 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 62) WFLYCLINF0003: Stopped actionTokens cache from > keycloak container > 22:47:05,413 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 51) WFLYCLINF0003: Stopped clientSessions cache from > keycloak container > 22:47:05,415 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 59) WFLYCLINF0003: Stopped loginFailures cache from > keycloak container > 22:47:05,440 INFO [org.jboss.as.clustering.infinispan] (MSC service > thread 1-5) WFLYCLINF0003: Stopped authorizationRevisions cache from > keycloak container > 22:47:05,450 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-6) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: > keycloak-server.war) in 277ms > 22:47:05,454 INFO [org.jboss.as.clustering.infinispan] (MSC service > thread 1-5) WFLYCLINF0003: Stopped realmRevisions cache from keycloak > container > 22:47:05,466 INFO [org.jboss.as.clustering.infinispan] (MSC service > thread 1-5) WFLYCLINF0003: Stopped userRevisions cache from keycloak > container > 22:47:05,467 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-5) ISPN000080: Disconnecting JGroups channel ejb > > > > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 58, Issue 8 > ******************************************** From graham.burgess at razer.com Thu Oct 4 03:54:50 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Thu, 4 Oct 2018 07:54:50 +0000 Subject: [keycloak-user] Keycloak and Kubernetes In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov> References: 
<1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov>
Message-ID:

I don't know what is recommended; however, I am in the process of using the Helm chart. That said, neither the Helm chart nor the container used currently supports HA, so I am probably going to be "jerry-rigging" something to get that to work based on the work done in both.

Best regards,
Graham Burgess

RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Fox, Kevin M
Sent: Wednesday, October 3, 2018 4:36 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak and Kubernetes

I saw in the most recent CNCF TOC meeting notes that there is a good amount of Kubernetes/OpenShift-based Keycloak deployments. How are these being done? The example demo YouTube link looks to just be kubectl-ing stuff. What is the recommended way to do this? Is the Helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way?
Thanks,
Kevin

From albin.blent at ffcg.se Thu Oct 4 05:25:26 2018
From: albin.blent at ffcg.se (Albin Blent)
Date: Thu, 4 Oct 2018 09:25:26 +0000
Subject: [keycloak-user] Keycloak-js, one React app different clientIds
Message-ID:

Hi,

We are trying to integrate the keycloak-js lib into our React web app. Depending on what page you log in through we want to use different clientIds. The problem is that each time we render the app and create a new instance of the Keycloak object from keycloak-js we need to supply a clientId. Before the user logs in through the Keycloak portal we can figure out what clientId should be used depending on what page the user is coming from, but when redirected back from the Keycloak login portal we can't know.

We have tried to only use the keycloak.init({ onLoad: 'login-required' }) function and just pick a random clientId for the second initialisation of the object, but this does not seem to work when the user first uses one of the clientIds and then the other after the redirect.

We have also tried:

    keycloak.init()
    if (!keycloak.authenticated) {
      keycloak.login({ redirectUri: 'example.com?clientId=' + clientId })
    }

so that we can use the query param of the redirect to know how to initialise the Keycloak object with the right clientId. But here keycloak.authenticated is always false.

Is there a common solution for handling multiple clientIds? Are we using the init() and login() combo wrong?
We are using Keycloak server version 4.3.0.Final and keycloak-js 4.4.0

Best regards
Albin

From sthorger at redhat.com Thu Oct 4 06:53:46 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 4 Oct 2018 12:53:46 +0200
Subject: [keycloak-user] Review for German translation of admin messages
Message-ID:

Can someone please review https://github.com/keycloak/keycloak/pull/5549

From K.Buler at adbglobal.com Thu Oct 4 08:51:32 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Thu, 4 Oct 2018 12:51:32 +0000
Subject: [keycloak-user] Integration with OpenID provider
In-Reply-To:
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com> <92fd3f74-bbde-4407-d0f6-84e64817ad51@adbglobal.com> <3b0f565f-2ea8-3f2b-fdbf-2b038503f407@adbglobal.com>
Message-ID:

I have just tested the 4.5.0.Final version and Keycloak does not send the Authorization header. Keycloak is sending client_id and client_secret. According to the standard (https://tools.ietf.org/html/rfc6749#section-2.3) the authorization server MUST support the Authorization header (HTTP Basic) and MAY support client_id and client_secret in the body. Can I switch the method of authentication between Keycloak and another IDP? If not, this is not compatible with the OAuth/OpenID standards. Please contact me, I can help with the implementation, because I need it ASAP :)

Karol

On 28.09.2018 09:23, Lokesh Ravichandru wrote:

Sure will try and post my findings.

- Lokesh

On Fri, Sep 28, 2018 at 12:51 PM Karol Buler wrote:

Do you have "confidential client"? If so, could you please confirm that Keycloak is sending the Authorization header? Basic from client_id:client_secret.

Karol

On 28.09.2018 09:16, Lokesh Ravichandru wrote:

We are using 4.4.0 version, we faced the same issue because of missing id_token from our Identity broker application connected to keycloak. For trial you can install 4.4.0 version as a test build and attach your identity provider for a test run.

- Lokesh

On Fri, Sep 28, 2018 at 12:42 PM Karol Buler wrote:

Indeed. Structure looks like this:

    {
      "access_token": "",
      "token_type": "",
      "expires_in": int value,
      "refresh_token": "",
      "scope": "",
      "id_token": ""
    }

Karol

On 28.09.2018 09:10, Lokesh Ravichandru wrote:

Just for details, is your Identity broker returning id_token along with the access token?

- Lokesh

On Fri, Sep 28, 2018 at 12:36 PM Karol Buler wrote:

Additional information is that this is 3.4.3.Final Keycloak. Do you know about this problem? Maybe it is fixed in a newer version?

On 25.09.2018 13:01, Karol Buler wrote:
> Hi,
>
> I am trying to add an Identity Broker based on OpenID Connect to my Keycloak. Everything is fine, redirecting to the login page is working, but... there is always a "but" :) I've got an error in Keycloak:
>
> org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
>
> What I found is that Keycloak doesn't send the "Authorization" header in the "code-to-token" request. Is it a bug/feature or am I missing some configuration?
>
> Best regards,
> Karol
>
> adbglobal.com
> This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED.
> Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.

--
Grootan Technologies Private Limited
R-Block, 15th main street Anna nagar, Chennai 600 040
tel +91 97890 24698
mail lokesh.ravichandru at grootan.com | web https://www.grootan.com

From Don.Reynolds at quest.com Thu Oct 4 09:49:31 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Thu, 4 Oct 2018 13:49:31 +0000
Subject: [keycloak-user] Is the Keycloak JavaScript adapter vulnerable to Session fixation?
Message-ID:

Hello,

Using the Keycloak JavaScript adapter (keycloak.js) from an HTML5/Angular application, when the login page is displayed, the response header from the "Auth" endpoint includes a "Set-Cookie: AUTH_SESSION_ID=xxx". Upon successfully logging in, it would appear that the value for the "AUTH_SESSION_ID" remains the same as it was prior to the login.

According to the Keycloak documentation, some of the adapters support changing the session id upon login so that the "AUTH_SESSION_ID" is changed upon login, but this does not look like the case for the JavaScript adapter. I also came across https://issues.jboss.org/browse/KEYCLOAK-4820 which describes how some adapters change the session id upon login, but others do not support it.
Since the JavaScript adapter is not changing the session id upon successful login, it would be my understanding that this would make it vulnerable to Session fixation (https://www.owasp.org/index.php/Session_fixation). Is my understanding correct? If so, is there a way to solve this for the JavaScript adapter (keycloak.js)? If my understanding is not correct, can anyone explain why this would not be considered vulnerable to session fixation?

Thanks in advance for any advice in this area.

Thanks,
Don

From Matt.Penna at intradiem.com Thu Oct 4 09:59:07 2018
From: Matt.Penna at intradiem.com (Matt Penna)
Date: Thu, 4 Oct 2018 13:59:07 +0000
Subject: [keycloak-user] Set Browser Authentication Order
Message-ID:

Hello.

We are currently using Keycloak with Kerberos and SAML browser authentication (both set to ALTERNATIVE). We have a requirement to try SAML authentication first, then try Kerberos. This works properly when attempting from outside the Kerberos domain. When trying inside the domain, Kerberos always wins out. Is it possible to set the authentication order to try SAML first, then Kerberos? I am not sure if this is possible or not with Keycloak, but wanted more info on whether this is possible or not. If it is possible, how would we configure this?

Thanks!!!!

From testoauth55 at gmail.com Thu Oct 4 10:00:37 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 4 Oct 2018 19:30:37 +0530
Subject: [keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
Message-ID:

I have upgraded from keycloak 4.3 to keycloak 4.4. I have exported the realm from 4.3 and imported it in 4.4.

The "policy-enforcer": {} in keycloak.json results in 403 : {"error":"invalid_scope","error_description":"Requires uma_protection scope."}

In keycloak 4.3 everything works fine. I have exported the realm and used it with keycloak 4.4, but the policy-enforcer does not work. Is there some extra step that is needed apart from exporting and importing the json? If I remove the policy-enforcer line the app works fine.

APP code:

    final String KEYCLOAK_JSON = //json path;
    InputStream config = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
    KeycloakInstalled keycloak = new KeycloakInstalled(config);

Stack trace thrown at the time of starting app:

    java.lang.RuntimeException: Could not find resource
    Logged in...
        at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
        at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
        at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
        at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
        at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
        at org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
        at com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
    Caused by: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
        at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
        at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
        at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
        at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
        at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
        ... 7 more
    Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
        at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
        at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
        at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
        at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
        at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
        ... 8 more

From wyllys.ingersoll at keepertech.com Thu Oct 4 10:12:09 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Thu, 4 Oct 2018 10:12:09 -0400
Subject: [keycloak-user] realm templates?
Message-ID:

Does keycloak support the ability to create a "template" of a realm that can be imported to create a new realm (with a new name and description)? The idea is that we want to be able to quickly provision new realms (think: a "realm" per unique organization) without having to recreate the associated clients, roles, scopes, policies, permissions, etc. This will allow us to have all of the supported realms have the same structure and rules, but remain in completely isolated namespaces and have unique users and resource instances.

I have been able to sort-of achieve this using the json created by the "Partial export" (including groups, roles, and clients) and then editing the json to change the name of the realm and remove all of the unique "id" fields to avoid DB conflicts upon import, but that still leaves out the resource authorization settings (though I suppose those can be exported and imported as a 2nd step).
thanks,
Wyllys Ingersoll

From francisco.bermejo.herrera at tecsisa.com Thu Oct 4 10:33:20 2018
From: francisco.bermejo.herrera at tecsisa.com (Francisco José Bermejo Herrera)
Date: Thu, 4 Oct 2018 16:33:20 +0200
Subject: [keycloak-user] Question about application of protocol mappers when requesting an RPT
Message-ID:

Hello,

Why are protocol mappers belonging to the token's Authorized Party (azp) applied when requesting an RPT instead of those belonging to its Audience (aud)? For example, when a Token Exchange is performed, the mappers belonging to the new Audience are applied, not the Authorized Party ones.

Concretely, we have detected that this behavior is being enforced at this line of code: AuthorizationTokenService.java#L248

Is that correct? Shouldn't mappers belonging to the Audience be applied instead?

Thank you in advance!

From Kevin.Fox at pnnl.gov Thu Oct 4 11:40:55 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Thu, 4 Oct 2018 15:40:55 +0000
Subject: [keycloak-user] Keycloak and Kubernetes
In-Reply-To:
References: <1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov>,
Message-ID: <1A3C52DFCD06494D8528644858247BF01C1B3A2F@EX10MBOX03.pnnl.gov>

Ok, cool. Looking at the chart's values file, it implies it does support HA: https://github.com/helm/charts/blob/master/stable/keycloak/values.yaml

It's setting up anti-affinity, overriding a lot of discovery stuff, etc. Out of the box, it's pointing at jboss/keycloak:4.2.1.Final though for an image. That seems wrong. Did the HA stuff merge into the non-HA image? Have there been any changes that would make the chart incompatible with newer versions? Has anyone ever tried upgrading with the chart?

Thanks,
Kevin
________________________________________
From: Graham Burgess [graham.burgess at razer.com]
Sent: Thursday, October 04, 2018 12:54 AM
To: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: RE: Keycloak and Kubernetes

I don't know what is recommended, however I am in the process of using the Helm chart. That said, neither the Helm chart nor the container used currently supports HA, so I am going to be probably "jerry rigging" something to get that to work based on the work done in both.

Best regards,
Graham Burgess

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Fox, Kevin M
Sent: Wednesday, October 3, 2018 4:36 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak and Kubernetes

I saw in the most recent CNCF TOC meeting notes that there is a good amount of Kubernetes/OpenShift based Keycloak deployments. How are these being done? The example demo YouTube link looks to just be kubectling stuff. What is the recommended way to do this? Is the helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way?

Thanks,
Kevin

From Kevin.Fox at pnnl.gov Thu Oct 4 11:45:57 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Thu, 4 Oct 2018 15:45:57 +0000
Subject: [keycloak-user] Keycloak and Kubernetes
In-Reply-To:
References: <1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov>,
Message-ID: <1A3C52DFCD06494D8528644858247BF01C1B3A52@EX10MBOX03.pnnl.gov>

Oh, and the upstream charts developers seem pretty open to contributions. So if you do have to jerry rig something, let's try and get that upstream? Either you could try, or let me know what you did and maybe I can?

Thanks,
Kevin
________________________________________
From: Graham Burgess [graham.burgess at razer.com]
Sent: Thursday, October 04, 2018 12:54 AM
To: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: RE: Keycloak and Kubernetes

I don't know what is recommended, however I am in the process of using the Helm chart. That said, neither the Helm chart nor the container used currently supports HA, so I am going to be probably "jerry rigging" something to get that to work based on the work done in both.

Best regards,
Graham Burgess

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Fox, Kevin M
Sent: Wednesday, October 3, 2018 4:36 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak and Kubernetes

I saw in the most recent CNCF TOC meeting notes that there is a good amount of Kubernetes/OpenShift based Keycloak deployments. How are these being done? The example demo YouTube link looks to just be kubectling stuff. What is the recommended way to do this? Is the helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way?

Thanks,
Kevin

From z_88 at yahoo.com Thu Oct 4 11:50:29 2018
From: z_88 at yahoo.com (ZKX)
Date: Thu, 4 Oct 2018 15:50:29 +0000 (UTC)
Subject: [keycloak-user] keycloak 4.5 client integration with spring boot and spring security problem
References: <499851086.4769611.1538668229109.ref@mail.yahoo.com>
Message-ID: <499851086.4769611.1538668229109@mail.yahoo.com>

We are doing a POC with a spring boot/security project with keycloak. Initially we only had keycloak-spring-boot-starter without directly referencing spring security. It is very straightforward with just setting the keycloak properties in the application.properties file. Later on we needed to use @PreAuthorize("hasRole('admin')") to enforce security checks on some services, therefore we added the spring security library with additional security configuration, as mentioned in the keycloak document.
Mostly as described in this tutorial: https://www.baeldung.com/spring-boot-keycloak

Everything works fine with keycloak 4.3/4.4, we can still use the keycloak config in the application.properties file together with spring security, since we had the following code in our spring boot configuration:

    @Bean
    public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

However, recently we upgraded our spring boot keycloak starter to 4.5, and our application failed to start with the following error:

    Error creating bean with name 'KeycloakSpringBootConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?

Just wondering how to resolve this? Anyone use spring boot with spring security together with keycloak starter 4.5 successfully?

Thanks,
Kevin

From graham.burgess at razer.com Thu Oct 4 11:58:03 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Thu, 4 Oct 2018 15:58:03 +0000
Subject: [keycloak-user] Keycloak and Kubernetes
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C1B3A52@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov>, , <1A3C52DFCD06494D8528644858247BF01C1B3A52@EX10MBOX03.pnnl.gov>
Message-ID:

Totally would agree, that is how I became an OSS contributor. I could have sworn the chart needed something but the docker container definitely needs work. It even looks like they did work on it for the containers too :) Well that is today's project.

Graham

From: Fox, Kevin M
Sent: Thursday, October 4, 8:46 AM
Subject: RE: Keycloak and Kubernetes
To: Graham Burgess, keycloak-user at lists.jboss.org

Oh, and the upstream charts developers seem pretty open to contributions. So if you do have to jerry rig something, let's try and get that upstream? Either you could try, or let me know what you did and maybe I can?

Thanks,
Kevin
________________________________________
From: Graham Burgess [graham.burgess at razer.com]
Sent: Thursday, October 04, 2018 12:54 AM
To: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: RE: Keycloak and Kubernetes

I don't know what is recommended, however I am in the process of using the Helm chart. That said, neither the Helm chart nor the container used currently supports HA, so I am going to be probably "jerry rigging" something to get that to work based on the work done in both.

Best regards,
Graham Burgess

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Fox, Kevin M
Sent: Wednesday, October 3, 2018 4:36 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak and Kubernetes

I saw in the most recent CNCF TOC meeting notes that there is a good amount of Kubernetes/OpenShift based Keycloak deployments. How are these being done? The example demo YouTube link looks to just be kubectling stuff. What is the recommended way to do this? Is the helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way?
Thanks,
Kevin

From psilva at redhat.com Thu Oct 4 14:42:24 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 4 Oct 2018 15:42:24 -0300
Subject: [keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
In-Reply-To:
References:
Message-ID:

Please, check if your client is granted the "uma_protection" client role. I think client roles were not being exported correctly and we fixed that in the latest release.

On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings wrote:

> I have upgraded from keycloak 4.3 to keycloak 4.4. I have exported the realm from 4.3 and imported it in 4.4.
>
> The "policy-enforcer": {} in keycloak.json results in 403 : {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>
> In keycloak 4.3 everything works fine. I have exported the realm and used it with keycloak 4.4, but the policy-enforcer does not work. Is there some extra step that is needed apart from exporting and importing the json?
> If I remove the policy-enforcer line the app works fine.
>
> APP code:
>
>     final String KEYCLOAK_JSON = //json path;
>     InputStream config = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>     KeycloakInstalled keycloak = new KeycloakInstalled(config);
>
> Stack trace thrown at the time of starting app:
>
>     java.lang.RuntimeException: Could not find resource
>     Logged in...
>         at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>         at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>         at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>         at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>         at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>         at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>         at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>         at org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>         at com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>     Caused by: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>         at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>         at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>         at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>         at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>         at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>         ... 7 more
>     Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>         at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>         at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>         at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>         at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>         at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>         ... 8 more

From psilva at redhat.com Thu Oct 4 14:45:02 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 4 Oct 2018 15:45:02 -0300
Subject: [keycloak-user] keycloak 4.5 client integration with spring boot and spring security problem
In-Reply-To: <499851086.4769611.1538668229109@mail.yahoo.com>
References: <499851086.4769611.1538668229109.ref@mail.yahoo.com> <499851086.4769611.1538668229109@mail.yahoo.com>
Message-ID:

Hi,

Please, see http://lists.jboss.org/pipermail/keycloak-user/2018-September/015688.html. I'm working on a fix right now.

Regards.
Pedro Igor

On Thu, Oct 4, 2018 at 1:43 PM ZKX wrote:

> We are doing a POC with a spring boot/security project with keycloak. Initially we only had keycloak-spring-boot-starter without directly referencing spring security. It is very straightforward with just setting the keycloak properties in the application.properties file.
> Later on we needed to use @PreAuthorize("hasRole('admin')") to enforce security checks on some services, therefore we added the spring security library with additional security configuration, as mentioned in the keycloak document. Mostly as described in this tutorial: https://www.baeldung.com/spring-boot-keycloak
> Everything works fine with keycloak 4.3/4.4, we can still use the keycloak config in the application.properties file together with spring security, since we had the following code in our spring boot configuration:
>
>     @Bean
>     public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
>         return new KeycloakSpringBootConfigResolver();
>     }
>
> However, recently we upgraded our spring boot keycloak starter to 4.5, and our application failed to start with the following error:
>
>     Error creating bean with name 'KeycloakSpringBootConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?
>
> Just wondering how to resolve this? Anyone use spring boot with spring security together with keycloak starter 4.5 successfully?
>
> Thanks,
> Kevin

From psilva at redhat.com Thu Oct 4 14:50:33 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 4 Oct 2018 15:50:33 -0300
Subject: [keycloak-user] Question about application of protocol mappers when requesting an RPT
In-Reply-To:
References:
Message-ID:

Hi,

Good catch, could you file a JIRA please?

Regards.
Pedro Igor

On Thu, Oct 4, 2018 at 12:01 PM Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:

> Hello,
>
> Why are protocol mappers belonging to the token's Authorized Party (azp) applied when requesting an RPT instead of those belonging to its Audience (aud)?
> For example, when a Token Exchange is performed, the mappers belonging to the new Audience are applied, not the Authorized Party ones.
>
> Concretely, we have detected that this behavior is being enforced at this line of code:
> AuthorizationTokenService.java#L248
> <https://github.com/keycloak/keycloak/blob/24e60747b694ab4d03e8e1cbf8e4da764337ff48/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L248>
>
> Is that correct? Shouldn't mappers belonging to the Audience be applied instead?
>
> Thank you in advance!

From hcsgzh at gmail.com Thu Oct 4 16:59:02 2018
From: hcsgzh at gmail.com (hugh shangguan)
Date: Fri, 5 Oct 2018 09:59:02 +1300
Subject: [keycloak-user] Restricting access to the Keycloak Admin Console
Message-ID:

Hi there,

Is there any way to configure Keycloak so that the admin console is not accessible from a remote IP? Basically, I'd like to set up the Keycloak admin console so that you can access it locally on the server but cannot access it remotely. This process is just like setting up your Keycloak admin console for the first time. For authentication, users can still log in remotely to the Keycloak server for tokens.

Any help?

Cheers.

--
Hugh Zhaohui Shangguan

From christoph_john at gmx.de Thu Oct 4 18:13:48 2018
From: christoph_john at gmx.de (Christoph John)
Date: Fri, 5 Oct 2018 00:13:48 +0200
Subject: [keycloak-user] keycloak-user Digest, Vol 58, Issue 8
Message-ID:

Hi Ewan,

thanks a lot for the hints, you saved my day. You were absolutely right. Indeed, the init script has two bugs that lead to a wrong DB_PORT environment variable. I provided a workaround and a description of the two bugs here:
https://github.com/jboss-dockerfiles/keycloak/pull/155

Unfortunately, my bash magic is not good enough to provide a clean solution for the init script.

Best regards,
Christoph

From rafaelweingartner at gmail.com Thu Oct 4 20:56:09 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 4 Oct 2018 21:56:09 -0300
Subject: [keycloak-user] Problem to build Keycloak 4.4.0 and 4.5.0.
In-Reply-To:
References:
Message-ID:

Does Keycloak have some sort of requirement (Docker, PhantomJS, and so on) to run the unit/integration/functional tests?

On Wed, Oct 3, 2018 at 2:04 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:

> Any takers on this issue?
>
> Some more information, I am using a Docker container to execute the build. The 4.0.0.Final is built just fine, but the 4.4.0.Final is not. The container has access to 15GiB of RAM and 4 vCPUs.
>
> Also, I tried looking at the test that is failing "org.keycloak.testsuite.adapter.javascript.JavascriptAdapterTest.fragmentInLoginFunction()", but I could not understand what it is doing there. Can somebody provide me some clues here?
>
> On Mon, Oct 1, 2018 at 9:50 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>
>> Hello Keycloakers,
>>
>> I have been having some problems building Keycloak 4.4.0 and 4.5.0, and so far I have not been able to understand it.
>> The error I am having is the following:
>>
>>> 20:12:00,549 INFO [org.keycloak.testsuite.ssl.TrustStoreEmailTest] [TrustStoreEmailTest] verifyEmailWithSslEnabled() FINISHED
>>> 20:12:00,554 INFO [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removing test realms after test class
>>> 20:12:01,451 INFO [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removed realms: test,
>>> Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 8.545 sec - in org.keycloak.testsuite.ssl.TrustStoreEmailTest
>>> 20:12:01,477 INFO [org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow] Stopping auth server.
>>> Results :
>>> Failed tests:
>>> JavascriptAdapterTest.fragmentInLoginFunction:564->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=iHPVhBI_xGU
>>> JavascriptAdapterTest.fragmentInURLTest:551->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=wpm4e1xKPgE
>>> JavascriptAdapterTest.implicitFlowTest:229->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=bBq5ixLvMQI
>>> JavascriptAdapterTest.loginRequiredAction:326->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=t_17Y5O68es
>>> JavascriptAdapterTest.testGetProfile:164->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=V31A0S8OHr4
>>> JavascriptAdapterTest.testLoginWithKCLocale:131->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=EN_NUcdVMI4
>>> JavascriptAdapterTest.testRefreshToken:143->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=cJg0NsrBK74
>>> JavascriptAdapterTest.testRefreshTokenIfUnder30s:152->assertOnTestAppUrl:102 URL expected to begin with: http://localhost:8180/auth/realms/test/testing/javascript/index.html; actual URL: http://localhost:8180/auth/realms/test/login-actions/required-action?execution=OAUTH_GRANT&client_id=js-console&tab_id=QZE5t54_rXQ
>>> Tests in error:
>>> JavascriptAdapterTest.grantBrowserBasedApp:206->lambda$grantBrowserBasedApp$99c597a6$2:206 » Runtime
>>> JavascriptAdapterTest.implicitFlowCertEndpoint:283 » WebDriver {"errorMessage"...
>>> JavascriptAdapterTest.implicitFlowOnTokenExpireTest:270 » WebDriver {"errorMes...
>>> JavascriptAdapterTest.implicitFlowRefreshTokenTest:258 » WebDriver {"errorMess...
>>> JavascriptAdapterTest.initializeWithRefreshToken:515 » WebDriver {"errorMessag...
>>> JavascriptAdapterTest.initializeWithTimeSkew:480 » WebDriver {"errorMessage":"...
>>> JavascriptAdapterTest.initializeWithTokenTest:453 » WebDriver {"errorMessage":...
>>> JavascriptAdapterTest.reentrancyCallbackTest:527 » WebDriver {"errorMessage":"...
>>> JavascriptAdapterTest.testBearerRequest:310 » WebDriver {"errorMessage":"Can't...
>>> JavascriptAdapterTest.testCertEndpoint:236 » WebDriver {"errorMessage":"Can't ...
>>> Tests run: 2062, Failures: 8, Errors: 10, Skipped: 195
>>
>> I have no clues on why this is happening. Does anybody here have any ideas on how to proceed debugging?
>>
>> The command I am using is the following:
>>
>>> mvn clean install -Pdistribution
>>
>> My Maven and Java version are the following:
>>
>>> root at f48b9f8e1312:~/keycloak# mvn --version
>>> Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z)
>>> Maven home: /root/apache-maven-3.5.4
>>> Java version: 1.8.0_181, vendor: Oracle Corporation, runtime: /root/jdk1.8.0_181/jre
>>> Default locale: en_US, platform encoding: ANSI_X3.4-1968
>>> OS name: "linux", version: "4.4.0-130-generic", arch: "amd64", family: "unix"
>>
>> The PhantomJS version is:
>>
>>> root at f48b9f8e1312:~/keycloak# phantomjs --version
>>> 2.1.1
>>
>> It is interesting that with the same machine (Java, PhantomJS, and Maven) I am able to build the 4.0.0 version. However, I have not been able to build 4.4.0 at all.
>>
>> Any help is welcome here :)
>>
>> --
>> Rafael Weingärtner
>
> --
> Rafael Weingärtner

--
Rafael Weingärtner

From testoauth55 at gmail.com Thu Oct 4 21:01:32 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 5 Oct 2018 06:31:32 +0530
Subject: [keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
In-Reply-To:
References:
Message-ID:

uma_authorization role is present in both the installations (4.3 and 4.4). uma_protection role is not present in any. Is it the case that keycloak 4.3 used to work without uma_protection and 4.4 needs the uma_protection role?

On Fri, Oct 5, 2018 at 12:12 AM Pedro Igor Silva wrote:

> Please, check if your client is granted with a "uma_protection" client role. I think client roles were not being exported correctly and we fixed that in the latest release.
>
> On Thu, Oct 4, 2018 at 11:12 AM Bruce Wings wrote:
>
>> I have upgraded from keycloak 4.3 to keycloak 4.4. I have exported the realm from 4.3 and imported it in 4.4.
>>
>> The "policy-enforcer": {} in keycloak.json results in 403: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>>
>> In keycloak 4.3 everything works fine. I have exported the realm and used it with keycloak 4.4, but the policy-enforcer does not work. Is there some extra step that is needed apart from exporting and importing the json? If I remove the policy-enforcer line the app works fine.
>>
>> APP code:
>> final String KEYCLOAK_JSON = //json path;
>> InputStream config = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>> KeycloakInstalled keycloak = new KeycloakInstalled(config);
>>
>> Stack trace thrown at the time of starting app:
>>
>> java.lang.RuntimeException: Could not find resource
>> Logged in...
>> at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
>> at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
>> at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
>> at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
>> at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
>> at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
>> at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>> at org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
>> at com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
>> Caused by: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>> at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
>> at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
>> at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
>> at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
>> at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
>> ... 7 more
>> Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
>> at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
>> at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
>> at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
>> at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
>> at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
>> ... 8 more

From testoauth55 at gmail.com Thu Oct 4 21:11:46 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 5 Oct 2018 06:41:46 +0530
Subject: [keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
In-Reply-To:
References:
Message-ID:

Secondly, I manually added the uma_protection role to my client in keycloak 4.4 like this, but I still get the same exception. Is this role supposed to be added in a different way?

[image: image.png]

Firstly, uma_authorization role is present in both the installations (4.3 and 4.4). uma_protection role is not present in any. Is it the case that keycloak 4.3 used to work without uma_protection and 4.4 needs the uma_protection role?

On Fri, Oct 5, 2018 at 6:31 AM Bruce Wings wrote:

> [...]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 34068 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181005/f3f98711/attachment-0001.png

From testoauth55 at gmail.com Fri Oct 5 00:20:30 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 5 Oct 2018 09:50:30 +0530
Subject: [keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
In-Reply-To:
References:
Message-ID:

What is more weird is that if I create a new realm in keycloak 4.4 and import the client from keycloak 4.3 into this realm, then everything works fine. The issue appears only if I import the complete realm.

On Fri, Oct 5, 2018 at 6:41 AM Bruce Wings wrote:

> [...]

From testoauth55 at gmail.com Fri Oct 5 01:19:11 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 5 Oct 2018 10:49:11 +0530
Subject: [keycloak-user] Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
In-Reply-To:
References:
Message-ID:

The issue seems to be fixed in the latest keycloak, 4.5. I just downloaded keycloak 4.5.0 and imported the realm. It's working fine.

On Fri, Oct 5, 2018 at 9:50 AM Bruce Wings wrote:

> [...]

From sthorger at redhat.com Fri Oct 5 02:21:58 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Oct 2018 08:21:58 +0200
Subject: [keycloak-user] Public key for verifying JWT?
In-Reply-To:
References:
Message-ID:

It's by design and certainly not a bug.
It's not always the case that applications verify tokens themselves directly, but rather through token introspection endpoints on the Keycloak server. As I said in my last mail, if you want to verify tokens in your app just pick a better suited signing algorithm, like RS256 or ES256.

On Wed, 3 Oct 2018, 15:46 Wyllys Ingersoll, wrote:

> Isn't that a rather important bug to be fixed? What's the point of signing something with a key that cannot be shared with the verifiers?
>
> On Wed, Oct 3, 2018 at 1:30 AM Stian Thorgersen wrote:
>
>> HS* signing algorithms cannot be verified by the client today as it is not using a shared secret, rather a secret only Keycloak knows. You need to pick a different algorithm or use the token introspection endpoint.
>>
>> On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, <wyllys.ingersoll at keepertech.com> wrote:
>>
>>> I'm trying to verify a JWT access token from Keycloak using the python jose-jwt library, but cannot seem to get it to succeed. When using the HS512 algorithm, how does one retrieve the key needed to verify the JWT tokens?
>>>
>>> The JWT header decodes to something like this: {"alg":"HS512","typ" : "JWT","kid" : "eb31076b-bce6-495a-9a4b-e3210e14b342"}, but I don't see how to get the key associated with the given kid value above.
>>>
>>> I tried using the "client secret" from the credential section, but that's not working.
>>>
>>> What am I missing?
>>>
>>> thanks!
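The verifier side of Stian's answer, as an added example that is not code from this thread or from Keycloak: a client that enforces an algorithm allow-list, selects the realm key by kid from the JWKS (the certs endpoint document), and refuses HS* tokens with a pointer to token introspection instead of trying the client secret, which is not the HMAC key. The signing helpers, key ids and claims are stand-ins so that it runs offline.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// JWK is the subset of a JSON Web Key a verifier needs for RS256; JWKS mirrors the
// document a realm serves at .../protocol/openid-connect/certs.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

// JWKSFor publishes an RSA public key under a kid (stand-in for the certs endpoint).
func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	n, e := b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: n, E: e}}}
}

func segment(v interface{}) string {
	raw, _ := json.Marshal(v)
	return b64.EncodeToString(raw)
}

// SignRS256 mints a token with the realm's RSA key (issuer side, stand-in for Keycloak).
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	input := segment(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + segment(claims)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// SignHS512 mints a token with a secret that never leaves the server (the client secret is not it).
func SignHS512(secret []byte, kid string, claims map[string]interface{}) string {
	input := segment(map[string]string{"alg": "HS512", "typ": "JWT", "kid": kid}) + "." + segment(claims)
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verify is the client side: alg must be allow-listed, kid must select an RSA key from
// the JWKS, and the signature must verify. HS* is refused before any key is touched.
func Verify(token string, set JWKS) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWT")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("unreadable JOSE header")
	}
	if strings.HasPrefix(hdr.Alg, "HS") {
		return nil, fmt.Errorf("alg %s: secret is held by the server only, use token introspection", hdr.Alg)
	}
	if hdr.Alg != "RS256" { // also rejects "none" and any alg we did not opt into
		return nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	var key *JWK
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid && set.Keys[i].Kty == "RSA" {
			key = &set.Keys[i]
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	n, errN := b64.DecodeString(key.N)
	e, errE := b64.DecodeString(key.E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, fmt.Errorf("bad base64url in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]interface{}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("unreadable payload")
	}
	return claims, nil
}
```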
From amritha_amarnath at amritatech.com Fri Oct 5 03:15:18 2018
From: amritha_amarnath at amritatech.com (Amritha Amarnath)
Date: Fri, 5 Oct 2018 12:45:18 +0530 (GMT+05:30)
Subject: [keycloak-user] Too many redirects with remember me checked
In-Reply-To: <28007012.572641538722488328.JavaMail.root@atmail.amritatech.com>
Message-ID: <5225391.573371538723718188.JavaMail.root@atmail.amritatech.com>

Hello,

My application has been deployed in Wildfly 11 and is integrated with standalone Keycloak, and it works fine. But the issue is, when the application is logged in with the Remember-me checkbox checked, it shows too many redirects when I restart the browser, even though the user session is valid. This leads me to log out my application session manually from the keycloak admin console.

Wildfly log says: Account was not in session, returning null, there was no code

Once the user session also gets expired, it shows the login page with pre-filled username and remember-me checked as expected.

I am new to keycloak. So any idea regarding too many redirects with remember-me checked?

--
With Regards,
Amms

From upananda.singha at motorolasolutions.com Fri Oct 5 03:36:12 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Fri, 5 Oct 2018 13:06:12 +0530
Subject: [keycloak-user] Keycloak standalone-ha cluster replication Timeout issue
Message-ID:

Hi All,

I have been running Keycloak (4.0.0 Final) in standalone-ha mode with 2 instances in a cluster. I have been running the cluster of 2 nodes for more than 3/4 months now. But suddenly I am facing a strange issue now with cache replication between the 2 nodes in the same cluster itself. Has anybody faced this kind of issue, or can anyone guide me on why this is happening and how to resolve the issue?
2018-10-04 17:51:52.793 INFO [org.jboss.as.server] (ServerService Thread Pool -- 49) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
2018-10-04 17:51:52.932 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
2018-10-04 17:51:52.934 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://192.168.190.77:10110/management
2018-10-04 17:51:52.935 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://192.168.190.77:10110
2018-10-04 17:51:52.935 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 4.0.0.Final (WildFly Core 3.0.8.Final) started in 21492ms - Started 645 of 996 services (707 services are lazy, passive or on-demand)
2018-10-04 18:07:02.670 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredEvents]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak-216
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) [rt.jar:1.8.0_162]
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_162]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [rt.jar:1.8.0_162]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [rt.jar:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_162]
2018-10-04 18:07:12.694 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredEvents]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak-216
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) [rt.jar:1.8.0_162]
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_162]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [rt.jar:1.8.0_162]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [rt.jar:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_162]
2018-10-04 18:07:22.712 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredEvents]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak-216
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) [rt.jar:1.8.0_162]
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) [rt.jar:1.8.0_162]
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_162]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [rt.jar:1.8.0_162]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [rt.jar:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_162]
2018-10-04 18:07:32.723 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredEvents]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak-216
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) [infinispan-core-8.2.8.Final.jar:8.2.8.Final]

My cache configuration looks like:

standalone-ha.xml
------------------------

------------------------------------------

Thanks & Regds,
Upananda Singha

From francisco.bermejo.herrera at tecsisa.com Fri Oct 5 04:23:17 2018
From: francisco.bermejo.herrera at tecsisa.com (Francisco José Bermejo Herrera)
Date: Fri, 5 Oct 2018 10:23:17 +0200
Subject: [keycloak-user] Question about application of protocol mappers when requesting an RPT
In-Reply-To:
References:
Message-ID:

Hi Pedro,

Thanks for your quick reply. Here is the issue: https://issues.jboss.org/browse/KEYCLOAK-8489

Regards,
Francisco Bermejo

On Thu, 4 Oct 2018 at 20:50, Pedro Igor Silva () wrote:
> Hi,
>
> Good catch, could you file a JIRA please?
>
> Regards.
> Pedro Igor
>
> On Thu, Oct 4, 2018 at 12:01 PM Francisco José
Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
>
>> Hello,
>>
>> Why are protocol mappers belonging to the token's Authorized Party (azp)
>> applied when requesting an RPT instead of those belonging to its Audience
>> (aud)?
>> For example, when a Token Exchange is performed, the mappers belonging to
>> the new Audience are applied, not the Authorized Party ones.
>>
>> Concretely, we have detected that this behavior is being enforced at this
>> line of code:
>> AuthorizationTokenService.java#L248
>> <https://github.com/keycloak/keycloak/blob/24e60747b694ab4d03e8e1cbf8e4da764337ff48/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L248>
>>
>> Is that correct? Shouldn't mappers belonging to the Audience be applied
>> instead?
>>
>> Thank you in advance!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From mkanis at redhat.com Fri Oct 5 04:32:36 2018
From: mkanis at redhat.com (Martin Kanis)
Date: Fri, 5 Oct 2018 10:32:36 +0200
Subject: [keycloak-user] Too many redirects with remember me checked
In-Reply-To: <5225391.573371538723718188.JavaMail.root@atmail.amritatech.com>
References: <28007012.572641538722488328.JavaMail.root@atmail.amritatech.com> <5225391.573371538723718188.JavaMail.root@atmail.amritatech.com>
Message-ID:

Hello,

what version of Keycloak do you have? Can you provide a Keycloak log?

Regards,
Martin

On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath <amritha_amarnath at amritatech.com> wrote:
>
>
>
> Hello,
>
>
> My application has been deployed in Wildfly 11 and is integrated with
> standalone Keycloak and works fine. But the issue is, when the application
> is logged in with the Remember-me checkbox checked, it's showing too many
> redirects when I restart the browser, even though the user session is valid.
> It leads to logging out my application session manually from the Keycloak admin
> console.
>
> Wildfly log says: Account was not in session, returning null , there was
> no code
>
>
> Once the user session also gets expired it's showing the login page with
> pre-filled username and remember-me checked as expected.
>
>
> I am new to Keycloak. So any idea regarding too many redirects with
> remember-me checked?
>
> --
> With Regards,
> Amms
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dean at edgewoodsoftware.com Fri Oct 5 04:43:33 2018
From: dean at edgewoodsoftware.com (Dean Poulin)
Date: Fri, 5 Oct 2018 04:43:33 -0400
Subject: [keycloak-user] Keycloak invalid redirect_uri with port 0?
Message-ID:

Hi everyone,

First email to the group here. I've been heavily underway implementing Keycloak for my app's auth needs and very impressed with the product. I've delayed emailing the group until I've spent hours of time trying to figure out this weird issue I'm experiencing. This might not be the best place to post this, but figured I'd start here.

For some reason, when I visit my spring boot webapp that's protected by keycloak it's redirecting to keycloak as expected but the redirect_uri is being set with a port of 0 which is causing me to get an error on the keycloak login page saying "invalid redirect_uri."

I've googled this and I've found some people having similar issues, but couldn't find solutions (e.g. https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234).

My prod/test environment uses an nginx reverse proxy in front of my apps.
I followed these steps: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy

The url that was throwing that error looked like this (see the port of 0 in the url):

https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid

The keycloak logs contained this error for the above url:

Oct 05 02:39:40 sso01.example.com standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/sso/login

As you can see for some reason the redirect_uri is being set with a port of 0.

I put in the url with port 0 (https://www.example.com:0/sso/login) into the keycloak client config under Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was now rendering without an error.

However, when the redirect is performed after login, the browser gets screwed up with having port 0 in there? Google Chrome has this error:

This site can't be reached
The webpage at https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw might be temporarily down or it may have moved permanently to a new web address.
ERR_ADDRESS_INVALID

Here's my architecture:

USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8042* -> SPRING BOOT APP (v2.0.5.RELEASE)

USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8080* -> KEYCLOAK SERVER (v4.4.0.Final)

Spring Boot App:

org.keycloak.bom
keycloak-adapter-bom
4.4.0.Final
pom
import

...

org.keycloak
keycloak-spring-boot-starter

Config yaml:

keycloak:
  auth-server-url: https://sso.example.com/auth
  realm: my-app
  public-client: true
  resource: my-client
  ssl-required: external

Nginx is configured as a reverse proxy with these settings for the spring boot app:

upstream app {
    server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
    server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 443;

        proxy_next_upstream error timeout invalid_header http_500;
        proxy_connect_timeout 2;

        proxy_pass http://app;
    }
}

Nginx is configured as a reverse proxy with these settings for the keycloak server:

upstream sso {
    server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
    server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name sso.example.com;

    ...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 443;

        proxy_next_upstream error timeout invalid_header http_500;
        proxy_connect_timeout 2;

        proxy_pass http://sso;
    }
}

My keycloak configuration for standalone.xml has these settings:

Undertow config:

...

Socket Bindings:

Thanks for your help, I must have missed something somewhere.
I just can't for the life of me find out where that port 0 is coming from.

Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean at edgewoodsoftware.com

From sblanc at redhat.com Fri Oct 5 04:52:08 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 5 Oct 2018 10:52:08 +0200
Subject: [keycloak-user] Keycloak invalid redirect_uri with port 0?
In-Reply-To:
References:
Message-ID:

Hi,

We have a ticket concerning the 0 added as port: https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan to work on it. But look at the comments; it looks like there are some workarounds for now (the last comment).

Sebi

On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin wrote:
> Hi everyone, > > First email to the group here. I've been heavily underway implementing > Keycloak for my app's auth needs and very impressed with the product. I've > delayed emailing the group until I've spent hours of time trying to figure > out this weird issue I'm experiencing. This might not be the best place to > post this, but figured I'd start here. > > For some reason, when I visit my spring boot webapp that's protected by > keycloak it's redirecting to keycloak as expected but the redirect_uri is > being set with a port of 0 which is causing me to get an error on the > keycloak login page saying "invalid redirect_uri." > > I've googled this and I've found some people having similar issues, but > couldn't find solutions (e.g. > https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 > < > https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234>, > > https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 > < > https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 > >).
> > My prod/test environment uses an nginx reverse proxy in front of my apps. > > I followed these steps: > https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy > < > https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy > >. > > The url that was throwing that error looked like this (see the port of 0 > in the url): > > > https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com > < > https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com > >%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid > > The keycloak logs contained this error for the above url: > > Oct 05 02:39:40 sso01.example.com > standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default > task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, > ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri= > https://www.example.com :0/sso/login > > As you can see for some reason the redirect_uri is being set with a port > of 0. > > I put in the url with port 0 (https://www.example.com:0/sso/login < > https://www.example.com:0/sso/login>) into the keycloak client config > under Valid Redirect URIs and that removed the invalid redirect_url issue > and the login page was now rendering without an error. > > However, when the redirect is performed after login, the browser gets > screwed up with having port 0 in there? 
Google Chrome has this error: > > This site can't be reached > The webpage at > https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw > < > https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw> > might be temporarily down or it may have moved permanently to a new web > address. > ERR_ADDRESS_INVALID > > Here's my architecture: > > USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8042* > -> SPRING BOOT APP (v2.0.5.RELEASE) > > USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8080* > -> KEYCLOAK SERVER (v4.4.0.Final) > > Spring Boot App: > > > org.keycloak.bom > keycloak-adapter-bom > 4.4.0.Final > pom > import > > > ...
> > > org.keycloak > keycloak-spring-boot-starter > > > Config yaml: > > keycloak: > auth-server-url: https://sso.example.com/auth < > https://sso.example.com/auth> > realm: my-app > public-client: true > resource: my-client > ssl-required: external > > > > Nginx is configured as a reverse proxy with these settings for the spring > boot app: > > upstream app { > server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; > server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; > } > > server { > listen 443; > server_name www.example.com ; > > ... > > location / { > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Host $host; > proxy_set_header X-Forwarded-Port 443; > > proxy_next_upstream error timeout invalid_header http_500; > proxy_connect_timeout 2; > > proxy_pass http://app ; > } > } > > Nginx is configured as a reverse proxy with these settings for the > keycloak server: > > > upstream sso { > server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; > server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; > } > > server { > listen 443; > server_name sso.example.com ; > > ... > > location / { > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Host $host; > proxy_set_header X-Forwarded-Port 443; > proxy_next_upstream error timeout invalid_header http_500; > proxy_connect_timeout 2; > > proxy_pass http://sso ; > } > } > > My keycloak configuration for standalone.xml has these settings: > > Undertow config: > > > redirect-socket="proxy-https" enable-http2="true" > proxy-address-forwarding="true"/> > security-realm="ApplicationRealm" enable-http2="true"/> > > > > > > ? 
> > Socket Bindings: > > port-offset="${jboss.socket.binding.port-offset:0}"> > port="${jboss.management.http.port:9990}"/> > port="${jboss.management.https.port:9993}"/> > > > > > > > > > > > > > > > > Thanks for your help, I must have missed something somewhere. I just can't > for the life of me find out where that port 0 is coming from. > > > Dean Poulin > Owner & Principal Software Engineer > edgewood software > email: dean at edgewoodsoftware.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From l.lech at ringler.ch Fri Oct 5 04:53:17 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Fri, 5 Oct 2018 08:53:17 +0000
Subject: [keycloak-user] Using your SPI provider instead of default one
Message-ID: <5E48B917000C984B86B77170F441903A11D8C70A@exch.ringler.ch>

Hello,

There is something that I have missed in the provider's documentation (https://www.keycloak.org/docs/3.3/server_development/topics/providers.htm).

I've implemented my own SPI (EmailTemplateProvider - a mock implementation that logs to the console using slf4j instead of sending anything). I've dropped the jar in the deployments folder. I see a message that my SPI got registered and it's listed in server info. However, when I try to register, the default (freemarker) email template provider is called.

How can I choose which SPI will be used for my realm? Or can there be only one?

Best regards,
Lukasz Lech

From dean at edgewoodsoftware.com Fri Oct 5 05:30:30 2018
From: dean at edgewoodsoftware.com (Dean Poulin)
Date: Fri, 5 Oct 2018 05:30:30 -0400
Subject: [keycloak-user] Keycloak invalid redirect_uri with port 0?
In-Reply-To:
References:
Message-ID: <840F9999-4D16-420A-9E0B-FE37AF24DCFF@edgewoodsoftware.com>

Hi,

I've tried a couple things in that comment so far:

1) Verified I'm sending through the headers and the spring boot app is receiving the headers:

Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05 05:15:27.576 INFO 25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController : host=www.example.com
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-real-ip=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-for=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-proto=https
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-host=www.example.com
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-port=443

I tried setting the spring boot keycloak config setting:

keycloak.ssl-required = none

That did remove the port 0 in the redirect_uri being generated but it also set the redirect uri to be http instead of https, which seems like it'd be bad. I do have nginx set to redirect all http requests to https anyway.

Is there something else I need to do to get the spring boot app to generate the correct redirect_uri with https? There must be like some magic config setting I've missed somewhere. I'll keep digging and share what I find.

Thanks,

Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean at edgewoodsoftware.com

> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc wrote: > > Hi, > > We have a ticket concerning the 0 added as port : https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan it to work on it. But look at the comments, looks like there are some workarounds for now (the last comment). > > Sebi > > > On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin > wrote: > Hi everyone, > > First email to the group here.
I've been heavily underway implementing Keycloak for my app's auth needs and very impressed with the product. I've delayed emailing the group until I've spent hours of time trying to figure out this weird issue I'm experiencing. This might not be the best place to post this, but figured I'd start here. > > For some reason, when I visit my spring boot webapp that's protected by keycloak it's redirecting to keycloak as expected but the redirect_uri is being set with a port of 0 which is causing me to get an error on the keycloak login page saying "invalid redirect_uri." > > I've googled this and I've found some people having similar issues, but couldn't find solutions (e.g. https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >, https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >). > > My prod/test environment uses an nginx reverse proxy in front of my apps. > > I followed these steps: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy >. > > The url that was throwing that error looked like this (see the port of 0 in the url): > > https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com >%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid > > The keycloak logs contained this error for the above url: > > Oct 05 02:39:40 sso01.example.com > standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com >:0/sso/login > > As you can see for some reason the redirect_uri is being set with a port of 0.
> > I put in the url with port 0 (https://www.example.com:0/sso/login >) into the keycloak client config under Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was now rendering without an error. > > However, when the redirect is performed after login, the browser gets screwed up with having port 0 in there? Google Chrome has this error: > > This site can't be reached > The webpage at https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw > might be temporarily down or it may have moved permanently to a new web address. > ERR_ADDRESS_INVALID > > Here's my architecture: > > USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8042* -> SPRING BOOT APP (v2.0.5.RELEASE) > > USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8080* -> KEYCLOAK SERVER (v4.4.0.Final) > > Spring Boot App: > > > org.keycloak.bom > keycloak-adapter-bom > 4.4.0.Final > pom > import > > > ... > > > org.keycloak > keycloak-spring-boot-starter > > > Config yaml: > > keycloak: > auth-server-url: https://sso.example.com/auth > > realm: my-app > public-client: true > resource: my-client > ssl-required: external > > > > Nginx is configured as a reverse proxy with these settings for the spring boot app: > > upstream app { > server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; > server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; > } > > server { > listen 443; > server_name www.example.com >; > > ...
> > location / { > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Host $host; > proxy_set_header X-Forwarded-Port 443; > > proxy_next_upstream error timeout invalid_header http_500; > proxy_connect_timeout 2; > > proxy_pass http://app >; > } > } > > Nginx is configured as a reverse proxy with these settings for the keycloak server: > > > upstream sso { > server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; > server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; > } > > server { > listen 443; > server_name sso.example.com >; > > ... > > location / { > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Host $host; > proxy_set_header X-Forwarded-Port 443; > proxy_next_upstream error timeout invalid_header http_500; > proxy_connect_timeout 2; > > proxy_pass http://sso >; > } > } > > My keycloak configuration for standalone.xml has these settings: > > Undertow config: > > > > > > > > > > ... > > Socket Bindings: > > > > > > > > > > > > > > > > > > > > Thanks for your help, I must have missed something somewhere. I just can't for the life of me find out where that port 0 is coming from. > > > Dean Poulin > Owner & Principal Software Engineer > edgewood software > email: dean at edgewoodsoftware.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Fri Oct 5 05:37:29 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 5 Oct 2018 11:37:29 +0200
Subject: [keycloak-user] Keycloak invalid redirect_uri with port 0?
In-Reply-To: <840F9999-4D16-420A-9E0B-FE37AF24DCFF@edgewoodsoftware.com>
References: <840F9999-4D16-420A-9E0B-FE37AF24DCFF@edgewoodsoftware.com>
Message-ID:

TBH no idea if it helps in your case, but there is a config property called "redirect-rewrite-rules" that may help you: https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config

On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin wrote:
> Hi, > > I've tried a couple things in that comment so far: > > 1) Verified I'm sending through the headers and the spring boot app is > receiving the headers: > > Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05 > 05:15:27.576 INFO 25117 --- [nio-8042-exec-2] > a.c.u.server.controller.IndexController : host=www.example.com > Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: > x-real-ip=1.2.3.4 > Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: > x-forwarded-for=1.2.3.4 > Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: > x-forwarded-proto=https > Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: > x-forwarded-host=www.example.com > Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: > x-forwarded-port=443 > > I tried setting the spring boot keycloak config setting: > > keycloak.ssl-required = none > > That did remove the port 0 in the redirect_uri being generated but it also > set the redirect uri to be http instead of https, which seems like it'd be > bad. I do have nginx set to redirect all http requests to https anyway. > > Is there something else I need to do to get the spring boot app to > generate the correct redirect_uri with https? There must be like some magic > config setting I've missed somewhere. I'll keep digging and share what I > find.
> > Thanks, > > Dean Poulin > Owner & Principal Software Engineer > edgewood software > email: dean at edgewoodsoftware.com > > > On Oct 5, 2018, at 4:52 AM, Sebastien Blanc wrote: > > Hi, > > We have a ticket concerning the 0 added as port : > https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan > it to work on it. But look at the comments, looks like there are some > workarounds for now (the last comment). > > Sebi > > > On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin > wrote: > >> Hi everyone, >> >> First email to the group here. I've been heavily underway implementing >> Keycloak for my app's auth needs and very impressed with the product. I've >> delayed emailing the group until I've spent hours of time trying to figure >> out this weird issue I'm experiencing. This might not be the best place to >> post this, but figured I'd start here. >> >> For some reason, when I visit my spring boot webapp that's protected by >> keycloak it's redirecting to keycloak as expected but the redirect_uri is >> being set with a port of 0 which is causing me to get an error on the >> keycloak login page saying "invalid redirect_uri." >> >> I've googled this and I've found some people having similar issues, but >> couldn't find solutions (e.g. >> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >> < >> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234>, >> >> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >> < >> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >> >). >> >> My prod/test environment uses an nginx reverse proxy in front of my apps.
>> >> I followed these steps: >> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy >> < >> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy >> >. >> >> The url that was throwing that error looked like this (see the port of 0 >> in the url): >> >> >> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com >> < >> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com >> >%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid >> >> The keycloak logs contained this error for the above url: >> >> Oct 05 02:39:40 sso01.example.com >> standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default >> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, >> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri= >> https://www.example.com :0/sso/login >> >> As you can see for some reason the redirect_uri is being set with a port >> of 0. >> >> I put in the url with port 0 (https://www.example.com:0/sso/login < >> https://www.example.com:0/sso/login>) into the keycloak client config >> under Valid Redirect URIs and that removed the invalid redirect_url issue >> and the login page was now rendering without an error. >> >> However, when the redirect is performed after login, the browser gets >> screwed up with having port 0 in there? 
Google Chrome has this error: >> >> This site can?t be reached >> The webpage at >> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw >> < >> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw> >> might be temporarily down or it may have moved permanently to a new web >> address. >> ERR_ADDRESS_INVALID >> >> Here?s my architecture: >> >> USER ?> *HTTPS Standard Port 443* ?> NGINX ?> *HTTP Port 8042* >> ?> SPRING BOOT APP (v2.0.5.RELEASE) >> >> USER ?> *HTTPS Standard Port 443* ?> NGINX ?> *HTTP Port 8080* >> ?> KEYCLOAK SERVER (v4.4.0.Final) >> >> Spring Boot App: >> >> >> org.keycloak.bom >> keycloak-adapter-bom >> 4.4.0.Final >> pom >> import >> >> >> ... 
>> >> >> org.keycloak >> keycloak-spring-boot-starter >> >> >> Config yaml: >> >> keycloak: >> auth-server-url: https://sso.example.com/auth < >> https://sso.example.com/auth> >> realm: my-app >> public-client: true >> resource: my-client >> ssl-required: external >> >> >> >> Nginx is configured as a reverse proxy with these settings for the spring >> boot app: >> >> upstream app { >> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >> } >> >> server { >> listen 443; >> server_name www.example.com ; >> >> ... >> >> location / { >> proxy_set_header Host $host; >> proxy_set_header X-Real-IP $remote_addr; >> proxy_set_header X-Forwarded-For >> $proxy_add_x_forwarded_for; >> proxy_set_header X-Forwarded-Proto $scheme; >> proxy_set_header X-Forwarded-Host $host; >> proxy_set_header X-Forwarded-Port 443; >> >> proxy_next_upstream error timeout invalid_header http_500; >> proxy_connect_timeout 2; >> >> proxy_pass http://app ; >> } >> } >> >> Nginx is configured as a reverse proxy with these settings for the >> keycloak server: >> >> >> upstream sso { >> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >> } >> >> server { >> listen 443; >> server_name sso.example.com ; >> >> ... >> >> location / { >> proxy_set_header Host $host; >> proxy_set_header X-Real-IP $remote_addr; >> proxy_set_header X-Forwarded-For >> $proxy_add_x_forwarded_for; >> proxy_set_header X-Forwarded-Proto $scheme; >> proxy_set_header X-Forwarded-Host $host; >> proxy_set_header X-Forwarded-Port 443; >> proxy_next_upstream error timeout invalid_header http_500; >> proxy_connect_timeout 2; >> >> proxy_pass http://sso ; >> } >> } >> >> My keycloak configuration for standalone.xml has these settings: >> >> Undertow config: >> >> >> > redirect-socket="proxy-https" enable-http2="true" >> proxy-address-forwarding="true"/> >> > security-realm="ApplicationRealm" enable-http2="true"/> >> >> >> >> >> >> ? 
>> >> Socket Bindings: >> >> > port-offset="${jboss.socket.binding.port-offset:0}"> >> > port="${jboss.management.http.port:9990}"/> >> > port="${jboss.management.https.port:9993}"/> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Thanks for your help, I must have missed something somewhere. I just >> can?t for the life of me find out where that port 0 is coming from. >> >> >> Dean Poulin >> Owner & Principal Software Engineer >> edgewood software >> email: dean at edgewoodsoftware.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From amritha_amarnath at amritatech.com Fri Oct 5 06:15:30 2018 From: amritha_amarnath at amritatech.com (Amritha Amarnath) Date: Fri, 5 Oct 2018 15:45:30 +0530 (GMT+05:30) Subject: [keycloak-user] Too many redirects with remember me checked In-Reply-To: <7673411.577151538734409359.JavaMail.root@atmail.amritatech.com> Message-ID: <3312779.577271538734530914.JavaMail.root@atmail.amritatech.com> Hello , Application is using keycloak-4.1.0.Final . For keycloak log please find attachment -- With Regards, Amms ----- Original Message ----- From: "Martin Kanis" To: "amritha amarnath" Cc: keycloak-user at lists.jboss.org Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi Subject: Re: [keycloak-user] Too many redirects with remember me checked Hello, what version of Keycloak do you have? Can you provide a Keycloak log? Regards, Martin On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath < amritha_amarnath at amritatech.com > wrote: Hello, My application have been deployed in Wildfly 11 and is integrated with standalone Keycloak and works fine. But the issue is, when the application is logged in with Remember-me checkbox checked, its showing too many redirects when restart the browser , even though the user session is valid. 
It leads to logout my application session manually from keycloak admin console. Wildfly log says: Account was not in session, returning null , there was no code Once the user session also get expired its showing the login page with pre-filled username and remember-me checked as expected. I am new to keycloak. So any idea regarding too many redirects with remember-me checked ? -- With Regards, Amms _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- A non-text attachment was scrubbed... Name: keycloak.log Type: text/x-log Size: 4017 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181005/098966fb/attachment.bin From l.lech at ringler.ch Fri Oct 5 06:19:14 2018 From: l.lech at ringler.ch (Lukasz Lech) Date: Fri, 5 Oct 2018 10:19:14 +0000 Subject: [keycloak-user] Custom password policy - i18n messages Message-ID: <5E48B917000C984B86B77170F441903A11D8D731@exch.ringler.ch> Hello, I've created my own password policy. It gives back PolicyError with i18n key. Where should I put the translations for that key? Do I need to append it to themes/base/login/messages/messages_XX.properties or I can provide them in other location (inside the jar, for example)? Best regards, Lukasz Lech From dean at edgewoodsoftware.com Fri Oct 5 06:26:52 2018 From: dean at edgewoodsoftware.com (Dean Poulin) Date: Fri, 5 Oct 2018 06:26:52 -0400 Subject: [keycloak-user] Keycloak invalid redirect_uri with port 0? 
In-Reply-To:
References: <840F9999-4D16-420A-9E0B-FE37AF24DCFF@edgewoodsoftware.com>
Message-ID: <21D201FB-E437-473E-87D7-6F63E31B8D53@edgewoodsoftware.com>

After a bit more trial and error the final setting that worked for me was to set:

keycloak:
  ssl-required: external
  confidential-port: 443

Setting confidential-port to 443 is now generating the correct redirect_uri and having ssl-required set to external is forcing https correctly. The redirect_uri no longer has port 0.

https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%2Fsso%2Flogin&state=3107f446-eab4-4473-903b-d6dd5746fc2d&login=true&scope=openid

Thanks again for your help pointing me in the right direction.

Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean at edgewoodsoftware.com

From jernej.porenta at 3fs.si Fri Oct 5 07:03:59 2018
From: jernej.porenta at 3fs.si (Jernej Porenta)
Date: Fri, 5 Oct 2018 13:03:59 +0200
Subject: [keycloak-user] Restricting access to the Keycloak Admin Console
In-Reply-To:
References:
Message-ID: <9145DD8A-A036-4191-8C13-D00D8B97D8C7@3fs.si>

Hey,

you can read more about that here: https://www.keycloak.org/docs/latest/server_admin/index.html#admin-endpoints-and-console

br, Jernej

> On 4 Oct 2018, at 22:59, hugh shangguan wrote:
>
> Hi there,
>
> Is there any way to configure Keycloak so that the admin console is not accessible from a remote IP?
>
> Basically, I'd like to set up the Keycloak admin console so that you can access it locally on the server but cannot access it remotely. This process is just like setting up your Keycloak admin console the first time.
>
> For the authentication, users can still log in remotely to the Keycloak server for tokens.
>
> Any help?
>
>
> Cheers.
>
> --
> Hugh
> Zhaohui Shangguan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3802 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181005/aab1d53c/attachment.bin

From mkanis at redhat.com Fri Oct 5 07:06:21 2018
From: mkanis at redhat.com (Martin Kanis)
Date: Fri, 5 Oct 2018 13:06:21 +0200
Subject: [keycloak-user] Too many redirects with remember me checked
In-Reply-To: <3312779.577271538734530914.JavaMail.root@atmail.amritatech.com>
References: <7673411.577151538734409359.JavaMail.root@atmail.amritatech.com> <3312779.577271538734530914.JavaMail.root@atmail.amritatech.com>
Message-ID:

Thanks, I tried to reproduce it with only the admin console but with no success. Maybe it's reproducible only with wildfly. My guess was that it's related to cookies and recent changes to the cookie's path. Can you have a look in the dev console in your browser to see if you can see multiple cookies with the same name but different path, i.e. with trailing "/" and without?

If you have reliable steps to reproduce it feel free to create a Jira as this sounds like a regression/bug to me.

Thank you

From Don.Reynolds at quest.com Fri Oct 5 09:50:11 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Fri, 5 Oct 2018 13:50:11 +0000
Subject: [keycloak-user] Using your SPI provider instead of default one
In-Reply-To: <5E48B917000C984B86B77170F441903A11D8C70A@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A11D8C70A@exch.ringler.ch>
Message-ID:

Hello Lukasz,
While I am not sure you can select the EmailTemplateProvider on a per realm basis, based on an old keycloak-user mailing list item, it looks like you can set it system wide in the standalone.xml.

In http://keycloak-user.88327.x6.nabble.com/keycloak-user-Custom-Email-Provider-td2702.html, it mentions adding an entry for the emailTemplate SPI in the " " node which references your custom spi provider.

Hope that helps.
If you find a way to set it on a per realm basis I would also be interested in that solution.
Don

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Lukasz Lech
Sent: Friday, October 5, 2018 4:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Using your SPI provider instead of default one

Hello,

There is something that I have missed in the provider's documentation ( https://www.keycloak.org/docs/3.3/server_development/topics/providers.htm ).

I've implemented my own SPI (EmailTemplateProvider - a mock implementation that logs on the console using slf4j instead of sending anything). I've dropped the jar in the deployments folder. I see a message that my SPI got registered and it's listed in server info.
However, when I try to register, the default (freemarker) email template provider is called.

How can I choose which SPI will be used for my realm? Or can there be only one?

Best regards,
Lukasz Lech
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From l.lech at ringler.ch Fri Oct 5 10:11:04 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Fri, 5 Oct 2018 14:11:04 +0000
Subject: [keycloak-user] Using your SPI provider instead of default one
In-Reply-To:
References: <5E48B917000C984B86B77170F441903A11D8C70A@exch.ringler.ch>
Message-ID: <5E48B917000C984B86B77170F441903A11D8E7A7@exch.ringler.ch>

Thank you,

I've just found that out myself by looking at the examples in the source code repository.

It looks like it's not in the official documentation, or it's hard to find...

Now I'm scratching my head how to do that modification during the docker image build without using regex-based tools like sed...

Best regards,
Lukasz Lech

From Don.Reynolds at quest.com Fri Oct 5 11:21:04 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Fri, 5 Oct 2018 15:21:04 +0000
Subject: [keycloak-user] Using your SPI provider instead of default one
In-Reply-To: <5E48B917000C984B86B77170F441903A11D8E7A7@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A11D8C70A@exch.ringler.ch> <5E48B917000C984B86B77170F441903A11D8E7A7@exch.ringler.ch>
Message-ID:

We apply xsl transforms in the Dockerfile to update xml files during the dockerfile build process. Here is an example that involves the keycloak image where several updates are being applied to the xml file: https://github.com/devsu/docker-keycloak/tree/master/server-ha-mysql

From luca1988 at gmail.com Fri Oct 5 12:10:35 2018
From: luca1988 at gmail.com (Luca Luca)
Date: Fri, 5 Oct 2018 18:10:35 +0200
Subject: [keycloak-user] Keycloak ACL data access
Message-ID:

Hello,

Is there a way to manage fine grained authorizations with Keycloak like in the following scenario?

There are Users and Reports. If I'm logged in as "user1", I can only view my reports.

So there is a REST endpoint on the Resource Server:

GET /reports/ - Return the set of reports that belong to the logged-in user

How can I use Keycloak to filter data records by user?

Thank you for your help

From uo67113 at gmail.com Fri Oct 5 13:14:19 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 5 Oct 2018 19:14:19 +0200
Subject: [keycloak-user] SamlAuthenticatorValve in apache tomee for a ear application
Message-ID:

Hello there,

OS Version: CentOS Linux release 7.5.1804 (Core) 3.10.0-862.11.6.el7.x86_64
Server version: Apache Tomcat/8.5.32 (TomEE 7.0.5)
Keycloak: 4.2.1 final
Tomcat SAML adapter: org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve

The adapter is working, great, piece of cake, thank you keycloak crew!

However I have a big .ear application composed of multiple modules (.war). Some modules use resources (.js, .css, images, etc) from other modules and these resources are protected. For instance: /Document/Claims/TravelRequest wants to use a calendar.gif that is stored in the /main application.
This last one declares "/*" as the url-pattern in its security-constraint and is also secured with the SamlAuthenticatorValve.

I have tried enabling at the same time the "org.apache.catalina.authenticator.SingleSignOn" in tomcat but no luck. Also forcing "/" via the tomcat global context (sessionCookiePath="/"), no luck either, sigh...

Any thoughts on this?

Thanks in advance,

Luis

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From graham.burgess at razer.com Fri Oct 5 15:04:46 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Fri, 5 Oct 2018 19:04:46 +0000
Subject: [keycloak-user] Private Address ranges
Message-ID:

I know that Keycloak, if configured to, will allow HTTP traffic (instead of HTTPS) from private address ranges. Is there a way to add to that list?

Use case: My K8s cluster uses 100.64.0.0/10 for containers and for a short while I would like to allow HTTP from that range too. Longer term, I am going to implement TLS but that isn't quite at the top of the roadmap yet.

Best regards,

Graham Burgess
RAZER|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc. (San Francisco)
201 3rd Street, Suite 900
San Francisco CA 94103, USA
Tel: +1 (415) 266 5300
Razer Inc. Stock Code: 1337.HK
From graham.burgess at razer.com Fri Oct 5 16:02:33 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Fri, 5 Oct 2018 20:02:33 +0000
Subject: [keycloak-user] Keycloak and Kubernetes
In-Reply-To:
References: <1A3C52DFCD06494D8528644858247BF01C1B365B@EX10MBOX03.pnnl.gov>, , <1A3C52DFCD06494D8528644858247BF01C1B3A52@EX10MBOX03.pnnl.gov>
Message-ID:

So just if you are curious, here are my values for the Keycloak Helm chart to get HA working with KUBE_PING and Keycloak 4.5:

init:
  image:
    repository: alpine
    tag: 3.7
    pullPolicy: IfNotPresent

keycloak:
  replicas: 3

  image:
    repository: jboss/keycloak
    tag: 4.5.0.Final
    pullPolicy: IfNotPresent

    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ##
    pullSecrets: []
    # - myRegistrKeySecretName

  securityContext:
    runAsUser: 1000
    fsGroup: 1000
    runAsNonRoot: true

  ## The path keycloak will be served from. To serve keycloak from the root path, use two quotes (e.g. "").
  basepath: "auth"

  ## Additional init containers, e. g. for providing custom themes
  extraInitContainers: |-
    - name: pg-isready
      image: "{{ .Values.global.db.image }}:{{ .Values.global.db.tag }}"
      env:
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-pg-auth
              key: POSTGRES_PASSWORD
      command:
        - sh
        - -c
        - |
          sleep 10;
          until pg_isready -h {{ .Release.Name }}-pg -U postgres -d postgres; do sleep 1; done;
          echo 'PostgreSQL OK ✓'

  ## Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
  extraContainers: |

  ## Custom script that is run before Keycloak is started.
  preStartScript: |
    ln /opt/jboss/tools/docker-entrypoint.sh /opt/jboss/docker-entrypoint.sh
    exec /opt/jboss/docker-entrypoint.sh -b 0.0.0.0
    exit "$?"

  ## Additional arguments to start command e.g. -Dkeycloak.import= to load a realm
  extraArgs: ""

  ## Username for the initial Keycloak admin user
  username: keycloak

  ## Password for the initial Keycloak admin user
  ## If not set, a random 10 characters password will be used
  password: ""

  ## Allows the specification of additional environment variables for Keycloak
  extraEnv: |
    - name: KEYCLOAK_LOGLEVEL
      value: DEBUG
    - name: WILDFLY_LOGLEVEL
      value: DEBUG
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
    # - name: CACHE_OWNERS
    #   value: "2"
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: JAVA_OPTS
      value: "-server -Xms128m -Xmx1024m -XX:MetaspaceSize=192M -XX:MaxMetaspaceSize=512m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"

  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "keycloak.name" . }}
              release: "{{ .Release.Name }}"
            matchExpressions:
              - key: role
                operator: NotIn
                values:
                  - test
          topologyKey: kubernetes.io/hostname
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                app: {{ template "keycloak.name" . }}
                release: "{{ .Release.Name }}"
              matchExpressions:
                - key: role
                  operator: NotIn
                  values:
                    - test
            topologyKey: failure-domain.beta.kubernetes.io/zone

  nodeSelector: {}

  tolerations: []

  livenessProbe:
    initialDelaySeconds: 120
    timeoutSeconds: 5

  readinessProbe:
    initialDelaySeconds: 30
    timeoutSeconds: 1

  resources:
    limits:
      cpu: "1"
      memory: "4096Mi"
    requests:
      cpu: "500m"
      memory: "1024Mi"

  ## WildFly CLI configurations. They all end up in the file 'keycloak.cli' configured in the configmap which is
  ## executed on server startup.
  cli:
    ## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a
    ## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly.
    nodeIdentifier: |
      # Makes node identifier unique getting rid of a warning in the logs
      /subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name})

    logging: |
      # Allow log level to be configured via environment variable
      /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
      /subsystem=logging/root-logger=ROOT:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})

      # Log only to console
      /subsystem=logging/root-logger=ROOT:write-attribute(name=handlers, value=[CONSOLE])

    reverseProxy: |
      /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
      /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
      /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

    # discovery: ""
    discovery: |
      /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
      /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
      /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
      /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})

      /subsystem=jgroups/stack=tcp:remove()
      /subsystem=jgroups/stack=tcp:add()
      /subsystem=jgroups/stack=tcp/transport=TCP:add(socket-binding="jgroups-tcp")
      /subsystem=jgroups/stack=tcp/protocol=kubernetes.KUBE_PING: add()
      /subsystem=jgroups/stack=tcp/protocol=kubernetes.KUBE_PING/property=namespace: add(value=${env.POD_NAMESPACE:default})
      /subsystem=jgroups/stack=tcp/protocol=MERGE3:add()
      /subsystem=jgroups/stack=tcp/protocol=FD_SOCK:add()
      /subsystem=jgroups/stack=tcp/protocol=FD_ALL:add()
      /subsystem=jgroups/stack=tcp/protocol=VERIFY_SUSPECT:add()
      /subsystem=jgroups/stack=tcp/protocol=pbcast.NAKACK2:add()
      /subsystem=jgroups/stack=tcp/protocol=UNICAST3:add()
      /subsystem=jgroups/stack=tcp/protocol=pbcast.STABLE:add()
      /subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:add()
      /subsystem=jgroups/stack=tcp/protocol=MFC:add()
      /subsystem=jgroups/stack=tcp/protocol=FRAG2:add()
      /subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp)
      /subsystem=jgroups/stack=udp:remove()
      /socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove()

      /interface=private:write-attribute(name=nic, value=eth0)
      /interface=private:undefine-attribute(name=inet-address)

    postgresql: ""
    # postgresql: |
    #   # Statements must be adapted for PostgreSQL. Additionally, we add a 'creation_timestamp' column.
    #   /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=initialize_sql:add(value="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, creation_timestamp timestamp NOT NULL, cluster_name varchar(200) NOT NULL, ping_data bytea, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))")
    #   /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=insert_single_sql:add(value="INSERT INTO JGROUPSPING (own_addr, creation_timestamp, cluster_name, ping_data) values (?, NOW(), ?, ?)")

    # Custom CLI script
    custom: ""

  ## Add additional volumes and mounts, e. g. for custom themes
  extraVolumes: |
  extraVolumeMounts: |

  podDisruptionBudget: {}
    # maxUnavailable: 1
    # minAvailable: 1

  service:
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"

    labels: {}
      # key: value

    ## ServiceType
    ## ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
    type: ClusterIP

    ## Optional static port assignment for service type NodePort.
    # nodePort: 30000

    port: 80

  ## Ingress configuration.
  ## ref: https://kubernetes.io/docs/user-guide/ingress/
  ingress:
    enabled: true
    path: /auth

    annotations:
      zalando.org/skipper-predicate: Source("34.218.139.139/32", "35.163.194.239/32", "52.39.154.222/32", "69.170.21.2/32", "71.6.10.107/32", "182.23.151.172/32", "202.73.58.90/32")
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
      # ingress.kubernetes.io/affinity: cookie

    ## List of hosts for the ingress
    hosts:
      - dev.domain.com

    ## TLS configuration
    tls: []
    # - hosts:
    #     - keycloak.example.com
    #   secretName: tls-keycloak

  ## Persistence configuration
  persistence:
    # If true, the Postgres chart is deployed
    deployPostgres: false

    # The database vendor. Can be either "postgres", "mysql", "mariadb", or "h2"
    dbVendor: postgres

    ## The following values only apply if "deployPostgres" is set to "false"

    # Specifies an existing secret to be used for the database password
    existingSecret: "auth-pg-auth"

    # The key in the existing secret that stores the password
    existingSecretKey: POSTGRES_PASSWORD

    dbHost: auth-pg
    dbPort: 5432
    dbName: postgres
    dbUser: postgres

    # Only used if no existing secret is specified. In this case a new secret is created
    dbPassword: ""

test:
  image:
    repository: unguiculus/docker-python3-phantomjs-selenium
    tag: v1
    pullPolicy: IfNotPresent

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc.
Stock Code: 1337.HK

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Graham Burgess
Sent: Thursday, October 4, 2018 8:58 AM
To: keycloak-user at lists.jboss.org; Fox, Kevin M
Subject: Re: [keycloak-user] Keycloak and Kubernetes

Totally would agree, that is how I became an OSS contributor. I could have sworn the chart needed something but the docker container definitely needs work. It even looks like they did work on it for the containers too :) Well that is today's project.

Graham

From: Fox, Kevin M
Sent: Thursday, October 4, 8:46 AM
Subject: RE: Keycloak and Kubernetes
To: Graham Burgess, keycloak-user at lists.jboss.org

Oh, and the upstream charts developers seem pretty open to contributions. So if you do have to jerry rig something, let's try and get that upstream? Either you could try or let me know what you did and maybe I can?

Thanks,
Kevin
________________________________________
From: Graham Burgess [graham.burgess at razer.com]
Sent: Thursday, October 04, 2018 12:54 AM
To: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: RE: Keycloak and Kubernetes

I don't know what is recommended, however I am in the process of using the Helm chart. That said, neither the Helm chart nor the container used currently support HA, so I am going to be probably "jerry rigging" something to get that to work based on the work done in both.
Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc. Stock Code: 1337.HK

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Fox, Kevin M
Sent: Wednesday, October 3, 2018 4:36 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak and Kubernetes

I saw in the most recent CNCF TOC meeting notes that there is a good amount of Kubernetes/OpenShift based Keycloak deployments. How are these being done? The example demo YouTube link looks to just be kubectling stuff. What is the recommended way to do this? Is the helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way?

Thanks,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dean at edgewoodsoftware.com Fri Oct 5 20:51:18 2018
From: dean at edgewoodsoftware.com (Dean Poulin)
Date: Fri, 5 Oct 2018 20:51:18 -0400
Subject: [keycloak-user] Keycloak invalid redirect_uri with port 0?
In-Reply-To: <21D201FB-E437-473E-87D7-6F63E31B8D53@edgewoodsoftware.com>
References: <840F9999-4D16-420A-9E0B-FE37AF24DCFF@edgewoodsoftware.com> <21D201FB-E437-473E-87D7-6F63E31B8D53@edgewoodsoftware.com>
Message-ID:

TL;DR I finally tracked this down. Ultimately, my issue was caused by my reverse proxy server IP not being trusted by the default proxy IP addresses used by Tomcat in the org.apache.catalina.valves.RemoteIpValve. Specifically, I needed to set server.tomcat.internal-proxies.

Once I set this setting in my configuration, and added the appropriate trusted upstream proxy address, the application now trusts the HTTP requests and the Spring Boot app views the protocol as https and the OAuthRequestAuthenticator works properly. I was also able to remove other settings that were just side effects of the ultimate misconfiguration.

This now works properly for me:

server:
  use-forward-headers: true
  tomcat:
    internal-proxies: 192\\.168\\.\\d{1,3}\\.\\d{1,3}|10\\.0\\.\\d{1,3}\\.\\d{1,3}|1.2.3.4

keycloak:
  auth-server-url: https://sso.example.com/auth
  resource: my-client
  ssl-required: external
  realm: my-app
  public-client: true
  principal-attribute: preferred_username

----------------------------

That previous change got me up to being able to see the login page without an error. After login now the Keycloak server redirects me to my Spring Boot app and it throws an exception in the Keycloak adapter OAuthRequestAuthenticator thinking it's not on SSL: "Adapter requires SSL."

I must be missing something simple to get the Spring Boot app to think it's running on SSL. I have tried all the settings with nginx and Spring Boot for x-forwarded-for and x-forwarded-proto but for some reason the HttpFacade still thinks that the requests are http and not https.

I'm using embedded Tomcat with Spring Boot config:

server:
  use-forward-headers: true
  tomcat:
    remote_ip_header: x-forwarded-for
    protocol_header: x-forwarded-proto

keycloak:
  auth-server-url: https://www.example.com:443/auth
  confidential-port: 443
  ssl-required: none
  realm: my-app
  public-client: true
  resource: my-client
  principal-attribute: preferred_username

I verified my upstream proxy is sending the x-forwarded-* headers and that the Spring Boot app is getting the headers.

If I set keycloak.ssl-required: none along with confidential-port: 443 in the Spring Boot config, that causes the redirect_uri to be set as http and I have to add http://www.example.com/* as a Valid Redirect URI in Keycloak for the client. Which I'm assuming is a HUGE security hole, correct?

I am able to login and the app works and tokens are exchanged, but I feel like sending redirects over HTTP in the browser and using my reverse proxy to redirect those HTTP requests back over to HTTPS is leaking what should be secure URL parameters over HTTP.

Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.813 ERROR 32174 --- [nio-8042-exec-7] o.k.adapters.OAuthRequestAuthenticator : Adapter requires SSL.
Request: http://www.example.com/sso/login?state=a80b5a61-1925-44dd-8f6c-aa18bf0c7572&session_state=a4ae0c2b-85e9-40f8-bcac-0268d6d2f6ea&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ZLQ1jT3Cvpr4Y0bZyGP3aw.jlxhpMDDQKu8Gqe9Y9bv0es8T15E2Dou7CLAZqVH1tieRWzyaoIulKAmhOKyF6FuDt-2m_AvLtOTZPhR1LtWqYXPkVWHotgKmMXYw-xazagqTkLDd_BSPN0DB1vX5H9P5LC_KwyZNaBVY1OLSmwr-hQb5eTlqKN0OPrg1l4rJBsPIxFl1esiKL1ToasLRHlKOn0JwD6ULXfSZuYWTOGd2JZDxiGZ9A-f3-XqEAvCbGMmH_s4Bsmy4HjGq6xl6iPl.DMug3aYjzcSEclqCCHlvAQ
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.814 DEBUG 32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Auth outcome: FAILED
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.820 DEBUG 32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157) ~[keycloak-spring-security-adapter-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84) [keycloak-spring-security-adapter-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155) [spring-boot-actuator-2.0.5.RELEASE.jar!/:2.0.5.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123) [spring-boot-actuator-2.0.5.RELEASE.jar!/:2.0.5.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) [spring-boot-actuator-2.0.5.RELEASE.jar!/:2.0.5.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67) [spring-boot-container-bundle-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) [spring-boot-container-bundle-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:685) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_151]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_151]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.822 DEBUG 32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Updated SecurityContextHolder to contain null Authentication
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.822 DEBUG 32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Delegating to authentication failure handler org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler at 3fceae8c
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.827 DEBUG 32174 --- [nio-8042-exec-7] o.k.adapters.PreAuthActionsHandler : adminRequest http://www.example.com/error?state=a80b5a61-1925-44dd-8f6c-aa18bf0c7572&session_state=a4ae0c2b-85e9-40f8-bcac-0268d6d2f6ea&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..ZLQ1jT3Cvpr4Y0bZyGP3aw.jlxhpMDDQKu8Gqe9Y9bv0es8T15E2Dou7CLAZqVH1tieRWzyaoIulKAmhOKyF6FuDt-2m_AvLtOTZPhR1LtWqYXPkVWHotgKmMXYw-xazagqTkLDd_BSPN0DB1vX5H9P5LC_KwyZNaBVY1OLSmwr-hQb5eTlqKN0OPrg1l4rJBsPIxFl1esiKL1ToasLRHlKOn0JwD6ULXfSZuYWTOGd2JZDxiGZ9A-f3-XqEAvCbGMmH_s4Bsmy4HjGq6xl6iPl.DMug3aYjzcSEclqCCHlvAQ

Dean Poulin
Owner & Principal
Software Engineer edgewood software email: dean at edgewoodsoftware.com > On Oct 5, 2018, at 6:26 AM, Dean Poulin wrote: > > After a bit more trial and error the final setting that worked for me was to set: > > keycloak: > ssl-required: external > confidential-port: 443 > > Setting confidential-port to 443 is now generating the correct redirect_uri and having ssl-required set to external is using forcing https correctly. The redirect_uri no longer has port 0. > > https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%2Fsso%2Flogin&state=3107f446-eab4-4473-903b-d6dd5746fc2d&login=true&scope=openid > > Thanks again for your help pointing me in the right direction. > > Dean Poulin > Owner & Principal Software Engineer > edgewood software > email: dean at edgewoodsoftware.com > > >> On Oct 5, 2018, at 5:37 AM, Sebastien Blanc > wrote: >> >> TBH No idea if it helps in your case but there is a config property called "redirect-rewrite-rules" that may help you : https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config >> >> >> On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin > wrote: >> Hi, >> >> I?ve tried a couple things in that comment so far: >> >> 1) Verified I?m sending through the headers and the spring boot app is receiving the headers: >> >> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05 05:15:27.576 INFO 25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController : host=www.example.com >> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-real-ip=1.2.3.4 >> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-for=1.2.3.4 >> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-proto=https >> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-host=www.example.com >> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-port=443 >> >> I 
tried setting the spring boot keycloak config setting: >> >> keycloak.ssl-required = none >> >> That did remove the port 0 in the redirect_uri being generated but it also set the redirect uri to be http instead of https, which seems like it?d be bad. I do have nginx set to redirect all http requests to https anyway. >> >> Is there something else I need to do to get the spring boot app to generate the correct redirect_uri with https? There must be like some magic config setting I?ve missed somewhere. I?ll keep digging and share what I find. >> >> Thanks, >> >> Dean Poulin >> Owner & Principal Software Engineer >> edgewood software >> email: dean at edgewoodsoftware.com >> >> >>> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc > wrote: >>> >>> Hi, >>> >>> We have a ticket concerning the 0 added as port : https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan it to work on it. But look at the comments, looks like there are some workarounds for now (the last comment). >>> >>> Sebi >>> >>> >>> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin > wrote: >>> Hi everyone, >>> >>> First email to the group here. I?ve been heavily underway implementing Keycloak for my app?s auth needs and very impressed with the product. I?ve delayed emailing the group until I?ve spent hours of time trying to figure out this weird issue I?m experiencing. This might not be the best place to post this, but figured I?d start here. >>> >>> For some reason, when I visit my spring boot webapp that?s protected by keycloak it?s redirecting to keycloak as expected but the redirect_uri is being set with a port of 0 which is causing me to get an error on the keycloak login page saying ?invalid redirect_uri.? >>> >>> I?ve googled this and I?ve found some people having similar issues, but couldn?t find solutions (e.g. 
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >, https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234 >). >>> >>> My prod/test environment uses an nginx reverse proxy in front of my apps. >>> >>> I followed these steps: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy >. >>> >>> The url that was throwing that error looked like this (see the port of 0 in the url): >>> >>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com >%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid >>> >>> The keycloak logs contained this error for the above url: >>> >>> Oct 05 02:39:40 sso01.example.com > standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com >:0/sso/login >>> >>> As you can see for some reason the redirect_uri is being set with a port of 0. >>> >>> I put in the url with port 0 (https://www.example.com:0/sso/login >) into the keycloak client config under Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was now rendering without an error. >>> >>> However, when the redirect is performed after login, the browser gets screwed up with having port 0 in there? 
>>> Google Chrome has this error:
>>>
>>> This site can't be reached
>>> The webpage at https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw might be temporarily down or it may have moved permanently to a new web address.
>>> ERR_ADDRESS_INVALID
>>>
>>> Here's my architecture:
>>>
>>> USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8042* -> SPRING BOOT APP (v2.0.5.RELEASE)
>>>
>>> USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8080* -> KEYCLOAK SERVER (v4.4.0.Final)
>>>
>>> Spring Boot App:
>>>
>>>   <dependencyManagement>
>>>     <dependencies>
>>>       <dependency>
>>>         <groupId>org.keycloak.bom</groupId>
>>>         <artifactId>keycloak-adapter-bom</artifactId>
>>>         <version>4.4.0.Final</version>
>>>         <type>pom</type>
>>>         <scope>import</scope>
>>>       </dependency>
>>>     </dependencies>
>>>   </dependencyManagement>
>>>
>>>   ...
>>>
>>>   <dependency>
>>>     <groupId>org.keycloak</groupId>
>>>     <artifactId>keycloak-spring-boot-starter</artifactId>
>>>   </dependency>
>>>
>>> Config yaml:
>>>
>>> keycloak:
>>>   auth-server-url: https://sso.example.com/auth
>>>   realm: my-app
>>>   public-client: true
>>>   resource: my-client
>>>   ssl-required: external
>>>
>>> Nginx is configured as a reverse proxy with these settings for the spring boot app:
>>>
>>> upstream app {
>>>   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>>   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>> }
>>>
>>> server {
>>>   listen 443;
>>>   server_name www.example.com;
>>>
>>>   ...
>>>
>>>   location / {
>>>     proxy_set_header Host $host;
>>>     proxy_set_header X-Real-IP $remote_addr;
>>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>     proxy_set_header X-Forwarded-Proto $scheme;
>>>     proxy_set_header X-Forwarded-Host $host;
>>>     proxy_set_header X-Forwarded-Port 443;
>>>
>>>     proxy_next_upstream error timeout invalid_header http_500;
>>>     proxy_connect_timeout 2;
>>>
>>>     proxy_pass http://app;
>>>   }
>>> }
>>>
>>> Nginx is configured as a reverse proxy with these settings for the keycloak server:
>>>
>>> upstream sso {
>>>   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>>   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>> }
>>>
>>> server {
>>>   listen 443;
>>>   server_name sso.example.com;
>>>
>>>   ...
>>>
>>>   location / {
>>>     proxy_set_header Host $host;
>>>     proxy_set_header X-Real-IP $remote_addr;
>>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>     proxy_set_header X-Forwarded-Proto $scheme;
>>>     proxy_set_header X-Forwarded-Host $host;
>>>     proxy_set_header X-Forwarded-Port 443;
>>>     proxy_next_upstream error timeout invalid_header http_500;
>>>     proxy_connect_timeout 2;
>>>
>>>     proxy_pass http://sso;
>>>   }
>>> }
>>>
>>> My keycloak configuration for standalone.xml has these settings:
>>>
>>> Undertow config:
>>>
>>> Socket Bindings:
>>>
>>> Thanks for your help, I must have missed something somewhere. I just can't for the life of me find out where that port 0 is coming from.
>>>
>>>
>>> Dean Poulin
>>> Owner & Principal Software Engineer
>>> edgewood software
>>> email: dean at edgewoodsoftware.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jpperata at gmail.com Sat Oct 6 09:33:51 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Sat, 6 Oct 2018 10:33:51 -0300
Subject: [keycloak-user] CDI weld subsystem not enabled by default
Message-ID:

Hi,

I wonder why the CDI subsystem is not enabled in keycloak standalone.xml by default? Any inconveniences?

Thanks,
Juan

From warrior7089 at gmail.com Sun Oct 7 11:00:56 2018
From: warrior7089 at gmail.com (Roman O)
Date: Sun, 7 Oct 2018 18:00:56 +0300
Subject: [keycloak-user] Could not obtain grant code: 401:Unauthorized on access to protected url behind reverse proxy
Message-ID:

Hi, would be happy if you can help me.

I'm trying to access a url protected by Keycloak, */hello*, in the browser. The url is served by the node.js app.

This error is thrown by the following code, after the following sequence of actions:

1) adding client and user to the KeyCloak master realm

2) protecting the express node.js app's url:

    var Keycloak = require('keycloak-connect');
    let kcConfig = {
      clientId: 'test_ui',
      // secret : "d31c4718-12e9-407b-9bf2-cb72734a23f0",
      public: true,
      serverUrl: 'https://127.0.0.1/auth',
      resource: "test_ui",
      realm: 'master'
    };
    var session = require('express-session');
    var memoryStore = new session.MemoryStore();
    var keycloak = new Keycloak({ store: memoryStore }, kcConfig);
    this.app.use(session({
      secret: 'mySecret',
      // resave: false,
      // saveUninitialized: true,
      store: memoryStore
    }));
    this.app.use(keycloak.middleware());
    this.app.get('/hello', keycloak.protect());

3) accessing the protected url in the browser, being redirected to the Keycloak login screen, authenticating... then the error is popped.
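The port-0 redirect_uri in Dean Poulin's thread above and Roman O's keycloak-connect app on this page are two instances of the same situation: an application behind a TLS-terminating proxy must rebuild the URL the browser actually used from the X-Forwarded-* headers before it can hand Keycloak a usable redirect_uri, and Keycloak then matches that value against the client's Valid Redirect URIs. The block below is an added example written for this page; it is not code from either poster and not the Keycloak adapters' own logic. It derives the external URL, refuses to emit a port of 0 rather than whitelisting https://www.example.com:0/... as Dean did, and applies a simplified form of the redirect-URI check (exact match, or prefix match for a pattern ending in `*`). The names `externalUrl`, `redirectUriAllowed`, `trustProxy`, `confidentialPort` and the sample headers are this example's own; the headers are constructed from the values Dean logged.

```javascript
// Added example: rebuild the externally visible URL of a request that arrived
// through a reverse proxy, and validate a redirect_uri the way an OIDC server
// does. Not the Keycloak adapter's code; all names below are this example's own.

// Build the URL the browser used. `trustProxy` must only be true when the app
// is reachable exclusively through the proxy: otherwise X-Forwarded-* headers
// are client-controlled and a spoofed host would steer the redirect.
// `confidentialPort` plays the role of the adapter's confidential-port setting
// in the thread: the https port assumed when neither Host nor X-Forwarded-Port
// names one.
function externalUrl(headers, path, { trustProxy = true, confidentialPort = 443 } = {}) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  const proto = (trustProxy && h['x-forwarded-proto']) || 'http';
  const hostHeader = (trustProxy && h['x-forwarded-host']) || h['host'] || '';
  if (!hostHeader) throw new Error('cannot determine external host');
  const [hostname, hostPort] = hostHeader.split(':');

  const fallbackPort = proto === 'https' ? confidentialPort : 80;
  const rawPort = (trustProxy && h['x-forwarded-port']) || hostPort || String(fallbackPort);
  const port = Number(rawPort);
  // Port 0 is exactly the value that produced invalid_redirect_uri in the
  // thread; a redirect_uri carrying it can never be reached, so fail loudly
  // here instead of registering it on the Keycloak client.
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`refusing to build redirect_uri with port "${rawPort}"`);
  }
  const defaultPort = proto === 'https' ? 443 : 80;
  const portPart = port === defaultPort ? '' : `:${port}`;
  return `${proto}://${hostname}${portPart}${path}`;
}

// Simplified Valid Redirect URIs check: a pattern ending in "*" matches by
// prefix, anything else must match exactly. A fragment is rejected outright.
function redirectUriAllowed(uri, validPatterns) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (_err) {
    return false;
  }
  if (parsed.hash !== '') return false;
  return validPatterns.some((pattern) =>
    pattern.endsWith('*') ? uri.startsWith(pattern.slice(0, -1)) : uri === pattern,
  );
}

// Constructed sample: the headers nginx set in the thread, as the app sees them.
const sampleHeaders = {
  Host: 'www.example.com',
  'X-Real-IP': '1.2.3.4',
  'X-Forwarded-For': '1.2.3.4',
  'X-Forwarded-Proto': 'https',
  'X-Forwarded-Host': 'www.example.com',
  'X-Forwarded-Port': '443',
};
const validRedirects = ['https://www.example.com/sso/*'];

const redirectUri = externalUrl(sampleHeaders, '/sso/login');
console.log(redirectUri, redirectUriAllowed(redirectUri, validRedirects));
```

Dean's working adapter configuration was ssl-required: external together with confidential-port: 443, and nginx has to keep sending X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port as his log lines confirm it does. Two of the workarounds tried on this page only mask the symptom: whitelisting the port-0 URI lets the login page render but, as the ERR_ADDRESS_INVALID error shows, the browser cannot follow the redirect, and NODE_TLS_REJECT_UNAUTHORIZED=0 switches off certificate verification for every TLS connection the Node process makes, including the adapter's back-channel code-for-token exchange.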
The following sequence of requests is seen in wireshark:

/auth/realms/master/protocol/openid-connect/auth?client_id=test_ui&state=504b250d-8616-4685-8c8d-5032713c883a&redirect_uri=https://127.0.0.1/hello/auth_callback&scope=openid&response_type=code

after the authentication in the login screen:

/auth/realms/master/login-actions/authenticate?session_code=TwhsWxUig85PFHfiv-31OTHQl3aApD6z0lMdOr8hgDc&execution=d58a2cad-2be2-4797-b35a-d7b606945b14&client_id=test_ui&tab_id=ywQfz51qnM0

I thought about adding sslRequired: "none" to kcConfig, but doing so seems to have no effect. Also tried to use a confidential client instead of the public one, to no avail.

*package.json* contents:

    "express": "4.16.2",
    "keycloak-connect": "4.3.0",
    "express-session": "1.15.6"

Keycloak 4.3 is used.

What is the cause of the issue and how to fix this error?

*Update*

Added process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; to the *node.js* app following a response on the Keycloak mailing list and now getting the error:

Could not obtain grant code: 401:Unauthorized

I tried to use the example. It works without using the proxy (getting access token, etc...). But when the same code is run behind the reverse proxy, I get the same error as above.

Manually exchanging the authorization code, extracted from the request which results in the error, for a token using Postman works as well.

How to make the example app work behind the reverse proxy?

Regards

Thanks in advance.

From upananda.singha at motorolasolutions.com Mon Oct 8 02:24:57 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Mon, 8 Oct 2018 11:54:57 +0530
Subject: [keycloak-user] Moving from Keycloak higher version to RHSSo(lower version of Keycloak)
Message-ID:

Hi All

We are planning to deploy Keycloak community version (4.0.0.Final) in production and later on, if we want to go for support (RHSSO) and want to deploy the supported version of the same, which might actually be an earlier version of Keycloak, will there be any problem with the Keycloak version downgrade?

I can see RHSSO always integrates a lower version of Keycloak than what's available in the Community version. E.g. the current Community Keycloak version is 4.5.0.Final, but the Keycloak integrated into RHSSO 7.2.x seems to be Keycloak version 3.4.3.Final.

Thanks & Regds,

*Upananda Singha*

From andreas.lau at outlook.com Mon Oct 8 04:34:43 2018
From: andreas.lau at outlook.com (Andreas Lau)
Date: Mon, 8 Oct 2018 08:34:43 +0000
Subject: [keycloak-user] Java admin client API - encrypt password
Message-ID:

Hey community,

I have a program that has to create user accounts programmatically. So I use the keycloak java client api like this:

    Keycloak kc = KeycloakBuilder.builder()
        .serverUrl("http://your.keycloak.domain/auth")
        .realm("master")
        .username("admin")
        .password("secret")
        .clientId("admin-cli")
        .resteasyClient(
            new ResteasyClientBuilder()
                .connectionPoolSize(10).build()
        ).build();

    UserRepresentation userRepresentation = new UserRepresentation();
    String email = "test@test.de";
    userRepresentation.setEmail(email);
    userRepresentation.setUsername(email);
    kc.realm("myclientapp").users().create(userRepresentation);

I have a couple of questions regarding the code:

- Is this a proper way of using the java client api?
- Is there a way of encrypting the password (I am usually not a big fan of dealing with clear text passwords inside the code)?
- Currently I use the master admin user to connect to keycloak. How can I create and restrict a user-mgmt-admin that is restricted to only handle user mgmt tasks?

I hope some of you can provide me some help,

Thanks in advance.

Andreas

From Mattia.Bello at horsa.it Mon Oct 8 05:02:49 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Mon, 8 Oct 2018 09:02:49 +0000
Subject: [keycloak-user] Problem with login using Keycloak + Spring Security Adapter in Multi Tenancy mode
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F16342@barcellona.horsa.local>

Hello,

I am using keycloak with the keycloak Spring Security adapter and a multi tenancy configuration.

I need to manage the following use case: I want to use only a single login page where the user must enter the realm, username and password. I can't use the standard keycloak login page because keycloak needs to know the realm before showing the relative login page.

How can I do that? Is there a way to pass these three fields to keycloak in a single form?

Thanks to all.

Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67 Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it

From testoauth55 at gmail.com Mon Oct 8 05:46:12 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 8 Oct 2018 15:16:12 +0530
Subject: [keycloak-user] keycloak CORS setup
Message-ID:

The link mentioned in the article on the keycloak mailing list has expired: http://lists.jboss.org/pipermail/keycloak-user/2016-December/008534.html

Can you please share a working link for keycloak CORS setup?

From sblanc at redhat.com Mon Oct 8 05:50:40 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 8 Oct 2018 11:50:40 +0200
Subject: [keycloak-user] keycloak CORS setup
In-Reply-To:
References:
Message-ID:

Just remove the "." at the end of the link, it's still there ;)

https://github.com/keycloak/keycloak/tree/master/examples/cors

On Mon, Oct 8, 2018 at 11:49 AM Bruce Wings wrote:
> The link mentioned in the article on keycloak mailing list has expired:
> http://lists.jboss.org/pipermail/keycloak-user/2016-December/008534.html
>
> Can you please share working link for keycloak CORS setup?
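Coming back to Andreas Lau's admin-client question above: the block below is an added example written for this page, not Andreas's code and not Keycloak's Java admin client. It answers his second and third questions together. Instead of the master realm's admin username and password living in source, it uses a confidential client in the application realm whose service account carries only the realm-management client role manage-users, obtains a token with the client-credentials grant, and creates the user through the Admin REST API. The client name user-provisioner, the environment variables KEYCLOAK_URL and KEYCLOAK_CLIENT_SECRET, and the fake Keycloak used so the flow runs offline are this example's assumptions; the token endpoint path, the POST /admin/realms/{realm}/users call and its 201/409 answers are Keycloak's documented behaviour.

```javascript
// Added example (not from the thread, not Keycloak's own client library):
// provision a user with a least-privilege service account instead of the
// master "admin" user. Assumed setup: confidential client "user-provisioner"
// in realm "myclientapp" with Service Accounts Enabled, and its service-account
// user granted only the realm-management client role "manage-users".

const KC_BASE = process.env.KEYCLOAK_URL || 'http://your.keycloak.domain/auth';
const REALM = 'myclientapp';
const CLIENT_ID = 'user-provisioner';

// The secret is read from the environment (or a secrets manager) at runtime;
// it never appears in source, which is what the "encrypt the password" wish
// in the question is really after.
function clientCredentialsRequest(clientId, clientSecret) {
  if (!clientSecret) {
    throw new Error('KEYCLOAK_CLIENT_SECRET is not set; refusing to start');
  }
  return {
    url: `${KC_BASE}/realms/${REALM}/protocol/openid-connect/token`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
      }).toString(),
    },
  };
}

// Same representation as in the question: username equals e-mail.
function userRepresentation(email) {
  if (!/^[^@\s]+@[^@\s]+$/.test(email)) throw new Error(`not an e-mail address: ${email}`);
  return { username: email, email, enabled: true, emailVerified: false };
}

// Creates the user and returns its id, taken from the Location header that
// POST /admin/realms/{realm}/users answers with on 201 Created.
async function createUser(email, { fetchImpl = globalThis.fetch, clientSecret = process.env.KEYCLOAK_CLIENT_SECRET } = {}) {
  const tokenReq = clientCredentialsRequest(CLIENT_ID, clientSecret);
  const tokenRes = await fetchImpl(tokenReq.url, tokenReq.options);
  if (!tokenRes.ok) throw new Error(`token request failed with HTTP ${tokenRes.status}`);
  const { access_token: accessToken } = await tokenRes.json();

  const res = await fetchImpl(`${KC_BASE}/admin/realms/${REALM}/users`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(userRepresentation(email)),
  });
  if (res.status === 409) throw new Error(`user ${email} already exists`);
  if (res.status === 403) throw new Error('service account lacks manage-users on realm-management');
  if (res.status !== 201) throw new Error(`create user failed with HTTP ${res.status}`);
  return res.headers.get('Location').split('/').pop();
}

// Constructed stand-in for fetch so the flow runs offline; it records the
// calls so a caller can inspect what would have been sent to Keycloak.
function fakeKeycloak(expectedSecret) {
  const calls = [];
  const fetchImpl = async (url, options) => {
    calls.push({ url, options });
    if (url.endsWith('/protocol/openid-connect/token')) {
      const form = new URLSearchParams(options.body);
      const ok = form.get('grant_type') === 'client_credentials' && form.get('client_secret') === expectedSecret;
      return { ok, status: ok ? 200 : 401, json: async () => ({ access_token: 'fake.jwt.token' }) };
    }
    const authorized = options.headers.Authorization === 'Bearer fake.jwt.token';
    const id = '6f1a2c3d-0000-4000-8000-000000000001';
    return {
      ok: authorized,
      status: authorized ? 201 : 401,
      headers: { get: (name) => (name === 'Location' ? `${url}/${id}` : null) },
    };
  };
  return { fetchImpl, calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  const kc = fakeKeycloak('s3cr3t');
  createUser('test@test.de', { fetchImpl: kc.fetchImpl, clientSecret: 's3cr3t' })
    .then((id) => console.log('created user', id))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

In the admin console the setup is: create the client with Access Type confidential, switch on Service Accounts Enabled, and on its Service Account Roles tab assign the realm-management client role manage-users (add a view role only if the program also needs to query users). The master admin credential then never reaches the provisioning service, and a leaked client secret is scoped to user management in one realm rather than to the whole server. The Java admin client in the question supports the same flow: KeycloakBuilder takes grantType(OAuth2Constants.CLIENT_CREDENTIALS), clientId(...) and clientSecret(...) in place of username(...) and password(...).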
From amritha_amarnath at amritatech.com Mon Oct 8 06:26:26 2018
From: amritha_amarnath at amritatech.com (Amritha Amarnath)
Date: Mon, 8 Oct 2018 15:56:26 +0530 (GMT+05:30)
Subject: [keycloak-user] Too many redirects with remember me checked
In-Reply-To: <7816822.611931538994336863.JavaMail.root@atmail.amritatech.com>
Message-ID: <31121834.611961538994386514.JavaMail.root@atmail.amritatech.com>

Thanks,

The application's redirect path configured in keycloak is http://:8080/medvisionapp/* and accessing the same with http://:8080/medvisionapp/ actually redirects to either /medvisionapp/view/MOBILE.html#search or /medvisionapp/view/desk.html#dsearch depending on screen width.

Eg: http://:8080/auth/realms/dcm4che/protocol/openid-connect/auth?client_id=medvisionapp&redirect_uri=http%3A%2F%2F%3A8080%2Fmedvisionapp%2Fview%2Fdesk.html%23dsearch&state=f8687b35-092f-4d78-82de-553b2af49057&response_mode=fragment&response_type=code&scope=openid&nonce=8fc3449b-6488-4417-a9c5-8df58e578937

But when the 'too many redirects' issue occurs, in the browser console the redirect path in the url is the one that is configured in keycloak.

Eg: http://:8080/auth/realms/dcm4che/protocol/openid-connect/auth?response_type=code&client_id=medvisionapp&redirect_uri=http%3A%2F%2F%3A8080%2Fmedvisionapp%2F&state=250229a7-0d03-4309-8747-6ca201a44473&login=true&scope=openid

Am I doing anything wrong in the configuration?

--
With Regards,
Amms

----- Original Message -----
From: "Amritha Amarnath"
To: "Martin Kanis"
Cc: keycloak-user at lists.jboss.org
Sent: Friday, October 5, 2018 3:45:30 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi
Subject: Re: [keycloak-user] Too many redirects with remember me checked

Hello,

Application is using keycloak-4.1.0.Final.
For keycloak log please find attachment

--
With Regards,
Amms

----- Original Message -----
From: "Martin Kanis"
To: "amritha amarnath"
Cc: keycloak-user at lists.jboss.org
Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi
Subject: Re: [keycloak-user] Too many redirects with remember me checked

Hello,

what version of Keycloak do you have? Can you provide a Keycloak log?

Regards,
Martin

On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath <amritha_amarnath at amritatech.com> wrote:

Hello,

My application has been deployed in Wildfly 11 and is integrated with standalone Keycloak and works fine. But the issue is, when the application is logged in with the Remember-me checkbox checked, it shows too many redirects when restarting the browser, even though the user session is valid. It leads to logging out my application session manually from the keycloak admin console.

Wildfly log says: Account was not in session, returning null, there was no code

Once the user session also gets expired, it shows the login page with pre-filled username and remember-me checked as expected.

I am new to keycloak. So any idea regarding too many redirects with remember-me checked?

--
With Regards,
Amms

From henning.waack at codecentric.de Mon Oct 8 06:17:51 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Mon, 8 Oct 2018 12:17:51 +0200
Subject: [keycloak-user] Deadlock on KC 4.0 with Mysql 5.7
In-Reply-To:
References:
Message-ID:

Any input on this? Nobody stumbled over this when doing load-tests?

Thanks a lot in advance!

Henning

On Tue, 2 Oct 2018 at 22:29, Henning Waack <henning.waack at codecentric.de> wrote:

> Dear all.
>
> Using KC 4.0 with Mysql 5.7 (both not clustered) I get the following Deadlock exception in Wildfly when running a minor load test (in which I create new KC users concurrently):
>
> 22:01:24,843 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-87) Uncaught server error: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
>     at org.hibernate.jpa.spi.Abst...
> > Thanks & greetings > > Henning > -- Henning Waack | IT Consultant codecentric AG | Hochstra?e 11 | 42697 Solingen |Deutschland tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal Vorstand: Michael Hochg?rtel . Ulrich K?hn . Rainer Vehns Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus J?ger . J?rgen Sch?tz Diese E-Mail einschlie?lich evtl. beigef?gter Dateien enth?lt vertrauliche und/oder rechtlich gesch?tzte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren Sie bitte sofort den Absender und l?schen Sie diese E-Mail und evtl. beigef?gter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder ?ffnen evtl. beigef?gter Dateien sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. From slaskawi at redhat.com Mon Oct 8 07:12:30 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Mon, 8 Oct 2018 13:12:30 +0200 Subject: [keycloak-user] Keycloak standalone-ha cluster replication Timeout issue In-Reply-To: References: Message-ID: Replication Timeout happens when a node can not replicate data to other cluster members withing a certain amount of time. There might be many different causes including: - long GC pause on one of the nodes - network delays - firewall problems - problems with physical network interfaces I highly encourage you to try to look up some solution in the Internet. When it comes to the replication timeouts, here's my personal list of things to do: - Turn the GC logs on, so that you can correlate GC pauses with the exceptions - Increase timeout in the XML configuration - Observe JGroups "view" messages from the server logs. Make sure it's stable. 
If not, tune FD_* protocol settings Good luck and cheers, Sebastian On Fri, Oct 5, 2018 at 9:38 AM Upananda Singha < upananda.singha at motorolasolutions.com> wrote: > Hi All, > > I have been running Keycloak (4.0.0 Final) in standalone-ha mode with 2 > instances in a cluster. > > I have been running the cluster of 2 nodes for more 3/4 months now. But > suddenly > I am facing a strange issue now with cache replication between the 2 nodes > in the same cluster itself. > Anybody faced this kind of issue or anyone can guide me why this is > happening and how to resolve the issue. > > > 2018-10-04 17:51:52.793 INFO [org.jboss.as.server] (ServerService Thread > Pool -- 49) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war") > 2018-10-04 17:51:52.932 INFO [org.jboss.as.server] (Controller Boot > Thread) WFLYSRV0212: Resuming server > 2018-10-04 17:51:52.934 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0060: Http management interface listening on > http://192.168.190.77:10110/management > 2018-10-04 17:51:52.935 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0051: Admin console listening on http://192.168.190.77:10110 > 2018-10-04 17:51:52.935 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0025: Keycloak 4.0.0.Final (WildFly Core 3.0.8.Final) started in > 21492ms - Started 645 of 996 services (707 services are lazy, passive or > on-demand) > 2018-10-04 18:07:02.670 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) > ISPN000136: Error executing command PutKeyValueCommand, writing keys > [task::ClearExpiredEvents]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for > keycloak-216 > at > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > 
[infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > [rt.jar:1.8.0_162] > at > > org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > > org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [rt.jar:1.8.0_162] > at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_162] > > 2018-10-04 18:07:12.694 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) > ISPN000136: Error executing command PutKeyValueCommand, writing keys > [task::ClearExpiredEvents]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for > keycloak-216 > at > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > > 
org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > [rt.jar:1.8.0_162] > at > > org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > > org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [rt.jar:1.8.0_162] > at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_162] > > 2018-10-04 18:07:22.712 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) > ISPN000136: Error executing command PutKeyValueCommand, writing keys > [task::ClearExpiredEvents]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for > keycloak-216 > at > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) > 
[infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > [rt.jar:1.8.0_162] > at > > org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at > > org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) > [infinispan-core-8.2.8.Final.jar:8.2.8.Final] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [rt.jar:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [rt.jar:1.8.0_162] > at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_162] > > 2018-10-04 18:07:32.723 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) > ISPN000136: Error executing command PutKeyValueCommand, writing keys > [task::ClearExpiredEvents]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout for > keycloak-216 > at > > 
> org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> [infinispan-core-8.2.8.Final.jar:8.2.8.Final]
>
> My cache configurations looks like:
>
> standalone-ha.xml
> ------------------------
> jndi-name="infinispan/Keycloak">
> mode="SYNC" owners="2"/>
> owners="2">
> owners="2">
> owners="2">
> owners="2">
> owners="2">
> default-cache="default" module="org.wildfly.clustering.server">
> module="org.wildfly.clustering.web.infinispan">
> module="org.wildfly.clustering.ejb.infinispan">
> module="org.hibernate.infinispan">
> ------------------------------------------
>
> Thanks & Regds,
>
> Upananda Singha
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Don.Reynolds at quest.com Mon Oct 8 07:57:45 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Mon, 8 Oct 2018 11:57:45 +0000
Subject: [keycloak-user] Keycloak ACL data access
In-Reply-To:
References:
Message-ID:

Hello Luca,

I believe what you will want to do is pass the user's authentication token into your "GET /reports/" call on the resource server and have it pull the relevant user information from the token, such as user name or email, and then use it to limit the query you do to filter reports for that user.

Another mechanism would be to create realm roles in keycloak that correspond to various application functionality and assign those roles to your users. Once a user is authenticated and the token is returned, the role assigned to the user will also appear in the token, so you can use those to control what the user has access to on your resource server.
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Luca Luca
> Sent: Friday, October 5, 2018 12:11 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Keycloak ACL data access
>
> Hello,
>
> Is there a way to manage fine grained authorizations with Keycloak like in the following scenario?
> There are Users and Reports.
> If I'm logged in as "user1", I can only view my reports
>
> So there is REST endpoint on Resource Server:
>
> GET /reports/ - Return set of reports that belong to logged user
>
> How can I use Keycloak to filter data records by user?
>
> Thank you for your help
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Don.Reynolds at quest.com Mon Oct 8 08:07:43 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Mon, 8 Oct 2018 12:07:43 +0000
Subject: [keycloak-user] Moving from Keycloak higher version to RHSSo(lower version of Keycloak)
In-Reply-To:
References:
Message-ID:

Hello,

I do not believe there is a supported downgrade process. Part of the upgrade process updates the database tables with upgrade scripts for which I do not believe there are corresponding downgrade scripts. If that is the case, you could also try using the cli to manually export your realm(s) into json from the more recent version of keycloak and then re-importing them into the lower version of keycloak.
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Upananda Singha
> Sent: Monday, October 8, 2018 2:25 AM
> To: keycloak-user
> Subject: [keycloak-user] Moving from Keycloak higher version to RHSSo(lower version of Keycloak)
>
> Hi All
>
> We are planning to deploy Keycloak community version (4.0.0. Final) in production and later on if we want to go for support (RHSSO) and want to deploy the Supported version of the same which might be actually an earlier version of Keycloak, will there be any problem with Keycloak version downgrade?
> I can see RHSSO always integrates a lower version of Keycloak than what's available in the Community version.
> e.g. Current Community Keycloak version is 4.5.0.Final but Keycloak integrated into RHSSO 7.2.x seems to be Keycloak version 3.4.3.Final.
>
> Thanks & Regds,
>
> *Upananda Singha*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From c.leppelt at campus.tu-berlin.de Mon Oct 8 08:33:09 2018
From: c.leppelt at campus.tu-berlin.de (Leppelt, Christian)
Date: Mon, 8 Oct 2018 12:33:09 +0000
Subject: [keycloak-user] Exception when using the keycloak java libraries with maven
Message-ID: <1539001989142.49186@campus.tu-berlin.de>

Hi,

I wrote a bit of code to get a JWT from keycloak. That works perfectly fine when executed in Eclipse. But if I try to run the jar file I created using Maven, I get an exception:

    RESTEASY003215: could not find writer for content-type application/x-www-form-urlencoded

I have explained everything in more detail here: https://stackoverflow.com/questions/52610464/java-keycloak-library-fails-in-jar-file

I hope you guys can help me. I have absolutely no idea what went wrong and it's driving me insane.
Best regards
Christian Leppelt

From craig at baseventure.com Mon Oct 8 11:04:23 2018
From: craig at baseventure.com (Craig Setera)
Date: Mon, 8 Oct 2018 10:04:23 -0500
Subject: [keycloak-user] Dynamically branded login?
In-Reply-To:
References: <1533011148.5207.30.camel@acutus.pro> <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com> <1533171048.2094.15.camel@acutus.pro>
Message-ID:

Following up on this conversation. I was unable to find a way to do this via the Freemarker templates unfortunately. The templates are not receiving anything useful in determining the full path and query parameters. The only approach that I've found to do what I need is to add a small Javascript snippet to my theme that is able to look at the query parameters and insert a new stylesheet reference into the code based on a query parameter. Ugly, but seems effective assuming I can get my query parameter set in all of the URLs that matter.

=================================
*Craig Setera*
*Chief Technology Officer*

On Wed, Aug 29, 2018 at 9:36 AM Craig Setera wrote:

> Dmitry,
>
> I've put Keycloak on the back burner for the moment. I do intend to pick it back up toward the end of the year and I expect I will be digging into this heavily. If I figure anything out, I will be sure to report back.
>
> Craig
>
> =================================
> *Craig Setera*
> *Chief Technology Officer*
> *415-324-5861**craig at baseventure.com *
>
> On Wed, Aug 1, 2018 at 7:50 PM Dmitry Telegin
wrote:
>
>> Craig, Will,
>>
>> Sorry for having fooled you :-\ turns out that the ${url} object is actually not what it seems.
>>
>> I'd suggest the following trick. Could someone please try dumping all the available FTL variables using the below approach?
>>
>> https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-dumper-script-for-liferay-7
>>
>> This is for Liferay, but I hope it works with Keycloak FTLs without any major modifications. So hopefully we can fish something useful out of there.
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info at acutus.pro
>>
>> On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote:
>> > Hi Dmitry,
>> >
>> > I have a use case for this same need: conditionally rendering a block of HTML in the login.ftl based on the value of a query string param.
>> >
>> > I have a question with more details here:
>> > https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158
>> >
>> > I attempted to use ${url} as you suggested, however it does not have a public method that provides the request url :(
>> >
>> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java
>> >
>> > Am I missing something? Or is there any other way to access the login request url in login.ftl?
>> >
>> > Thanks, Will
>> >
>> > > > > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin
>> wrote:
>> > >
>> > > Hi Craig, sorry for late response,
>> > >
>> > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
>> > > > We build and host a multitenant application that is currently using homegrown authentication and authorization (using Picketlink). We are considering a move to Keycloak. My preference would be to use the login flows that are built in to Keycloak rather than building our own, however that is dependent on whether we can properly brand those login flows on a per-customer basis in some dynamic way.
>> > >
>> > > In Keycloak parlance, the term "login flow" has a very particular meaning. Basically, it's what you see in the Authentication section in the Admin Console. It defines how authentication *works* rather than how it *looks* (i.e. logic rather than appearance).
>> > >
>> > > Do you really mean "login flows"? From the second part of your message I can deduce you're mainly interested in customizing the GUI.
>> > >
>> > > > In looking at the theme SPI support, it appears to be mostly targeted to supporting multiple "static" themes. Is it possible to make a theme that is dynamic based on, for example, a query parameter?
>> > >
>> > > By default, Keycloak uses FreeMarker templates for login screens. In the templates, the URL object is exposed as ${url}, so you can analyze it and add conditional statements. If you're ok with that, probably you won't need to implement any SPIs.
>> > >
>> > > Otherwise, you can either implement custom theme selection logic based on request parameters (Theme Selector SPI), or completely redefine theming mechanism (Theme SPI).
>> > >
>> > > > Are there any
>> > > > examples anywhere on how that might be possible?
>> > >
>> > > Well, builtin Keycloak themes are the best example IMO :) you can find the default login theme under themes/src/main/resources/theme/base/login in the source tree.
>> > >
>> > > > Would Keycloak carry through query parameters if they were provided when launching the login flow?
>> > >
>> > > It's best to create a custom theme and see :)
>> > >
>> > > Good luck!
>> > > Dmitry Telegin
>> > > CTO, Acutus s.r.o.
>> > > Keycloak Consulting and Training
>> > >
>> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> > > +42 (022) 888-30-71
>> > > E-mail: info at acutus.pro
>> > >
>> > > > Thanks,
>> > > > Craig
>> > > > _______________________________________________
>> > > > keycloak-user mailing list
>> > > > keycloak-user at lists.jboss.org
>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >

From warrior7089 at gmail.com Tue Oct 9 07:06:38 2018
From: warrior7089 at gmail.com (Roman O)
Date: Tue, 9 Oct 2018 14:06:38 +0300
Subject: [keycloak-user] redirect based authentication flow in secured by keycloak node.js app behind application gateway
Message-ID:

I'm getting access denied errors in secured node.js app which is an official keycloak example app. Secured app was dockerized and put behind application gateway which is itself dockerized. The application gateway is node.js express application which uses http/https packages and routes incoming traffic to node.js secured app. So, to access app url mapped urls were added to the gateway:

mappings:
- /:/
- /login:/login
- /logout:/logout
- /protected/resource:/protected/resource

Gateway does ssl offloading. Keycloak was dockerized too and its */auth* endpoint was mapped inside the gateway.
The app code is below:

    var Keycloak = require('keycloak-nodejs-connect');
    var hogan = require('hogan-express');
    var express = require('express');
    var session = require('express-session');

    var app = express();

    var server = app.listen(3005, function () {
      var host = server.address().address;
      var port = server.address().port;
      console.log('Example app listening at http://%s:%s', host, port);
    });

    app.set('view engine', 'html');
    app.set('views', require('path').join(__dirname, '/view'));
    app.engine('html', hogan);
    app.enable('trust proxy'); // the app sits behind the TLS-offloading gateway

    // One session middleware registration with one store is enough; the
    // Keycloak adapter below is handed the same store.
    var memoryStore = new session.MemoryStore();
    app.use(session({
      secret: 'mySecret',
      resave: false,
      saveUninitialized: true,
      store: memoryStore
    }));

    app.get('/', function (req, res) {
      res.render('index');
    });

    // Additional configuration is read from keycloak.json file
    // installed from the Keycloak web console.
    var keycloak = new Keycloak({ store: memoryStore });

    app.use(keycloak.middleware({
      logout: '/logout',
      admin: '/',
      protected: '/protected/resource'
    }));

    app.get('/login', keycloak.protect(), function (req, res) {
      res.render('index', {
        result: JSON.stringify(JSON.parse(req.session['keycloak-token']), null, 4),
        event: '1. Authentication\n2. Login'
      });
    });

    app.get('/protected/resource', keycloak.enforcer(['resource:view', 'resource:write'], {
      resource_server_id: 'nodejs-apiserver'
    }), function (req, res) {
      res.render('index', {
        result: JSON.stringify(JSON.parse(req.session['keycloak-token']), null, 4),
        event: '1. Access granted to Default Resource\n'
      });
    });

keycloak.json is:

    {
      "realm" : "nodejs-example",
      "realm-public-key" : "[public_key]",
      "auth-server-url" : "https://[https://[gateway_url]]/auth",
      "ssl-required" : "none",
      "resource" : "nodejs-connect",
      "public-client" : true
    }

When https://[gateway_url]/ is accessed in the browser, KeyCloak redirects to login ui, user/password is entered in the login ui and after that access denied error is seen in the browser. Below error is popped in the app logs:

    Could not obtain grant code error: { Error: self signed certificate in certificate chain

So basically the app fails to exchange authorization code for access token.

What I tried:

1) Accessing Keycloak token endpoint with curl as follows succeeds (Access/Refresh token is returned):

    curl -k --key [keypath] --cert [certpath:passphrase] -d "grant_type=authorization_code&client_id=nodejs-connect&redirect_uri=https://[gw_url]/login?auth_callback=1&client_session_state=[client_state]&code=[authz_code]

2) changing "auth-server-url" to "https://[gateway_url]:8080/auth" in keycloak.json helped too. Access token is returned. 8080 is published port of Keycloak docker container.

So, I guess the issue is that node.js adapter in the app doesn't present ssl certificate to gateway when it wants to replace the authz code with access token. So I tried to change auth-server-url to relative /auth. However

    Could not obtain grant code error: { Error: connect ECONNREFUSED 127.0.0.1:80

is popped inside the logs of the app. How to configure keycloak node.js adapter correctly to secure services behind the application gateway?

From warrior7089 at gmail.com Tue Oct 9 07:08:27 2018
From: warrior7089 at gmail.com (Roman O)
Date: Tue, 9 Oct 2018 14:08:27 +0300
Subject: [keycloak-user] How to specify refresh tokens lifespan in Keycloak
Message-ID:

Keycloak refresh token lifetime is 1800 seconds:

    "refresh_expires_in": 1800

How to specify different default expiry time?
In Keycloak admin ui, only access token lifespan can be specified.

From warrior7089 at gmail.com Tue Oct 9 07:09:02 2018
From: warrior7089 at gmail.com (Roman O)
Date: Tue, 9 Oct 2018 14:09:02 +0300
Subject: [keycloak-user] redirect based authentication flow in secured by keycloak node.js app behind application gateway
Message-ID:

(duplicate posting; text identical to the 14:06:38 message above)

From adesbiaux at vente-privee.com Tue Oct 9 07:25:53 2018
From: adesbiaux at vente-privee.com (Adrien DESBIAUX)
Date: Tue, 9 Oct 2018 11:25:53 +0000
Subject: [keycloak-user] Custom Account/Login Theme manual OTP issue - totp.policy.getAlgorithmKey()
Message-ID:

Hi everyone,

I am facing an issue with custom Account and login theme.
I am not sure if I am doing something wrong or if there is an actual "bug".

The issue is about the OTP manual setting. When running in a custom theme (copy paste of Base Account or Login themes), as stated in the documentation: https://www.keycloak.org/docs/3.4/server_development/index.html#creating-a-theme it sounds like `totp.policy.getAlgorithmKey()` for example is not found. Same in the Login theme that reuses the OTP setup.

An example of error trace:

keycloak_1 | 11:13:24,178 ERROR [freemarker.runtime] (default task-20) Error executing FreeMarker template: freemarker.core.InvalidReferenceException: The following has evaluated to null or missing:
keycloak_1 | ==> totp.policy.getAlgorithmKey [in template "login-config-totp.ftl" at line 37, column 74]
keycloak_1 |
keycloak_1 | ----
keycloak_1 | Tip: It's the step after the last dot that caused this error, not those before it.
keycloak_1 | ----
keycloak_1 | Tip: If the failing expression is known to be legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDefault, or use <#if myOptionalVar??>when-present<#else>when-missing. (These only cover the last step of the expression; to cover the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
keycloak_1 | ----
keycloak_1 |
keycloak_1 | ----
keycloak_1 | FTL stack trace ("~" means nesting-related):
keycloak_1 | - Failed at: ${totp.policy.getAlgorithmKey()} [in template "login-config-totp.ftl" at line 37, column 72]
keycloak_1 | ~ Reached through: #nested "form" [in template "template.ftl" in macro "registrationLayout" at line 60, column 17]
keycloak_1 | ~ Reached through: @layout.registrationLayout displayInf...
[in template "login-config-totp.ftl" at line 2, column 1]

The issue is easily reproducible by:
- Copy paste theme/base/login or theme/base/account to the custom theme folder
- Force OTP for users
- On OTP setup page choose "manual mode"
- The server will throw a 500 error

What can be done to overcome that issue? I don't have any ideas at the moment on how to work around it.

Cheers,

From sidney.beekhoven at info.nl Tue Oct 9 07:30:39 2018
From: sidney.beekhoven at info.nl (Sidney Beekhoven)
Date: Tue, 9 Oct 2018 11:30:39 +0000
Subject: [keycloak-user] LDAP user federation with AD range retrieval
Message-ID: <043E0808-92C9-4016-80E8-AD2117C786CD@info.nl>

Hello,

We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this:

Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
    at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
    at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
    at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
    at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
    at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
    at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
    ...
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)

After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval. When I look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role.

For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil for more info about this.

The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so I will create a jira ticket for that.

Did anyone else maybe run into this issue, and if so had another solution for it?
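The range-retrieval mechanism Sidney describes, worked through as an added example that is neither Keycloak's code nor from the post: Active Directory answers a request for a multi-valued attribute that exceeds MaxValRange (1500 by default) with a ranged attribute name such as `member;range=0-1499`, and the client has to keep asking for `member;range=<next>-*` until the server marks the final chunk with `*` as the upper bound. The `search` hook, the in-memory directory with a 3200-member group and the DN values are constructed for the demo; a real client would issue LDAP searches for the same attribute names.

```javascript
// Added example (not Keycloak code): Active Directory range retrieval on the client side.

// Parses "attr;range=LOW-HIGH" into its parts; returns null for a plain attribute name.
function parseRangeAttribute(name) {
  const m = /^([^;]+);range=(\d+)-(\d+|\*)$/i.exec(name);
  if (!m) return null;
  return {
    attr: m[1],
    low: Number(m[2]),
    high: m[3] === '*' ? null : Number(m[3]),
    isLast: m[3] === '*', // "*" as the upper bound marks the final chunk
  };
}

// Strips a ";range=..." suffix: the name to use when *writing* the attribute back.
function baseAttributeName(name) {
  const r = parseRangeAttribute(name);
  return r ? r.attr : name;
}

// Finds the (possibly ranged) copy of `attr` in one search result entry.
function findRangedAttribute(entry, attr) {
  for (const name of Object.keys(entry)) {
    if (baseAttributeName(name).toLowerCase() === attr.toLowerCase()) {
      return { name, values: entry[name], range: parseRangeAttribute(name) };
    }
  }
  return null;
}

// Collects every value of `attr` on `dn`. `search(dn, requestedAttr)` is a hypothetical
// hook standing in for an LDAP search that returns the entry as { attrName: [values] }.
function collectAllValues(search, dn, attr, maxRounds = 1000) {
  const values = [];
  let requested = attr;
  for (let i = 0; i < maxRounds; i++) {
    const found = findRangedAttribute(search(dn, requested), attr);
    if (!found) return values;                         // attribute absent or empty
    values.push(...found.values);
    if (!found.range || found.range.isLast) return values;
    requested = `${attr};range=${found.range.high + 1}-*`; // ask for the next chunk
  }
  throw new Error(`range retrieval for ${attr} on ${dn} did not terminate`);
}

// Constructed fake directory: one group whose member list is served in MaxValRange-sized chunks.
function makeFakeAdSearch(totalMembers, maxValRange = 1500) {
  const members = Array.from({ length: totalMembers },
    (_, i) => `CN=user${i},OU=Users,DC=example,DC=com`);
  return function search(dn, requestedAttr) {
    const r = parseRangeAttribute(requestedAttr);
    if (!r && totalMembers <= maxValRange) return { dn, member: members }; // small group: no ranging
    const low = r ? r.low : 0;
    const high = Math.min(low + maxValRange - 1, totalMembers - 1);
    const isLast = high === totalMembers - 1;
    return { dn, [`member;range=${low}-${isLast ? '*' : high}`]: members.slice(low, high + 1) };
  };
}

// Stand-alone demo: 3200 members come back in three rounds (0-1499, 1500-2999, 3000-*).
const demoSearch = makeFakeAdSearch(3200);
console.log(collectAllValues(demoSearch, 'CN=big-group,OU=Roles,DC=example,DC=com', 'member').length);
```

The write side is where the thread's exception comes from: if a client stores the attribute under the ranged name it received and later sends that name back in a modify request, the server rejects it as an unknown attribute, which is the `NoSuchAttributeException` above. Modifications must go to the base name (`baseAttributeName` here, i.e. `member`) and add only the new value, which works regardless of how many members the group already has. Raising MaxValRange, as Sidney did, only moves the threshold at which ranging starts.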
Kind regards,
Sidney Beekhoven

From l.lech at ringler.ch Tue Oct 9 10:21:25 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Tue, 9 Oct 2018 14:21:25 +0000
Subject: [keycloak-user] Custom SPI (emailSender) working under Windows, not working in docker image
Message-ID: <5E48B917000C984B86B77170F441903A11D8FE42@exch.ringler.ch>

Hello,

I've created my own version of emailService, deployed it via copying into standalone/deployments and added section in standalone.xml:

multipart

Under both Windows and docker I get the warning that I'm implementing internal API, and confirmation that module was deployed.

Under Windows: in server-info I see now only my implementation of emailSender, sending emails goes through my sender.

In Docker image, I see BOTH default provider (default) and my own (emailSender), and sending email causes NullPointerException when FreeMarker tries to use the sender:

    protected void send(Map config, String subject, String textBody, String htmlBody) throws EmailException {
        EmailSenderProvider emailSender = session.getProvider(EmailSenderProvider.class);
        emailSender.send(config, user, subject, textBody, htmlBody);
    }

In both cases, I'm using keycloak 4.5.0.Final and JDK 8. I don't see any other errors or warnings in log.

What could have gone wrong in docker image? Why does keycloak behave differently in the two cases, and why didn't switching the SPI implementation work in the dockerized version?

Best regards,
Lukasz Lech

From uo67113 at gmail.com Tue Oct 9 11:40:37 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Tue, 9 Oct 2018 17:40:37 +0200
Subject: [keycloak-user] Keycloak SAML tomcat adapter and correct log-out
In-Reply-To:
References:
Message-ID:

Hello Leonid,

Sorry for being so late to the GLO party...

For me the keycloak global logout works, except for the "tiny little detail" that keycloak fails verifying my IdP signature response, you can have a look here [1]. Apart from [2] there is no other documentation.

For me setting validateResponseSignature="false" in SingleLogoutService works. However I would like to make it work with the signature verification. Did you manage to make it fully working on your side?

Cheers,

Luis

[1] http://lists.jboss.org/pipermail/keycloak-user/2018-September/015420.html
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2

On Mon, 21 May 2018 at 11:51, Leonid Rozenblyum () wrote:

> Hello!
>
> I'm using a keycloak tomcat SAML adapter and I have a question related to ?GLO=true way of logging-out (since Tomcat doesn't implement full JavaEE stack, request.logout() is not the way to go, right?).
>
> When I use GLO=true, my session inside the Keycloak is indeed invalidated however the local session in Tomcat is not.
>
> When I try session.invalidate() and then redirect to GLO=true, sometimes my protected page still can be loaded.
>
> Is there a robust documented way to do the logout with help of Keycloak SAML tomcat adapter?
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From wyllys.ingersoll at keepertech.com Tue Oct 9 16:11:32 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Tue, 9 Oct 2018 16:11:32 -0400
Subject: [keycloak-user] restricting user registration?
Message-ID:

Is it possible to configure user self-registration to a new realm such that only users with a specific token or link can register? We want to allow self-registration, but do not want it to be open-ended, but rather by invitation, where the invitation would be an email or some OOB mechanism that provides the user with a unique 1-time-only code to use to authorize their registration.

Is this possible?

Thanks,
Wyllys Ingersoll

From ratna at qualica.com Tue Oct 9 17:35:05 2018
From: ratna at qualica.com (Ratna Kamireddy)
Date: Tue, 9 Oct 2018 23:35:05 +0200
Subject: [keycloak-user] is Entitlement API deprecated
Message-ID:

Hi folks,

Thanks for accepting my request. Here is my first question.

We were looking at entitlement API documentation and by mistake we started looking at Entitlement API documentation in 3.3 and tried to test below API
http://localhost:8081/auth/realms/development/authz/entitlement/masterdata
or

GET /auth/realms/development/authz/entitlement/masterdata HTTP/1.1
Host: localhost
Content-Type: application/json
cache-control: no-cache
Postman-Token: 0dd585f5-f2e5-447a-99a9-3e7281856b6a

We are getting a 404 exception; after a while I found that we were looking at 3.3, checked the latest docs and found that there is no Entitlement API, but I see it in the architecture diagram.

Please let me know what I am missing here.

Regards
Ratna

From psilva at redhat.com Tue Oct 9 17:47:22 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 9 Oct 2018 18:47:22 -0300
Subject: [keycloak-user] is Entitlement API deprecated
In-Reply-To:
References:
Message-ID:

Yeah, it does not exist anymore. We have a JIRA [1] to fix that in docs.

[1] https://issues.jboss.org/browse/KEYCLOAK-8353

Regards.
Pedro Igor

On Tue, Oct 9, 2018 at 6:41 PM Ratna Kamireddy wrote:

> Hi folks,
>
> Thanks for accepting my request. Here is my first question.
>
> We were looking at entitlement API documentation and by mistake we started looking at Entitlement API documentation in 3.3 and tried to test below API
> http://localhost:8081/auth/realms/development/authz/entitlement/masterdata
> or
> GET /auth/realms/development/authz/entitlement/masterdata HTTP/1.1
> Host: localhost
> Content-Type: application/json
> cache-control: no-cache
> Postman-Token: 0dd585f5-f2e5-447a-99a9-3e7281856b6a
>
> We are getting a 404 exception; after a while I found that we were looking at 3.3, checked the latest docs and found that there is no Entitlement API, but I see it in the architecture diagram.
>
> Please let me know what I am missing here.
>
> Regards
> Ratna
>

From victor.bail at gmail.com Tue Oct 9 18:23:25 2018
From: victor.bail at gmail.com (Victor Bail)
Date: Wed, 10 Oct 2018 08:53:25 +1030
Subject: [keycloak-user] Keycloak as an LDAP server
Message-ID:

Hi all,

I wanted to know if Keycloak can act as an LDAP server. I mean, after syncing Keycloak with an LDAP server, will we be able to query keycloak in the same way as we query an LDAP server?

Can I configure keycloak as an LDAP server in a remote device? For example, with a printer so the printer can sync all users with keycloak and sync once per day to keep the users updated?

Thanks!

Victor.

From sthorger at redhat.com Wed Oct 10 02:11:51 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 Oct 2018 08:11:51 +0200
Subject: [keycloak-user] Keycloak as an LDAP server
In-Reply-To:
References:
Message-ID:

No, Keycloak is a web idp, not an LDAP server.

On Wed, 10 Oct 2018, 00:32 Victor Bail, wrote:

> Hi all,
>
> I wanted to know if Keycloak can act as an LDAP server. I mean, after syncing Keycloak with an LDAP server, will we be able to query keycloak in the same way as we query an LDAP server?
>
> Can I configure keycloak as an LDAP server in a remote device? For example, with a printer so the printer can sync all users with keycloak and sync once per day to keep the users updated?
>
> Thanks!
>
> Victor.
>

From kedar.budukh at ericsson.com Wed Oct 10 02:55:12 2018
From: kedar.budukh at ericsson.com (kedar.budukh at ericsson.com)
Date: Tue, 9 Oct 2018 23:55:12 -0700 (MST)
Subject: [keycloak-user] Scalability of Keycloak Access Mgmt system for Self-care users
Message-ID: <1539154512808-0.post@n6.nabble.com>

Hi,

I am currently evaluating Keycloak as an IdM and Access Management system. My client is a Telecom Service Provider and has a requirement to support Self-care users with an expected volume of 60 to 80 million users and approximately 2000 to 3000 login requests per second. I want to use Keycloak to Authenticate and Authorize (RBAC) end users using OpenID Connect.

I tried searching for information on Keycloak scalability and performance with a Relational DB or Directory Services; however, I did not find much information about it. The Keycloak documentation talks about the Clustering feature but the stats are not given.

Can someone please help me, as per your experience with Keycloak performance and scalability, to support Self-care users at a volume of 60 to 80 million? Also, kindly suggest if I should consider any other IdM and Access Management system with the above scalability requirement for my evaluation.
Thanks and Regards,
Kedar

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From testoauth55 at gmail.com Wed Oct 10 06:50:05 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Wed, 10 Oct 2018 16:20:05 +0530
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after sometime
In-Reply-To:
References:
Message-ID:

Anyone else faced this issue?

On Thu, Oct 4, 2018 at 9:50 AM Bruce Wings wrote:

> Yes. Please find below:
>
> 2018-10-04 09:48:43,985 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-3) Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token.
>     at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139)
>     at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68)
>     at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124)
>     at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:349)
>     at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:153)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1143)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
>     at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.NullPointerException
>     at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:121)
>     ... 65 more
>
> On Wed, Oct 3, 2018 at 5:48 PM Pedro Igor Silva wrote:
>
>> Do you have a stacktrace?
>>
>> On Wed, Oct 3, 2018 at 3:50 AM Bruce Wings wrote:
>>
>>> Has anyone else come across this issue?
>>>
>>> On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings wrote:
>>>
>>> > Steps:
>>> >
>>> > 1. After obtaining a token from keycloak, I am able to authenticate/authorize user with this token.
>>> > 2. After some time (15-20 minutes), I start receiving *"Failed to enforce policy decisions"*. If the same token was valid a few minutes before, shouldn't I get the "*token expired*" message instead of "*Failed to enforce policy decisions*"?
>>> >
>>> > My access token lifespan is set to 8 hours. Still I see this behavior after just 15-20 minutes. Attached image for token expiry settings:
>>> >
>>> > [image: image.png]
>>> >

From eb at tonik.pl Wed Oct 10 07:00:16 2018
From: eb at tonik.pl (Ernest Bursa)
Date: Wed, 10 Oct 2018 13:00:16 +0200
Subject: [keycloak-user] Keycloak docker issue (via k8s Helm install)
Message-ID:

Hi!

I tried to install Keycloak using the stable/keycloak Helm Chart with the official docker image tagged 4.4.0.Final; after running it I found the following error while starting up the docker container.

*/opt/jboss/docker-entrypoint.sh: No such file or directory*

I must note that with a previous version (4.3.0.Final) everything works as supposed.

Here are runtime configuration details for this Helm Chart https://github.com/helm/charts/blob/master/stable/keycloak/templates/statefulset.yaml#L58 if you would like to know.

Thanks for the great contribution to open source!

Ernest.
From Sebastian.Schuster at bosch-si.com Wed Oct 10 07:10:39 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS))
Date: Wed, 10 Oct 2018 11:10:39 +0000
Subject: [keycloak-user] Keycloak docker issue (via k8s Helm install)
In-Reply-To:
References:
Message-ID: <1782319f8bb24add83205f697d425bfd@bosch-si.com>

The docker-entrypoint.sh moved to /opt/jboss/tools/docker-entrypoint.sh in 4.4.0.Final

Best regards,
Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Court of registration: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ernest Bursa
Sent: Wednesday, 10 October 2018 13:00
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak docker issue (via k8s Helm install)

Hi!

I tried to install Keycloak using the stable/keycloak Helm Chart with the official docker image tagged 4.4.0.Final; after running it I found the following error while starting up the docker container.

*/opt/jboss/docker-entrypoint.sh: No such file or directory*

I must note that with a previous version (4.3.0.Final) everything works as supposed.

Here are runtime configuration details for this Helm Chart https://github.com/helm/charts/blob/master/stable/keycloak/templates/statefulset.yaml#L58 if you would like to know.

Thanks for the great contribution to open source!

Ernest.

From eb at tonik.pl Wed Oct 10 07:34:04 2018
From: eb at tonik.pl (Ernest Bursa)
Date: Wed, 10 Oct 2018 13:34:04 +0200
Subject: [keycloak-user] Keycloak docker issue (via k8s Helm install)
In-Reply-To: <1782319f8bb24add83205f697d425bfd@bosch-si.com>
References: <1782319f8bb24add83205f697d425bfd@bosch-si.com>
Message-ID:

Thanks! I reported the issue for the helm chart version update https://github.com/helm/charts/issues/8326 .

From eb at tonik.pl Wed Oct 10 07:55:32 2018
From: eb at tonik.pl (Ernest Bursa)
Date: Wed, 10 Oct 2018 13:55:32 +0200
Subject: [keycloak-user] Keycloak docker issue (via k8s Helm install)
In-Reply-To:
References: <1782319f8bb24add83205f697d425bfd@bosch-si.com>
Message-ID:

I submitted a PR for the issue mentioned above https://github.com/helm/charts/pull/8331; if we have any helm charts developer here it would be great to look at these changes :).

From psilva at redhat.com Wed Oct 10 08:46:13 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 10 Oct 2018 09:46:13 -0300
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after sometime
In-Reply-To:
References:
Message-ID:

What does your authorization request look like? It seems you are sending the ID Token as the claim_token parameter?

On Wed, Oct 10, 2018 at 7:50 AM Bruce Wings wrote:

> Anyone else faced this issue?
>
> On Thu, Oct 4, 2018 at 9:50 AM Bruce Wings wrote:
>
>> Yes. Please find below:
>>
>> 2018-10-04 09:48:43,985 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-3) Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token.
>>     at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139)
>>     at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68)
>>     at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124)
>>     at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:349)
>>     at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:153)
>>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1143)
>>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
>> Caused by: java.lang.NullPointerException
>>     at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:121)
>>     ... 65 more

From David.Erie at datapath.com Wed Oct 10 10:34:09 2018
From: David.Erie at datapath.com (David Erie (US))
Date: Wed, 10 Oct 2018 14:34:09 +0000
Subject: [keycloak-user] invalid_code error when using openidconnect.net to test auth code flow
Message-ID:

Hello,

I am using https://openidconnect.net to test out the authorization code flow on my Keycloak installation, but I am always getting this error in the log and no token in the response:

type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=..., error=invalid_code

Here's an example of the request:

POST http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token
grant_type=authorization_code
&client_id=oidc-playground
&client_secret=19709e24-cac8-4ece-8b03-0a40e5c0c765
&redirect_url=https://openidconnect.net/callback
&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..w7Pc9yB_htF5F2_cgqDtZA.Ru7B5B-MgYT6mbGy8ykT2dyFVPRSj11HvgJV6rrFownvVUjKYQ90FaiU17rCxpREWC-znDyhzsz4gV7thmz2okswrIUezzgCtzzRqiXo8EidSFZk51qrs1C7UiYklQjMdqyt0qcDRtuhv6eV8YE-t31l3eeuMmKKrT6ikGy_HazJpoOamGyKbGQBGqaJoi8-dNmTVORC7mVHcvX7IEECA0RaSY-gAoNEFPy4ViaGX0JvHGUjUByFsOrQHUea9Fgm.TZbp9Kkt8IEB_JrOALBCYg

Any help would be appreciated.
Thanks, Dave From ratna at qualica.com Wed Oct 10 10:43:54 2018 From: ratna at qualica.com (Ratna Kamireddy) Date: Wed, 10 Oct 2018 16:43:54 +0200 Subject: [keycloak-user] invalid_code error when using openidconnect.net to test auth code flow In-Reply-To: References: Message-ID: Well we got it working so I might help to sort out the issue. But more information would help to solve the problem like client setup etc Regards Ratna On Wed, 10 Oct 2018 at 16:35, David Erie (US) wrote: > Hello, > I am using https://openidconnect.net to test out the authorization code > flow on my Keycloak installation, but I am always getting this error in the > log and no token in the response: > > type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, > ipAddress=..., error=invalid_code > > Here's an example of the request: > > POST > http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token > grant_type=authorization_code > > &client_id=oidc-playground > &client_secret=19709e24-cac8-4ece-8b03-0a40e5c0c765 > &redirect_url=https://openidconnect.net/callback > > &code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..w7Pc9yB_htF5F2_cgqDtZA.Ru7B5B-MgYT6mbGy8ykT2dyFVPRSj11HvgJV6rrFownvVUjKYQ90FaiU17rCxpREWC-znDyhzsz4gV7thmz2okswrIUezzgCtzzRqiXo8EidSFZk51qrs1C7UiYklQjMdqyt0qcDRtuhv6eV8YE-t31l3eeuMmKKrT6ikGy_HazJpoOamGyKbGQBGqaJoi8-dNmTVORC7mVHcvX7IEECA0RaSY-gAoNEFPy4ViaGX0JvHGUjUByFsOrQHUea9Fgm.TZbp9Kkt8IEB_JrOALBCYg > > Any help would be appreciated. > > Thanks, > Dave > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From David.Erie at datapath.com Wed Oct 10 10:55:23 2018 From: David.Erie at datapath.com (David Erie (US)) Date: Wed, 10 Oct 2018 14:55:23 +0000 Subject: [keycloak-user] invalid_code error when using openidconnect.net to test auth code flow In-Reply-To: References: Message-ID: Hi Ratna, Thanks for helping. 
Here is an export of my client setup in Keycloak:

{
  "id": "0ea6f92b-1157-4662-9752-9c502feaf74c",
  "clientId": "oidc-playground",
  "name": "OpenID Connect Playground",
  "description": "Use with https://openidconnect.net to test",
  "rootUrl": "https://openidconnect.net",
  "baseUrl": "/callback",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "secret": "**********",
  "redirectUris": [ "/callback" ],
  "webOrigins": [ "*" ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "exclude.session.state.from.auth.response": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "id": "5bd43ddf-b7be-4147-bdac-bd1b8e1deacf",
      "name": "Client IP Address",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientAddress",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientAddress",
        "jsonType.label": "String"
      }
    },
    {
      "id": "8880a28d-8a8c-4090-9192-faccff12bbb6",
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientId",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientId",
        "jsonType.label": "String"
      }
    },
    {
      "id": "caf8a3cd-d16e-4484-9b75-ad5d8171bacc",
      "name": "Client Host",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientHost",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientHost",
        "jsonType.label": "String"
      }
    }
  ],
  "defaultClientScopes": [ "role_list", "profile", "email" ],
  "optionalClientScopes": [ "address", "phone", "offline_access" ]
}

And here is my setup on openidconnect.net:

{
  "currentStep": 2,
  "server": "custom",
  "domain": "http://myserver:8447/auth/realms/myrealm/.well-known/openid-configuration",
  "authEndpoint": "http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/auth",
  "tokenEndpoint": "http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token",
  "scopes": "openid",
  "stateToken": "fb366344d63b687945d9954771a3775ac5d2a81a",
  "redirectURI": "https://openidconnect.net/callback",
  "clientID": "oidc-playground",
  "clientSecret": "19709e24-cac8-4ece-8b03-0a40e5c0c765",
  "authCode": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.._-2Ecj5Eu3nOnRbFoZazOQ.qZk8ZcqYv1oyuMQrlKbn85JQnR5c-XtbLXtXA6KtEiwW91SwxrBZryg5i7yktIW2c2tJUbKwGUsi7PXXMZN5XPHEWWLf732sEzZyf5_VjhbLRDL05fkoGxYXM3sHKSjZsLrADNgYNXJiQ57JlCKRe4jHTlxUMTXFYBaQQfv750-EmUqLMuEq7DCM8h6a7DTmHaehEL81cBDscKx3Yd9SVACFvqo6-QhovE3AXCU3et_BYWc7rAvJS-qfiPrAwK-b.4Yz5RZTeXoGqYAAQkS31Pg",
  "idTokenHeader": "",
  "configurationModalOpen": true,
  "validated": false,
  "exchangeResult": "",
  "discoveryURL": "http://myserver:8447/auth/realms/myrealm/.well-known/openid-configuration",
  "tokenKeysEndpoint": "",
  "userInfoEndpoint": "https://samples.auth0.com/userinfo"
}

Thanks,
Dave

From: Ratna Kamireddy
Sent: Wednesday, October 10, 2018 10:44 AM
To: David Erie (US)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] invalid_code error when using openidconnect.net to test auth code flow

Well, we got it working, so I might be able to help sort out the issue. But more information would help to solve the problem, like the client setup etc.

Regards
Ratna

On Wed, 10 Oct 2018 at 16:35, David Erie (US) wrote:

Hello,

I am using https://openidconnect.net to test out the authorization code flow on my Keycloak installation, but I am always getting this error in the log and no token in the response:

type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=..., error=invalid_code

Here's an example of the request:

POST http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token
grant_type=authorization_code
&client_id=oidc-playground
&client_secret=19709e24-cac8-4ece-8b03-0a40e5c0c765
&redirect_url=https://openidconnect.net/callback
&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..w7Pc9yB_htF5F2_cgqDtZA.Ru7B5B-MgYT6mbGy8ykT2dyFVPRSj11HvgJV6rrFownvVUjKYQ90FaiU17rCxpREWC-znDyhzsz4gV7thmz2okswrIUezzgCtzzRqiXo8EidSFZk51qrs1C7UiYklQjMdqyt0qcDRtuhv6eV8YE-t31l3eeuMmKKrT6ikGy_HazJpoOamGyKbGQBGqaJoi8-dNmTVORC7mVHcvX7IEECA0RaSY-gAoNEFPy4ViaGX0JvHGUjUByFsOrQHUea9Fgm.TZbp9Kkt8IEB_JrOALBCYg

Any help would be appreciated.

Thanks,
Dave

From schissdraeck at rmm.li Wed Oct 10 10:59:46 2018
From: schissdraeck at rmm.li (Michael Meier)
Date: Wed, 10 Oct 2018 09:59:46 -0500
Subject: [keycloak-user] Is it possible to update a Password using SAML
Message-ID: <10fa414a-818e-8936-88df-c60c77d7e86b@rmm.li>

Hi all

Maybe it's a stupid question, and that's maybe the reason I couldn't find an answer for it on the internet. But is it possible that a service provider (in my case Nextcloud) uses the SAML protocol to update the current user's password on the IdP (Keycloak)? If yes, does Keycloak support that?
Thanks a lot for the information

Michael Meier

From testoauth55 at gmail.com Wed Oct 10 11:30:25 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Wed, 10 Oct 2018 21:00:25 +0530
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after some time
In-Reply-To:
References:
Message-ID:

As mentioned earlier,

1. After obtaining a token from keycloak, I am able to authenticate/authorize the user with this token.
2. After some time (15-20 minutes), I start receiving *"Failed to enforce policy decisions"*. If the same token was valid a few minutes before, shouldn't I get the "*token expired*" message instead of "*Failed to enforce policy decisions*"?

On Wed, Oct 10, 2018 at 6:16 PM Pedro Igor Silva wrote:

> What does your authorization request look like? It seems you are sending the
> ID Token as claim_token parameter?
>
> On Wed, Oct 10, 2018 at 7:50 AM Bruce Wings wrote:
>
>> Anyone else faced this issue?
>>
>> On Thu, Oct 4, 2018 at 9:50 AM Bruce Wings wrote:
>>
>>> Yes. Please find below:
>>>
>>> 2018-10-04 09:48:43,985 ERROR
>>> [org.keycloak.authorization.authorization.AuthorizationTokenService]
>>> (default task-3) Unexpected error while evaluating permissions:
>>> java.lang.RuntimeException: Error while reading attributes from security
>>> token.
>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139)
>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68)
>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124)
>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:349)
>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:153)
>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1143)
>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
>>> at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.lang.NullPointerException
>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:121)
>>> ... 65 more
>>>
>>>
>>> On Wed, Oct 3, 2018 at 5:48 PM Pedro Igor Silva wrote:
>>>
>>>> Do you have a stack trace?
>>>>
>>>> On Wed, Oct 3, 2018 at 3:50 AM Bruce Wings wrote:
>>>>
>>>>> Has anyone else come across this issue?
>>>>>
>>>>> On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings wrote:
>>>>>
>>>>> > Steps:
>>>>> >
>>>>> > 1. After obtaining a token from keycloak, I am able to
>>>>> > authenticate/authorize the user with this token.
>>>>> > 2. After some time (15-20 minutes), I start receiving *"Failed to
>>>>> > enforce policy decisions"*. If the same token was valid a few minutes before,
>>>>> > shouldn't I get the "*token expired*" message instead of "*Failed to
>>>>> > enforce policy decisions*"?
>>>>> >
>>>>> > My access token lifespan is set to 8 hours. Still I see this behavior
>>>>> > after just 15-20 minutes. Attached image for token expiry settings:
>>>>> >
>>>>> > [image: image.png]
>>>>> >
>>>>
>>>>

From z_88 at yahoo.com Wed Oct 10 11:39:13 2018
From: z_88 at yahoo.com (ZKX)
Date: Wed, 10 Oct 2018 15:39:13 +0000 (UTC)
Subject: [keycloak-user] keycloak 4.5 client integration with spring boot and spring security problem
In-Reply-To:
References: <499851086.4769611.1538668229109.ref@mail.yahoo.com> <499851086.4769611.1538668229109@mail.yahoo.com>
Message-ID: <756894295.238161.1539185953866@mail.yahoo.com>

Just found I forgot to cc the mailing list the reply below:

---------------------------------------------

Thanks Pedro. Somehow I missed that thread. Could you please share more details about the SimpleKeycloakSpringBootConfigResolver mentioned in https://issues.jboss.org/browse/KEYCLOAK-8444? I tried something like:

    import org.keycloak.adapters.KeycloakConfigResolver;
    import org.keycloak.adapters.KeycloakDeployment;
    import org.keycloak.adapters.KeycloakDeploymentBuilder;
    import org.keycloak.adapters.spi.HttpFacade;

    public class SimpleKeycloakSpringBootConfigResolver implements KeycloakConfigResolver {
        ...

        @Override
        public KeycloakDeployment resolve(HttpFacade.Request request) {
            if (keycloakProperties != null) {
                // build the adapter deployment from the injected keycloak.* properties
                return KeycloakDeploymentBuilder.build(keycloakProperties);
            } else {
                return null;
            }
        }
    }

But I still get the "Requested bean is currently in creation" error.

Thanks.

On Thursday, October 4, 2018 2:45 PM, Pedro Igor Silva wrote:

Hi,

Please, see http://lists.jboss.org/pipermail/keycloak-user/2018-September/015688.html. I'm working on a fix right now.

Regards.
Pedro Igor

On Thu, Oct 4, 2018 at 1:43 PM ZKX wrote:

We are doing a POC with a spring boot/security project with keycloak. Initially we only had keycloak-spring-boot-starter without direct reference to spring security. It is very straightforward with just setting the keycloak properties in the application.properties file. Later on we needed to use @PreAuthorize("hasRole('admin')") to enforce security checks on some services; therefore, we added the spring security library with additional security configuration, as mentioned in the keycloak document. Mostly as described in this tutorial: https://www.baeldung.com/spring-boot-keycloak

Everything works fine with keycloak 4.3/4.4; we still can use the keycloak config in the application.properties file together with spring security, since we had the following code in our spring boot configuration:

    @Bean
    public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

However, recently we upgraded our spring boot keycloak starter to 4.5, and our application failed to start with the following error:

Error creating bean with name 'KeycloakSpringBootConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?

Just wondering how to resolve this? Has anyone used spring boot with spring security together with keycloak starter 4.5 successfully?
Thanks,
Kevin

From psilva at redhat.com Wed Oct 10 13:03:33 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 10 Oct 2018 14:03:33 -0300
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after some time
In-Reply-To:
References:
Message-ID:

You are right, I'm going to fix that message.

I could not reproduce this error, but I'm probably missing something. Are you using offline tokens? Could you show what your authorization request looks like?

On Wed, Oct 10, 2018 at 12:31 PM Bruce Wings wrote:

> As mentioned earlier,
>
> 1. After obtaining a token from keycloak, I am able to
> authenticate/authorize the user with this token.
> 2. After some time (15-20 minutes), I start receiving *"Failed to enforce
> policy decisions"*. If the same token was valid a few minutes before,
> shouldn't I get the "*token expired*" message instead of "*Failed to
> enforce policy decisions*"?
>
> On Wed, Oct 10, 2018 at 6:16 PM Pedro Igor Silva wrote:
>
>> What does your authorization request look like? It seems you are sending the
>> ID Token as claim_token parameter?
>>
>> On Wed, Oct 10, 2018 at 7:50 AM Bruce Wings wrote:
>>
>>> Anyone else faced this issue?
>>>
>>> On Thu, Oct 4, 2018 at 9:50 AM Bruce Wings wrote:
>>>
>>>> Yes. Please find below:
>>>>
>>>> 2018-10-04 09:48:43,985 ERROR
>>>> [org.keycloak.authorization.authorization.AuthorizationTokenService]
>>>> (default task-3) Unexpected error while evaluating permissions:
>>>> java.lang.RuntimeException: Error while reading attributes from security
>>>> token.
>>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139)
>>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68)
>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124)
>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:349)
>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:153)
>>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1143)
>>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
>>>> at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>> at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: java.lang.NullPointerException
>>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:121)
>>>> ... 65 more
>>>>
>>>>
>>>> On Wed, Oct 3, 2018 at 5:48 PM Pedro Igor Silva wrote:
>>>>
>>>>> Do you have a stack trace?
>>>>>
>>>>> On Wed, Oct 3, 2018 at 3:50 AM Bruce Wings wrote:
>>>>>
>>>>>> Has anyone else come across this issue?
>>>>>>
>>>>>> On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings wrote:
>>>>>>
>>>>>> > Steps:
>>>>>> >
>>>>>> > 1. After obtaining a token from keycloak, I am able to
>>>>>> > authenticate/authorize the user with this token.
>>>>>> > 2. After some time (15-20 minutes), I start receiving *"Failed to
>>>>>> > enforce policy decisions"*. If the same token was valid a few minutes
>>>>>> > before, shouldn't I get the "*token expired*" message instead of "*Failed to
>>>>>> > enforce policy decisions*"?
>>>>>> >
>>>>>> > My access token lifespan is set to 8 hours. Still I see this
>>>>>> > behavior after just 15-20 minutes. Attached image for token expiry settings:
>>>>>> >
>>>>>> > [image: image.png]
>>>>>> >
>>>>>
>>>>>

From fabio.ebner at lumera.com.br Wed Oct 10 15:49:54 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Wed, 10 Oct 2018 16:49:54 -0300
Subject: [keycloak-user] Helps
Message-ID:

Can someone help me to secure my project? I have one Spring Boot REST API (my backend) and one front-end in Vue.js.

So I want, when my user tries to access my app, for him to get a token from Keycloak and, with this token, access my REST API, and in my REST API I need to get the user's info (name, email, etc.).

Thanks

From testoauth55 at gmail.com Wed Oct 10 23:37:35 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 11 Oct 2018 09:07:35 +0530
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after some time
In-Reply-To:
References:
Message-ID:

I am using Postman to create the request. Attached is a screenshot of the request.

Basically, I am generating the token through KEYCLOAKINSTALLED.loginDesktop and sending the token in the Authorization: Bearer header to the Jetty adapter.

On Wed, Oct 10, 2018 at 10:33 PM Pedro Igor Silva wrote:

> You are right, I'm going to fix that message.
>
> I could not reproduce this error, but I'm probably missing something. Are
> you using offline tokens? Could you show what your authorization request
> looks like?
>
> On Wed, Oct 10, 2018 at 12:31 PM Bruce Wings wrote:
>
>> As mentioned earlier,
>>
>> 1. After obtaining a token from keycloak, I am able to
>> authenticate/authorize the user with this token.
>> 2. After some time (15-20 minutes), I start receiving *"Failed to enforce
>> policy decisions"*. If the same token was valid a few minutes before,
>> shouldn't I get the "*token expired*" message instead of "*Failed to
>> enforce policy decisions*"?
>>
>> On Wed, Oct 10, 2018 at 6:16 PM Pedro Igor Silva wrote:
>>
>>> What does your authorization request look like? It seems you are sending the
>>> ID Token as claim_token parameter?
>>>
>>> On Wed, Oct 10, 2018 at 7:50 AM Bruce Wings wrote:
>>>
>>>> Anyone else faced this issue?
>>>>
>>>> On Thu, Oct 4, 2018 at 9:50 AM Bruce Wings wrote:
>>>>
>>>>> Yes. Please find below:
>>>>>
>>>>> 2018-10-04 09:48:43,985 ERROR
>>>>> [org.keycloak.authorization.authorization.AuthorizationTokenService]
>>>>> (default task-3) Unexpected error while evaluating permissions:
>>>>> java.lang.RuntimeException: Error while reading attributes from security
>>>>> token.
>>>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139)
>>>>> at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68)
>>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124)
>>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:349)
>>>>> at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:153)
>>>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1143)
>>>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
>>>>> at sun.reflect.GeneratedMethodAccessor590.invoke(Unknown Source)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>> at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>>> at >>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>>> at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>>>> at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>>> at >>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>>> at >>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>>> at >>>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>>>> at >>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> at java.lang.Thread.run(Thread.java:748) >>>>> Caused by: java.lang.NullPointerException >>>>> at >>>>> org.keycloak.authorization.common.KeycloakIdentity.(KeycloakIdentity.java:121) >>>>> ... 65 more >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Oct 3, 2018 at 5:48 PM Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Do you have a stacktrace ? 
>>>>>> >>>>>> On Wed, Oct 3, 2018 at 3:50 AM Bruce Wings >>>>>> wrote: >>>>>> >>>>>>> Has anyone else come across this issue? >>>>>>> >>>>>>> On Fri, Sep 28, 2018 at 12:14 PM Bruce Wings >>>>>>> wrote: >>>>>>> >>>>>>> > Steps: >>>>>>> > >>>>>>> > 1. After obtaining a token from keycloak, I am able to >>>>>>> > authenticate/authorize user with this token. >>>>>>> > 2. After sometime(15-20 minutes), I start receiving *"Failed to >>>>>>> enforce >>>>>>> > policy decisions"*. If the same token was valid a few minutes >>>>>>> before, >>>>>>> > shouldn't I get the "*token expired*" message instead of "*Failed >>>>>>> to >>>>>>> > enforce policy decisions*"? >>>>>>> > >>>>>>> > My access token lifespan is set to 8 hours. Still I see this >>>>>>> behavior >>>>>>> > after just 15-20 minutes. Attached image for token expiry settings: >>>>>>> > >>>>>>> > >>>>>>> > [image: image.png] >>>>>>> > >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> -------------- next part -------------- A non-text attachment was scrubbed... Name: request.JPG Type: image/jpeg Size: 36703 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181011/7aef710c/attachment-0001.jpe From kedar.budukh at ericsson.com Thu Oct 11 00:42:07 2018 From: kedar.budukh at ericsson.com (kedar.budukh at ericsson.com) Date: Wed, 10 Oct 2018 21:42:07 -0700 (MST) Subject: [keycloak-user] Scalability of Keycloak Access Mgmt system for Self-care users Message-ID: <1539232927072-0.post@n6.nabble.com> Hi, I am currently evaluating Keycloak as one of IdM and Access Management system. My client is Telecom Service Provider and have a requirement to support the Self-care users with expected volume of 60 to 80 million users with approximately 2000 to 3000 login requests per second. 
I want to use Keycloak to Authenticate and Authorize (RBAC) end users using OpenID Connect. I tried searching for information on Keycloak scalability with Relational DB or LDAP Services and the performance, however, I did not find much information about the same. The Keycloak documentation talks about Clustering feature but the stats are not given. Can someone please help me as per your experience with Keycloak performance and scalability to support the Self-care users of 60 to 80 million volume? Also, kindly suggest if I should consider any other IdM and Access Management system with above requirement of scalability for my evaluation. Thanks and Regards, Kedar -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From tillcandc at gmail.com Thu Oct 11 03:21:05 2018 From: tillcandc at gmail.com (Nuanced Actor) Date: Thu, 11 Oct 2018 09:21:05 +0200 Subject: [keycloak-user] Using impersonation API to obtain token for public client Message-ID: Hi! I have webapp1 which has to authenticate against a legacy backend,and won't be integrated with Keycloak for the foreseeable future. So, upon successful authentication, i use the impersonate API to get an access token for the current user. Later on, the user will open webapp2 from webapp1. The user should not have to perform a login in Webapp2. Webapp2 uses the Keycloak Javascript adapter. I use the access/refresh token i gained earlier to initialize the adapter. It sends the refresh token to the token endpoint, but gets a statuscode 400 error "Unmatching clients". Request: grant_type=refresh_token refresh_token= client_id=webapp2 These are the relevant fields from the token: aud: "webapp2" azp: "impersonator" So i guess the problem is, that azp does not match client_id. 
In order to get a token for the correct client, I use the token exchange endpoint and the access token I got via the impersonation API

map.add("client_id", impersonator)
map.add("client_secret", )
map.add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
map.add("subject_token",)
map.add("audience", "webapp2")

That gives me a new token, but for the same client. At this point I'm stumped and pretty sure I misunderstood something basic. Can anybody give me a pointer in the right direction?

Cheers,
Till

From nicolas.delsaux at gmx.fr Thu Oct 11 08:41:37 2018
From: nicolas.delsaux at gmx.fr (Nicolas Delsaux)
Date: Thu, 11 Oct 2018 14:41:37 +0200
Subject: [keycloak-user] How to have identity provider configuration page visible in Keycloak?
Message-ID: <1417c659-f23b-427a-db73-fb732b6b0756@gmx.fr>

Hi all,

I'm writing a custom identity provider for Keycloak that I want to deploy using the [deployer][1] method (since I want to deploy it in [Docker containers][2]). Following an [example][3] I found on the web, I've created a maven project where, using the maven-assembly-plugin, I build a jar with dependencies (but I've filtered out the various services implementations my dependencies provide me to just keep the identity provider service).

Things seem to work partly correctly:

* Keycloak log indicates my id provider is loading/loaded: `keycloak_1 | 09:23:20,056 INFO [org.jboss.as.server] (ServerService Thread Pool -- 29) WFLYSRV0010: Deployed "mycompnay-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar" (runtime-name :"mycompany-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar")`
* When I go in the *Identity Providers* panel, the new provider is visible in the "Add provider ..."

But when I try to configure it, Keycloak redirects me to the resource not found error page. The problem is that Keycloak outputs strictly no logs (even when I configure log level to the max).
In my project, I have the following code organization (which gets replicated in jar-with-dependencies)

+---src
    +---build
    |   \---assembly
    +---main
    |   +---java
    |   |   \---com
    |   |       \---mycompany
    |   |           \---mygroup
    |   |               \---security
    |   |                   \---oidc
    |   \---resources
    |       +---META-INF
    |       |   \---services
    |       \---themes
    |           \---base
    |               \---admin
    |                   \---resources
    |                       \---partials
    \---test
        +---java
        \---resources

What am I missing? I've already asked this question on StackOverflow (there https://stackoverflow.com/q/52757115/15619) - and that's why the formatting is quite poor, but Sebastien Blanc redirected me here (thanks a lot Sebastien!)

Thanks a lot!

[1]: https://www.keycloak.org/docs/4.5/server_development/index.html#using-the-keycloak-deployer
[2]: https://hub.docker.com/r/jboss/keycloak/
[3]: https://github.com/Reventl0v/KeycloakCAS

From David.Erie at datapath.com Thu Oct 11 16:30:08 2018
From: David.Erie at datapath.com (David Erie (US))
Date: Thu, 11 Oct 2018 20:30:08 +0000
Subject: [keycloak-user] Probable bug in permissions evaluation
Message-ID:

Hello,

I believe I found a bug in the permissions evaluation engine, and I didn't see anything in JIRA about this. I am running Keycloak 4.3.0.Final. I configured some permissions such that a user would have access to the read scope on one resource, but not on another. When I evaluate permissions on each of the resources and read scope by themselves, they are properly granted and denied, as expected. However, when I evaluate both resources at the same time, the result is wrong, and it depends on the order in which I add the resources.
If I add the allowed resource first, then they are both granted, but if I add the forbidden resource first, then they are both denied. What I expected is that one is allowed and the other is denied, regardless of the order I add them to the request. I have verified this in the admin console and the REST and Java APIs, and it produces the same broken result. Unless I'm missing something, this is a critical bug that would impact our planned usage of Keycloak. Thank you, Dave From craig at baseventure.com Thu Oct 11 16:36:11 2018 From: craig at baseventure.com (Craig Setera) Date: Thu, 11 Oct 2018 15:36:11 -0500 Subject: [keycloak-user] Testing SAML Identity Brokering Message-ID: I'm attempting to set up a test of identity brokering all within a single Keycloak server. I have two realms set up. The "saml-demo" realm is set up with a SAML client. I've exported the SAML definition from that client and imported it into the Identity Brokering for the second realm. Unfortunately, I can't seem to get to the login page of the "saml-demo" when navigating from the second realm. When I click on the identity broker realm link, I'm seeing the following in the logs: keycloak_1 | Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 128 keycloak_1 | at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) keycloak_1 | at java.security.Signature$Delegate.engineVerify(Signature.java:1222) keycloak_1 | at java.security.Signature.verify(Signature.java:655) keycloak_1 | at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236) I've turned up logging for all of the Keycloak SAML functionality as well as for java.security. However, I'm struggling to figure out where the mismatch is located in the configuration and not quite sure where to even look. Can anyone offer suggestions on how to go about setting this up or troubleshooting what I'm doing? 
Thanks,
Craig

=================================
*Craig Setera*
*Chief Technology Officer*

From fabio.ebner at lumera.com.br Thu Oct 11 20:59:09 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Thu, 11 Oct 2018 21:59:09 -0300
Subject: [keycloak-user] 2 Doubts
Message-ID:

I follow this sample to create my app ( https://sandor-nemeth.github.io/java/spring/2017/06/15/spring-boot-with-keycloak.html ), this works fine. But now I have 2 doubts:

1 - How can I from my api create user in keycloak?
2 - With the token how can I get the user's info?

tks

From kedar.budukh at ericsson.com Fri Oct 12 05:02:30 2018
From: kedar.budukh at ericsson.com (kedar.budukh at ericsson.com)
Date: Fri, 12 Oct 2018 02:02:30 -0700 (MST)
Subject: [keycloak-user] user storage ldap or keycloak
In-Reply-To: <1424da64-3570-39ba-8200-1e3fb95716f9@redhat.com>
References: <1424da64-3570-39ba-8200-1e3fb95716f9@redhat.com>
Message-ID: <1539334950214-0.post@n6.nabble.com>

Hi Bill,

I have a question related to scalability of Keycloak. I understand that Keycloak has Cluster feature for HA and to achieve Scalability. However, I want to know the maximum user DB that Keycloak can handle and the maximum number of concurrent Keycloak transactions handled? Can you please respond on these queries?

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From simonpayne58 at gmail.com Fri Oct 12 06:58:22 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Fri, 12 Oct 2018 11:58:22 +0100
Subject: [keycloak-user] roles in the user-info response
Message-ID:

Hi,

We have an existing system which we would like to integrate with keycloak. This system has a legacy authorization model, which is fairly complex and fine grained. Users of this system have many hundreds of roles which in some cases results in the token being too large, breaking the header size.
I was hoping that by limiting the roles within the token, through scope, and an endpoint similar to user-info or token introspection, we could determine which roles or resources the user is allowed to access through validated identity. However, I found that by limiting the scope for the access token, the roles are not returned as part of the user-info response.

Is anyone aware of any alternatives which will allow me to test roles associated with the user, at the resource server, without them being present in the access token?

Thanks,
Simon.

From dt at acutus.pro Fri Oct 12 08:49:59 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 12 Oct 2018 15:49:59 +0300
Subject: [keycloak-user] Testing SAML Identity Brokering
In-Reply-To:
References:
Message-ID: <1539348599.9707.1.camel@acutus.pro>

Hi Craig,

On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
> I'm attempting to set up a test of identity brokering all within a single
> Keycloak server. I have two realms set up. The "saml-demo" realm is set
> up with a SAML client. I've exported the SAML definition from that client
> and imported it into the Identity Brokering for the second realm.

In the brokering scenario, your webapp should remain the client of the saml-demo realm, and this realm itself should become a client of another realm. This is how brokering actually works.

Let's assume there are realms "foo" and "bar", and the former should broker to the latter. The exact steps are:

1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
2. Scroll down to "Import from URL", enter the following: http://:/auth/realms/bar/protocol/saml/descriptor (replace "bar" with the actual name of your second realm)
3. Go to Export tab, save EntityDescriptor XML;
4. Go to "bar" realm -> Clients, create one, import the XML from the previous step, provide some meaningful name;
5. Create some users in "bar".

After that, try accessing your SAML client.
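An added example from the editor, not code from the thread or from Keycloak, tying Craig's "Signature length not correct: got 256 but was expecting 128" to the descriptor import in step 2: a PKCS#1 RSA signature is exactly as long as the signing key's modulus, so that message means the assertion was signed with a 2048-bit key while the broker holds a 1024-bit certificate for the IdP. The program below parses the signing certificate out of an IdP EntityDescriptor and reports the key size; it uses only the Go standard library, and the descriptor, realm name "bar" and localhost URL it builds are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The slice of a SAML 2.0 IdP EntityDescriptor that matters here: the certificate
// under KeyDescriptor use="signing" (encoding/xml matches local names whatever the prefix).
type entityDescriptor struct {
	XMLName xml.Name `xml:"EntityDescriptor"`
	Keys    []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// SigningKeyBits parses IdP metadata and returns the RSA modulus size of the signing
// certificate it advertises, i.e. the key a broker that imported it verifies with.
func SigningKeyBits(metadata []byte) (int, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return 0, fmt.Errorf("metadata: %w", err)
	}
	for _, k := range ed.Keys {
		if k.Use != "" && k.Use != "signing" { // no "use" means signing and encryption
			continue
		}
		// Exporters wrap the base64 over several lines; drop all whitespace first.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil {
			return 0, fmt.Errorf("X509Certificate: %w", err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return 0, fmt.Errorf("X509Certificate: %w", err)
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			return 0, fmt.Errorf("signing key is %T, not RSA", cert.PublicKey)
		}
		return pub.N.BitLen(), nil
	}
	return 0, fmt.Errorf("no signing KeyDescriptor in metadata")
}

// Diagnose reads the JDK message "Signature length not correct: got X but was expecting Y"
// as key sizes: a PKCS#1 RSA signature is exactly modulus-length, so X is the signer's
// key and Y (configuredBits/8) is the key the broker holds.
func Diagnose(configuredBits, gotSigBytes int) string {
	expected := configuredBits / 8
	if gotSigBytes == expected {
		return fmt.Sprintf("signature length %d matches the configured %d-bit key", gotSigBytes, configuredBits)
	}
	return fmt.Sprintf("mismatch: assertion signed with a %d-bit key but the broker holds a %d-bit key (expects %d bytes); re-import the IdP descriptor",
		gotSigBytes*8, configuredBits, expected)
}

// sampleMetadata builds a constructed IdP descriptor around a fresh self-signed
// certificate, standing in for what Keycloak serves at .../protocol/saml/descriptor.
func sampleMetadata(bits int) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bar"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	md := fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://localhost:8080/auth/realms/bar">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>`, base64.StdEncoding.EncodeToString(der))
	return []byte(md)
}

func main() {
	// Constructed case: broker imported a 1024-bit key ("expecting 128"), assertion carries a 256-byte signature ("got 256").
	bits, err := SigningKeyBits(sampleMetadata(1024))
	if err != nil {
		panic(err)
	}
	fmt.Println(Diagnose(bits, 256))
}
```

Run against the descriptor actually served by the realm you imported in step 2 and compare the reported size with the certificate stored on the identity provider; a difference means the broker is verifying with a key the IdP no longer signs with.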
You'll be presented with the Keycloak login screen where you'll be able to either authenticate against "saml-demo", or to choose another realm.

Some notes:
- you can avoid first login screen and redirect automatically to the second realm, using custom authentication flow with IDP redirector + flow override at the client level;
- upon the first brokered login, the user will be presented with the Update account details screen. If you want to bypass that, you can enable identity auto-linking. It's out of the box in KC 4.5.0, thx to excellent work by Ryan Slominski: https://issues.jboss.org/browse/KEYCLOAK-7270 For KC <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> Unfortunately, I can't seem to get to the login page of the "saml-demo"
> when navigating from the second realm. When I click on the identity broker
> realm link, I'm seeing the following in the logs:
>
> keycloak_1 | Caused by: java.security.SignatureException: Signature length
> not correct: got 256 but was expecting 128
> keycloak_1 |     at
> sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
> keycloak_1 |     at
> java.security.Signature$Delegate.engineVerify(Signature.java:1222)
> keycloak_1 |     at java.security.Signature.verify(Signature.java:655)
> keycloak_1 |     at
> org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
>
> I've turned up logging for all of the Keycloak SAML functionality as well
> as for java.security. However, I'm struggling to figure out where the
> mismatch is located in the configuration and not quite sure where to even
> look.
>
> Can anyone offer suggestions on how to go about setting this up or
> troubleshooting what I'm doing?
> > Thanks, > Craig > > ================================= > *Craig Setera* > > *Chief Technology Officer* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Fri Oct 12 09:14:17 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 12 Oct 2018 16:14:17 +0300 Subject: [keycloak-user] Dynamically branded login? In-Reply-To: References: <1533011148.5207.30.camel@acutus.pro> <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com> <1533171048.2094.15.camel@acutus.pro> Message-ID: <1539350057.9707.4.camel@acutus.pro> Craig, Will, Indeed, in the out-of-the-box configuration the URI info is not accessible in FTL templates. But I was able to provide it with the help of the custom LoginFormsProvider, which was trivial to implement. Yep this adds another entity, but as long as you're deploying your custom theme as a module or via deployments dir (which is the recommended way), you should be ok with this, as theme+provider could be packaged as a single JAR. Since it turns out to be kind of popular topic, I think I'll publish the PoC and maybe even write an article on that. In a few words, you extend FreeMarkerLoginFormsProvider and override createCommonAttributes(), where you can push any arbitrary data to the FTL context. 2 Craig: is your use case similar to that of Will? I mean your URL is like this: http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?...&customvar=1 I'm asking because if you append a query param to your client URL, it won't be propagated to the Keycloak auth URL directly, but rather as a part of redirect_uri param (from where it can be parsed of course). P.S. if anyone from the dev team reads this: do you think we can have this OOTB? Cheers, Dmitry Telegin CTO, Acutus s.r.o. 
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-08 at 10:04 -0500, Craig Setera wrote:
> Following up on this conversation. I was unable to find a way to do this via the Freemarker templates unfortunately. The templates are not receiving anything useful in determining the full path and query parameters. The only approach that I've found to do what I need is to add a small Javascript snippet to my theme that is able to look at the query parameters and insert a new stylesheet reference into the code based on a query parameter. Ugly, but seems effective assuming I can get my query parameter set in all of the URL's that matter.
>
> =================================
> Craig Setera
> Chief Technology Officer
>
> On Wed, Aug 29, 2018 at 9:36 AM Craig Setera wrote:
> > Dmitry,
> >
> > I've put Keycloak on the back burner for the moment. I do intend to pick it back up toward the end of the year and I expect I will be digging into this heavily. If I figure anything out, I will be sure to report back.
> >
> > Craig
> >
> > =================================
> > Craig Setera
> > Chief Technology Officer
> > 415-324-5861
> > craig at baseventure.com
> >
> > On Wed, Aug 1, 2018 at 7:50 PM Dmitry Telegin
wrote:
> > > Craig, Will,
> > >
> > > Sorry for having fooled you :-\ turns out that the ${url} object is actually not what it seems.
> > >
> > > I'd suggest the following trick. Could someone please try dumping all the available FTL variables using the below approach?
> > > https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-dumper-script-for-liferay-7
> > >
> > > This is for Liferay, but I hope it works with Keycloak FTLs without any major modifications. So hopefully we can fish something useful out of there.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote:
> > > > Hi Dmitry,
> > > >
> > > > I have a use case for this same need: conditionally rendering a block of HTML in the login.ftl based on the value of a query string param.
> > > >
> > > > I have a question with more details here: https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158
> > > >
> > > > I attempted to use ${ur} as you suggested, however it does not have a public method that provides the request url :(
> > > >
> > > > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java
> > > >
> > > > Am I missing something? Or is there any other way to access the login request url in login.ftl?
> > > >
> > > > Thanks, Will
> > > >
> > > > > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin
wrote:
> > > > >
> > > > > Hi Craig, sorry for late response,
> > > > >
> > > > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
> > > > > > We build and host a multitenant application that is currently using
> > > > > > homegrown authentication and authorization (using Picketlink). We are
> > > > > > considering a move to Keycloak. My preference would be to use the login
> > > > > > flows that are built in to Keycloak rather than building our own, however
> > > > > > that is dependent on whether we can properly brand those login flows on a
> > > > > > per-customer basis in some dynamic way.
> > > > >
> > > > > In Keycloak parlance, the term "login flow" has a very particular
> > > > > meaning. Basically, it's what you see in the Authentication section in
> > > > > the Admin Console. It defines how authentication *works* rather than
> > > > > how it *looks like* (i.e. logic rather than appearance).
> > > > >
> > > > > Do you really mean "login flows"? From the second part of your message
> > > > > I can deduce you're mainly interested in customizing the GUI.
> > > > >
> > > > > > In looking at the theme SPI support, it appears to be mostly targeted to
> > > > > > supporting multiple "static" themes. Is it possible to make a theme that
> > > > > > is dynamic based on, for example, a query parameter?
> > > > >
> > > > > By default, Keycloak uses FreeMarker templates for login screens. In
> > > > > the templates, the URL object is exposed as ${url}, so you can analyze
> > > > > it and add conditional statements. If you're ok with that, probably you
> > > > > won't need to implement any SPIs.
> > > > >
> > > > > Otherwise, you can either implement custom theme selection logic based
> > > > > on request parameters (Theme Selector SPI), or completely redefine
> > > > > theming mechanism (Theme SPI).
> > > > >
> > > > > > Are there any
> > > > > > examples anywhere on how that might be possible?
> > > > >
> > > > > Well, builtin Keycloak themes are the best example IMO :) you can find
> > > > > the default login theme under
> > > > > themes/src/main/resources/theme/base/login in the source tree.
> > > > >
> > > > > > Would Keycloak carry
> > > > > > through query parameters if they were provided when launching the login
> > > > > > flow?
> > > > >
> > > > > It's best to create a custom theme and see :)
> > > > >
> > > > > Good luck!
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > > Thanks,
> > > > > > Craig
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > >
> > >

From craig at baseventure.com Fri Oct 12 10:46:35 2018
From: craig at baseventure.com (Craig Setera)
Date: Fri, 12 Oct 2018 09:46:35 -0500
Subject: [keycloak-user] Dynamically branded login?
In-Reply-To: <1539350057.9707.4.camel@acutus.pro>
References: <1533011148.5207.30.camel@acutus.pro> <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com> <1533171048.2094.15.camel@acutus.pro> <1539350057.9707.4.camel@acutus.pro>
Message-ID:

The URL you call out is how I'm solving for this. I'm hopeful to be able to do something similar for the account management pages as well, but I haven't tried that at all to this point. I would love to see something more "official", but I understand if that isn't something easily handled in the core.
================================= *Craig Setera* *Chief Technology Officer* On Fri, Oct 12, 2018 at 8:14 AM Dmitry Telegin
wrote:

> Craig, Will,
>
> Indeed, in the out-of-the-box configuration the URI info is not accessible in FTL templates. But I was able to provide it with the help of the custom LoginFormsProvider, which was trivial to implement.
> Yep this adds another entity, but as long as you're deploying your custom theme as a module or via deployments dir (which is the recommended way), you should be ok with this, as theme+provider could be packaged as a single JAR.
>
> Since it turns out to be kind of a popular topic, I think I'll publish the PoC and maybe even write an article on that. In a few words, you extend FreeMarkerLoginFormsProvider and override createCommonAttributes(), where you can push any arbitrary data to the FTL context.
>
> 2 Craig: is your use case similar to that of Will? I mean your URL is like this:
>
> http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?...&customvar=1
>
> I'm asking because if you append a query param to your client URL, it won't be propagated to the Keycloak auth URL directly, but rather as a part of the redirect_uri param (from where it can be parsed of course).
>
> P.S. if anyone from the dev team reads this: do you think we can have this OOTB?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-10-08 at 10:04 -0500, Craig Setera wrote:
> > Following up on this conversation. I was unable to find a way to do this via the Freemarker templates unfortunately. The templates are not receiving anything useful in determining the full path and query parameters. The only approach that I've found to do what I need is to add a small Javascript snippet to my theme that is able to look at the query parameters and insert a new stylesheet reference into the code based on a query parameter. Ugly, but seems effective assuming I can get my query parameter set in all of the URLs that matter.
> >
> > =================================
> > Craig Setera
> > Chief Technology Officer
> >
> > On Wed, Aug 29, 2018 at 9:36 AM Craig Setera wrote:
> > > Dmitry,
> > >
> > > I've put Keycloak on the back burner for the moment. I do intend to pick it back up toward the end of the year and I expect I will be digging into this heavily. If I figure anything out, I will be sure to report back.
> > >
> > > Craig
> > >
> > > =================================
> > > Craig Setera
> > > Chief Technology Officer
> > > 415-324-5861
> > > craig at baseventure.com
> > >
> > > On Wed, Aug 1, 2018 at 7:50 PM Dmitry Telegin wrote:
> > > > Craig, Will,
> > > >
> > > > Sorry for having fooled you :-\ turns out that the ${url} object is actually not what it seems.
> > > >
> > > > I'd suggest the following trick. Could someone please try dumping all the available FTL variables using the below approach?
> > > > https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-dumper-script-for-liferay-7
> > > >
> > > > This is for Liferay, but I hope it works with Keycloak FTLs without any major modifications. So hopefully we can fish something useful out of there.
> > > >
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote:
> > > > > Hi Dmitry,
> > > > >
> > > > > I have a use case for this same need: conditionally rendering a block of HTML in the login.ftl based on the value of a query string param.
> > > > >
> > > > > I have a question with more details here: https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158
> > > > >
> > > > > I attempted to use ${url} as you suggested, however it does not have a public method that provides the request url :(
> > > > >
> > > > > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java
> > > > >
> > > > > Am I missing something? Or is there any other way to access the login request url in login.ftl?
> > > > >
> > > > > Thanks, Will
> > > > >
> > > > > > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin wrote:
> > > > > >
> > > > > > Hi Craig, sorry for late response,
> > > > > >
> > > > > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
> > > > > > > We build and host a multitenant application that is currently using homegrown authentication and authorization (using Picketlink). We are considering a move to Keycloak. My preference would be to use the login flows that are built in to Keycloak rather than building our own, however that is dependent on whether we can properly brand those login flows on a per-customer basis in some dynamic way.
> > > > > >
> > > > > > In Keycloak parlance, the term "login flow" has a very particular meaning. Basically, it's what you see in the Authentication section in the Admin Console. It defines how authentication *works* rather than how it *looks* (i.e. logic rather than appearance).
> > > > > >
> > > > > > Do you really mean "login flows"? From the second part of your message I can deduce you're mainly interested in customizing the GUI.
> > > > > >
> > > > > > > In looking at the theme SPI support, it appears to be mostly targeted to supporting multiple "static" themes. Is it possible to make a theme that is dynamic based on, for example, a query parameter?
> > > > > >
> > > > > > By default, Keycloak uses FreeMarker templates for login screens. In the templates, the URL object is exposed as ${url}, so you can analyze it and add conditional statements. If you're ok with that, probably you won't need to implement any SPIs.
> > > > > >
> > > > > > Otherwise, you can either implement custom theme selection logic based on request parameters (Theme Selector SPI), or completely redefine the theming mechanism (Theme SPI).
> > > > > >
> > > > > > > Are there any examples anywhere on how that might be possible?
> > > > > >
> > > > > > Well, builtin Keycloak themes are the best example IMO :) you can find the default login theme under themes/src/main/resources/theme/base/login in the source tree.
> > > > > >
> > > > > > > Would Keycloak carry through query parameters if they were provided when launching the login flow?
> > > > > >
> > > > > > It's best to create a custom theme and see :)
> > > > > >
> > > > > > Good luck!
> > > > > > Dmitry Telegin
> > > > > > CTO, Acutus s.r.o.
> > > > > > Keycloak Consulting and Training
> > > > > >
> > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > > +42 (022) 888-30-71
> > > > > > E-mail: info at acutus.pro
> > > > > >
> > > > > > > Thanks,
> > > > > > > Craig
> > > > > > > _______________________________________________
> > > > > > > keycloak-user mailing list
> > > > > > > keycloak-user at lists.jboss.org
> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From craig at baseventure.com Fri Oct 12 11:47:52 2018
From: craig at baseventure.com (Craig Setera)
Date: Fri, 12 Oct 2018 10:47:52 -0500
Subject: [keycloak-user] Testing SAML Identity Brokering
In-Reply-To: <1539348599.9707.1.camel@acutus.pro>
References: <1539348599.9707.1.camel@acutus.pro>
Message-ID:

Dmitry,

This is great! I was able to finally see a working SAML identity broker and I can therefore start to understand how it works.

One other question: I understand how to provide a "hint" about which identity provider to use when initiating login from my client application. Is there a way to "start" login at the SAML service and have it redirect back to Keycloak, or must the login processing always start at Keycloak?

Thanks again,
Craig

=================================
*Craig Setera*
*Chief Technology Officer*

On Fri, Oct 12, 2018 at 7:50 AM Dmitry Telegin wrote:
> Hi Craig,
>
> On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
> > I'm attempting to set up a test of identity brokering all within a single Keycloak server. I have two realms set up. The "saml-demo" realm is set up with a SAML client. I've exported the SAML definition from that client and imported it into the Identity Brokering for the second realm.
>
> In the brokering scenario, your webapp should remain the client of the saml-demo realm, and this realm itself should become a client of another realm. This is how brokering actually works.
>
> Let's assume there are realms "foo" and "bar", and the former should broker to the latter. The exact steps are:
> 1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
> 2. Scroll down to "Import from URL", enter the following: http://<host>:<port>/auth/realms/bar/protocol/saml/descriptor (replace "bar" with the actual name of your second realm);
> 3. Go to Export tab, save EntityDescriptor XML;
> 4. Go to "bar" realm -> Clients, create one, import the XML from the previous step, provide some meaningful name;
> 5. Create some users in "bar".
>
> After that, try accessing your SAML client. You'll be presented with the Keycloak login screen where you'll be able to either authenticate against "saml-demo", or to choose another realm.
>
> Some notes:
> - you can avoid the first login screen and redirect automatically to the second realm, using a custom authentication flow with IDP redirector + flow override at the client level;
> - upon the first brokered login, the user will be presented with the Update account details screen. If you want to bypass that, you can enable identity auto-linking. It's out of the box in KC 4.5.0, thx to excellent work by Ryan Slominski: https://issues.jboss.org/browse/KEYCLOAK-7270
> For KC <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Unfortunately, I can't seem to get to the login page of the "saml-demo" when navigating from the second realm. When I click on the identity broker realm link, I'm seeing the following in the logs:
> >
> > keycloak_1 | Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 128
> > keycloak_1 | at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
> > keycloak_1 | at java.security.Signature$Delegate.engineVerify(Signature.java:1222)
> > keycloak_1 | at java.security.Signature.verify(Signature.java:655)
> > keycloak_1 | at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
> >
> > I've turned up logging for all of the Keycloak SAML functionality as well as for java.security. However, I'm struggling to figure out where the mismatch is located in the configuration and not quite sure where to even look.
> >
> > Can anyone offer suggestions on how to go about setting this up or troubleshooting what I'm doing?
> >
> > Thanks,
> > Craig
> >
> > =================================
> > *Craig Setera*
> >
> > *Chief Technology Officer*
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From David.Erie at datapath.com Fri Oct 12 13:30:20 2018
From: David.Erie at datapath.com (David Erie (US))
Date: Fri, 12 Oct 2018 17:30:20 +0000
Subject: [keycloak-user] Probable bug in permissions evaluation
In-Reply-To:
References:
Message-ID:

I have tracked down where the problem is; whether it's by design or a flaw, I don't know:

org.keycloak.authorization.policy.evaluation.DefaultEvaluation.getDecisionCache() - Map

The key to the decision cache Map is a Policy object, so when more than one resource in the same request match on the same Policy, only one result ends up in the cache: the first permission that is evaluated.

A solution would be to change the Map key to some kind of wrapper around the Policy that contains the permission object on which the Policy matched, e.g. the resource. This would result in what I expect, which is a decision on each permission sent in the request.

Does this make sense?

Thanks,
Dave

From: David Erie (US)
Sent: Thursday, October 11, 2018 4:30 PM
To: keycloak-user at lists.jboss.org
Subject: Probable bug in permissions evaluation

Hello,

I believe I found a bug in the permissions evaluation engine, and I didn't see anything in JIRA about this. I am running Keycloak 4.3.0.Final.

I configured some permissions such that a user would have access to the read scope on one resource, but not on another. When I evaluate permissions on each of the resources and read scope by themselves, they are properly granted and denied, as expected. However, when I evaluate both resources at the same time, the result is wrong, and it depends on the order in which I add the resources.
If I add the allowed resource first, then they are both granted, but if I add the forbidden resource first, then they are both denied. What I expected is that one is allowed and the other is denied, regardless of the order I add them to the request.

I have verified this in the admin console and the REST and Java APIs, and it produces the same broken result.

Unless I'm missing something, this is a critical bug that would impact our planned usage of Keycloak.

Thank you,
Dave

From dt at acutus.pro Fri Oct 12 17:11:10 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 00:11:10 +0300
Subject: [keycloak-user] roles in the user-info response
In-Reply-To:
References:
Message-ID: <1539378670.5223.1.camel@acutus.pro>

Hi Simon,

Seems like you've hit a bug. I was able to reproduce it, please let me know if the use case is similar to yours:
1. created an OIDC client;
2. created some client roles for that client;
3. assigned them to the user;
4. added two protocol mappers, User Client Role and User Realm Role;
5. obtained access token for the user via direct grant;
6. used the token to query Keycloak userinfo endpoint.

If Full scope is enabled in client settings -> Scope, I can see all the roles in the returned userinfo. If Full scope is disabled, there is no way to add roles from step 2 to the scope. In the scope config, they show up in Effective roles, but neither in Assigned roles nor Available roles.

I think this is because in the latter mode userinfo returns only direct roles, not effective ones. It's easy to prove; you can add, say, "admin" realm role to the scope, but the userinfo won't include its child role, "create-realm", even if the user is admin.

OTOH, you have added protocol mappers to the client, right? You can go to mapper settings and turn off "Add to access token" (leaving Full scope on). Thus, your access token won't include role info anymore, but it will remain in the ID token and userinfo endpoint response.

As the last resort, you can use Keycloak Admin REST API [1] to query for user roles.

[1] https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote:
> Hi,
>
> We have an existing system which we would like to integrate with keycloak. This system has a legacy authorization model, which is fairly complex and fine grained.
>
> Users of this system have many hundreds of roles which in some cases results in the token being too large, breaking the header size.
>
> I was hoping that by limiting the roles within the token, through scope, and an endpoint similar to user-info or token introspection, we could determine which roles or resources the user is allowed to access through validated identity.
>
> However, I found that by limiting the scope for the access token, the roles are not returned as part of the user-info response.
>
> Is anyone aware of any alternatives which will allow me to test roles associated with the user, at the resource server, without them being present in the access token?
>
> Thanks
>
> Simon.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From polochepu at gmail.com Fri Oct 12 17:22:34 2018
From: polochepu at gmail.com (paolo lizarazu)
Date: Fri, 12 Oct 2018 17:22:34 -0400
Subject: [keycloak-user] Spring boot application with keycloak
Message-ID:

Hi All,

I have a Spring Boot application that uses the Keycloak adapter to handle security; here is the scenario.
Keycloak 4.2.0 - has a realm and a client configured as confidential, with a secret generated, running in a Docker container - the Spring Boot application runs on my local machine and has the secret and the required Keycloak properties configured -- the Spring Boot app has:

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            .antMatchers("/customers*", "/users*")
            .hasAnyRole("USER", "ADMIN", "user", "admin", "users")
            .anyRequest()
            .permitAll();
    }

on KeycloakWebSecurityConfigurerAdapter; as you can see we are validating that the /customers* and /users* paths require roles.

When I go to localhost:8080/users the application is redirected to the Keycloak login page, and after login success the page shows a 403 error; the log shows the connection with Keycloak went well, but it seems I have an anonymous user in my request. I think my user gets a session and this should save the token? Sorry if this is a beginner question. Any help would be appreciated.

From dt at acutus.pro Fri Oct 12 17:25:01 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 00:25:01 +0300
Subject: [keycloak-user] 2 Doubts
In-Reply-To:
References:
Message-ID: <1539379501.5223.3.camel@acutus.pro>

Hi Fabio, answers inline,

On Thu, 2018-10-11 at 21:59 -0300, Fabio Ebner wrote:
> I follow this sample to create my app (https://sandor-nemeth.github.io/java/spring/2017/06/15/spring-boot-with-keycloak.html), this works fine. But now I have 2 doubts
>
> 1 - How can I from my api create user in keycloak?

You mean, from your Spring Boot app? Like from any Java app, you can use Keycloak Admin Client [1] or any REST client to talk to Keycloak Admin REST API [2]. Users endpoint is what you're looking for.

> 2 - With the token how can I get the user's info?

That's what the UserInfo endpoint [3] is for :) see also example [4].

[1] https://www.keycloak.org/docs/latest/server_development/index.html#example-using-java
[2] https://www.keycloak.org/docs-api/4.5/rest-api/
[3] https://www.keycloak.org/docs/latest/securing_apps/#userinfo-endpoint
[4] http://lists.jboss.org/pipermail/keycloak-user/2016-July/006793.html

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> tks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Oct 12 17:38:15 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 00:38:15 +0300
Subject: [keycloak-user] How to have identity provider configuration page visible in Keycloak?
In-Reply-To: <1417c659-f23b-427a-db73-fb732b6b0756@gmx.fr>
References: <1417c659-f23b-427a-db73-fb732b6b0756@gmx.fr>
Message-ID: <1539380295.5223.5.camel@acutus.pro>

Hi Nicolas,

I'm afraid Keycloak won't let you override/extend the base theme the way you do it now (themes/base/...). I'd recommend that you use Theme Resources [1], it seems to be exactly your use case. However, it's a fairly recent feature [2]. If you're on KC 3.x, you'll rather need to create a custom theme based on the stock one. See Keycloak examples [3] and BeerCloak [4] for that.

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource
[2] https://issues.jboss.org/browse/KEYCLOAK-6519
[3] https://github.com/keycloak/keycloak/tree/master/examples/themes
[4] https://github.com/dteleguin/beercloak

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-10-11 at 14:41 +0200, Nicolas Delsaux wrote:
> Hi all,
>
> I'm writing a custom identity provider for Keycloak that I want to deploy using the [deployer][1] method (since I want to deploy it in [Docker containers][2]). Following an [example][3] I found on the web, I've created a maven project where, using the maven-assembly-plugin, I build a jar with dependencies (but I've filtered out the various services implementations my dependencies provide me to just keep the identity provider service).
>
> Things seem to work partly correctly:
>
> * Keycloak log indicates my id provider is loading/loaded:
>   `keycloak_1 | 09:23:20,056 INFO [org.jboss.as.server] (ServerService Thread Pool -- 29) WFLYSRV0010: Deployed "mycompnay-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar" (runtime-name : "mycompany-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar")`
> * When I go in the *Identity Providers* panel, the new provider is visible in the "Add provider ..."
>
> But when I try to configure it, Keycloak redirects me to the resource not found error page
>
> The problem is that Keycloak outputs strictly no logs (even when I configure log level to the max).
>
> In my project, I have the following code organization (which gets replicated in jar-with-dependencies)
>
>     +---src
>         +---build
>         |   \---assembly
>         +---main
>         |   +---java
>         |   |   \---com
>         |   |       \---mycompany
>         |   |           \---mygroup
>         |   |               \---security
>         |   |                   \---oidc
>         |   \---resources
>         |       +---META-INF
>         |       |   \---services
>         |       \---themes
>         |           \---base
>         |               \---admin
>         |                   \---resources
>         |                       \---partials
>         \---test
>             +---java
>             \---resources
>
> What am I missing?
> I've already asked this question on StackOverflow (there: https://stackoverflow.com/q/52757115/15619) - and that's why the formatting is quite poor, but Sebastien Blanc redirected me here (thanks a lot Sebastien!)
>
> Thanks a lot!
>
>
>   [1]: https://www.keycloak.org/docs/4.5/server_development/index.html#using-the-keycloak-deployer
>   [2]: https://hub.docker.com/r/jboss/keycloak/
>   [3]: https://github.com/Reventl0v/KeycloakCAS
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Oct 12 17:51:49 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 00:51:49 +0300
Subject: [keycloak-user] Scalability of Keycloak Access Mgmt system for Self-care users
In-Reply-To: <1539232927072-0.post@n6.nabble.com>
References: <1539232927072-0.post@n6.nabble.com>
Message-ID: <1539381109.5223.7.camel@acutus.pro>

Hi Kedar,

Unfortunately, there isn't much info on Keycloak scalability (well, it does scale, the question is what hardware you'll need to satisfy your requirements). Public Keycloak benchmarking is something that we at our company have had on our backlog for a long time, but I'm afraid we can't expect results soon.

There is a benchmarking suite for Keycloak [1], however it hasn't been updated for a long time. Maybe it will need to be updated for compatibility with recent Keycloak versions. After all, you're free to try it and to share the results :) I understand that you probably won't be benchmarking it for 60M users, but lower numbers will allow you to understand the overall scalability law and kind of predict the final h/w requirements for your customer.
[1] https://github.com/rvansa/keycloak-benchmark

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-10-10 at 21:42 -0700, kedar.budukh at ericsson.com wrote:
> Hi,
> I am currently evaluating Keycloak as one of the IdM and Access Management systems. My client is a Telecom Service Provider and has a requirement to support Self-care users with an expected volume of 60 to 80 million users with approximately 2000 to 3000 login requests per second. I want to use Keycloak to Authenticate and Authorize (RBAC) end users using OpenID Connect.
>
> I tried searching for information on Keycloak scalability with Relational DB or LDAP Services and the performance, however, I did not find much information about the same.
> The Keycloak documentation talks about the Clustering feature but the stats are not given.
>
> Can someone please help me as per your experience with Keycloak performance and scalability to support Self-care users of 60 to 80 million volume?
>
> Also, kindly suggest if I should consider any other IdM and Access Management system with the above requirement of scalability for my evaluation.
>
> Thanks and Regards,
> Kedar
>
>
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From fabio.ebner at lumera.com.br Fri Oct 12 17:55:35 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Fri, 12 Oct 2018 18:55:35 -0300
Subject: [keycloak-user] 401 when try to create an user
Message-ID:

I'm trying to use the Keycloak admin client to create one user. My Keycloak user is "keycloak" and the password is "k3ycl0@k". So I'm using this code:

    import java.util.Arrays;
    import java.util.Collections;

    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.admin.client.resource.RealmResource;
    import org.keycloak.admin.client.resource.UsersResource;
    import org.keycloak.representations.idm.ClientRepresentation;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.RoleRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    String serverUrl = "http://localhost:9090/auth/admin";
    String realm = "Lumera";
    String clientId = "admin-cli";
    String clientSecret = "b1bc8d8e-2cff-4d6d-9cbd-d5fcfe82d1bc";

    Keycloak keycloak = KeycloakBuilder.builder() //
            .serverUrl(serverUrl)
            .realm(realm)
            .clientId(clientId) //
            .clientSecret(clientSecret)
            .username("keycloak")
            .password("k3ycl0@k")
            .build();

    // create the user
    UserRepresentation user = new UserRepresentation();
    user.setEnabled(true);
    user.setUsername("tester1");
    user.setEmail("te@teste.com.br");
    user.setAttributes(Collections.singletonMap("origin", Arrays.asList("demo")));

    RealmResource realmResource = keycloak.realm(realm);
    UsersResource userRessource = realmResource.users();

    javax.ws.rs.core.Response response = userRessource.create(user);
    System.out.println(response.getLocation());
    // the id of the new user is the last path segment of the Location header
    String userId = response.getLocation().getPath().replaceAll(".*/([^/]+)$", "$1");

    // assign the realm role "tester"
    RoleRepresentation testerRealmRole = realmResource.roles().get("tester").toRepresentation();
    userRessource.get(userId).roles().realmLevel().add(Arrays.asList(testerRealmRole));

    // assign the client role "user" of the client "app1"
    ClientRepresentation app1Client = realmResource.clients().findByClientId("app1").get(0);
    RoleRepresentation userClientRole = realmResource.clients().get(app1Client.getId()).roles().get("user").toRepresentation();
    userRessource.get(userId).roles().clientLevel(app1Client.getId()).add(Arrays.asList(userClientRole));

    // set a permanent password
    CredentialRepresentation passwordCred = new CredentialRepresentation();
    passwordCred.setTemporary(false);
    passwordCred.setType(CredentialRepresentation.PASSWORD);
    passwordCred.setValue("test");
    userRessource.get(userId).resetPassword(passwordCred);

But it returns:

    Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized

in the line

    javax.ws.rs.core.Response response = userRessource.create(user);

I'm using Spring Boot 1.5.16.

From dt at acutus.pro Fri Oct 12 18:21:04 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 01:21:04 +0300
Subject: [keycloak-user] Is it possible to update a Password using SAML
In-Reply-To: <10fa414a-818e-8936-88df-c60c77d7e86b@rmm.li>
References: <10fa414a-818e-8936-88df-c60c77d7e86b@rmm.li>
Message-ID: <1539382864.5223.11.camel@acutus.pro>

Hi Michael,

SAML is a single sign-on protocol, not an identity management one. These notions are normally clearly separated in the IAM world. So SAML definitely won't let you change passwords and manipulate other identity data, since it wasn't designed for this.

SCIM [1] would be a perfect solution; unfortunately, it isn't implemented in Keycloak OOTB (however, there's an ongoing effort for that [2], so stay tuned). Currently, the recommended way to manipulate identity data (including changing passwords) is to use Keycloak Admin REST API [3].

[1] http://www.simplecloud.info/
[2] http://lists.jboss.org/pipermail/keycloak-dev/2018-August/011178.html
[3] https://www.keycloak.org/docs-api/4.5/rest-api/

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-10-10 at 09:59 -0500, Michael Meier wrote:
> Hi all
>
> Maybe it's a stupid question and that's maybe the reason I couldn't find an answer for it on the internet.
> But is it possible that a service provider (in my case Nextcloud) uses the SAML protocol to update the current user's password on the IdP (keycloak)?
> If yes, does Keycloak support that?
>
> thanks a lot for the information
>
> Michael Meier
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Oct 12 18:28:32 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 01:28:32 +0300
Subject: [keycloak-user] restricting user registration?
In-Reply-To:
References:
Message-ID: <1539383312.5223.13.camel@acutus.pro>

Hi Wyllys,

Unfortunately, there's no such functionality OOTB. The feature has been requested long ago, you can track progress here: https://issues.jboss.org/browse/KEYCLOAK-439

I was planning to work on it for my personal project, but can't promise it will happen soon.

Stay tuned,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-10-09 at 16:11 -0400, Wyllys Ingersoll wrote:
> Is it possible to configure user self-registration to a new realm such that only users with a specific token or link can register?
>
> We want to allow self-registration, but do not want it to be open-ended, but rather by invitation where the invitation would be an email or some OOB mechanism that provides the user with a unique 1-time-only code to use to authorize their registration.
>
> Is this possible?
>
> Thanks,
> Wyllys Ingersoll
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Oct 12 18:33:35 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 13 Oct 2018 01:33:35 +0300
Subject: [keycloak-user] Custom SPI (emailSender) working under Windows, not working in docker image
In-Reply-To: <5E48B917000C984B86B77170F441903A11D8FE42@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A11D8FE42@exch.ringler.ch>
Message-ID: <1539383615.5223.15.camel@acutus.pro>

Hi Lukasz,

In Docker, how do you supply a modified standalone.xml to Keycloak? Do you map the whole $KEYCLOAK/standalone/configuration as a volume? For testing purposes, could you please "burn" standalone.xml into the image and let us know of the results?

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-10-09 at 14:21 +0000, Lukasz Lech wrote:
> Hello,
>
> I've created my own version of emailService, deployed it via copying into standalone/deployments and added a section in standalone.xml:
>
>             <spi name="emailSender">
>                 <default-provider>multipart</default-provider>
>             </spi>
>
> Under both Windows and docker I get the warning that I'm implementing internal API, and confirmation that the module was deployed.
>
> Under Windows: in server-info I see now only my implementation of emailSender, sending emails goes through my sender.
> > In Docker image, I see BOTH default provider (default) and my own (emailSender), and sending email causes NullPointerException when FreeMarker tries to use the sender:
> >
> >     protected void send(Map config, String subject, String textBody, String htmlBody) throws EmailException {
> >         EmailSenderProvider emailSender = session.getProvider(EmailSenderProvider.class);
> >         emailSender.send(config, user, subject, textBody, htmlBody);
> >     }
> >
> > In both cases, I'm using keycloak 4.5.0.Final and JDK 8. I don't see any other errors or warnings in the log.
> >
> > What could have gone wrong in the docker image? Why does keycloak behave differently in the two cases, and why didn't switching the SPI implementation work in the dockerized version?
> >
> > Best regards,
> > Lukasz Lech
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From fabio.ebner at lumera.com.br Fri Oct 12 22:18:08 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Fri, 12 Oct 2018 23:18:08 -0300
Subject: [keycloak-user] Unrecognized field "authenticationFlowBindingOverrides"
Message-ID:

When I try to get my client with this code:

    ClientRepresentation app1Client = realmResource.clients().findByClientId("central-api").get(0);

this error is returned:

    javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "authenticationFlowBindingOverrides" (class org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (38 known properties: "enabled", "clientAuthenticatorType", "redirectUris", "clientId", "authorizationServicesEnabled", "name", "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout", "publicClient", "attributes", "protocol", "webOrigins", "protocolMappers", "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed", "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl", "secret", "useTemplateMappers", "notBefore", "useTemplateScope", "standardFlowEnabled", "description", "directAccessGrantsEnabled", "useTemplateConfig", "serviceAccountsEnabled", "consentRequired", "access", "bearerOnly", "registrationAccessToken", "defaultRoles", "authorizationSettings"])

This is my pom (dependencies, as groupId:artifactId:version):

    org.keycloak:keycloak-spring-security-adapter:3.4.3.Final
    org.keycloak:keycloak-spring-boot-starter:3.4.3.Final
    org.keycloak:keycloak-admin-client:3.4.3.Final
    javax.ws.rs:javax.ws.rs-api:2.1
    org.jboss.resteasy:resteasy-client:3.1.3.Final
    org.jboss.resteasy:resteasy-jackson2-provider:3.1.3.Final

From ramonpadilla1 at yahoo.co.uk Sun Oct 14 12:33:02 2018
From: ramonpadilla1 at yahoo.co.uk (ksl)
Date: Sun, 14 Oct 2018 09:33:02 -0700 (MST)
Subject: [keycloak-user] Keycloak CORS issue associated with login redirect
Message-ID: <1539534782448-0.post@n6.nabble.com>

I am using Keycloak 4.4.0 to secure my rest service, which is implemented using Spring Boot, and I am using React for the front end. I get a CORS error when the front end (running on localhost:3000) makes an API call to localhost:8080/login and is redirected to the Keycloak login page. The error is:

    localhost/:1 Failed to load http://localhost:8080/login: Redirect from 'http://localhost:8080/login' to 'http://localhost:9080/auth/realms/hbs/protocol/openid-connect/auth?response_type=code&client_id=hbs&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&state=ab5034a9-4baa-4be3-9ec1-feefbe5f9c0b&login=true&scope=openid' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

I have added a single value of '*' to the Web Origins config section in the Keycloak client.
I have annotated my REST controller as follows:

    import java.security.Principal;

    import org.springframework.http.ResponseEntity;
    import org.springframework.web.bind.annotation.CrossOrigin;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    class MyController {
        @CrossOrigin
        @GetMapping("/login")
        public ResponseEntity getFoo(Principal principal) {
            return ResponseEntity.ok(new Foo("blah"));
        }
    }

I have enabled keycloak and cors in the application properties:

    keycloak.cors = true
    keycloak.enabled = true

If I disable keycloak the CORS problem goes away. As described here, I suspect the issue is to do with the keycloak server not responding with any ACCESS-CONTROL-ALLOW-ORIGIN headers despite "Web Origins" being correctly configured in the keycloak admin portal. But I'm not completely sure how to confirm this.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From mposolda at redhat.com Mon Oct 15 03:19:37 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 15 Oct 2018 09:19:37 +0200
Subject: [keycloak-user] Unrecognized field "authenticationFlowBindingOverrides"
In-Reply-To:
References:
Message-ID: <2abf0c22-cceb-3d7f-c9fb-3fc8789a57d6@redhat.com>

I think the field "authenticationFlowBindingOverrides" was added in some Keycloak 4.X version. I suggest updating the Keycloak dependency versions in your pom from 3.4.3.Final to the same version as your Keycloak server.
Marek

On 13/10/18 04:18, Fabio Ebner wrote:
> When I try to get my client with this code:
>
> ClientRepresentation app1Client =
> realmResource.clients().findByClientId("central-api").get(0);
>
> this error is returned:
>
> javax.ws.rs.client.ResponseProcessingException:
> javax.ws.rs.ProcessingException:
> com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
> Unrecognized field "authenticationFlowBindingOverrides" (class
> org.keycloak.representations.idm.ClientRepresentation), not marked as
> ignorable (38 known properties: "enabled", "clientAuthenticatorType",
> "redirectUris", "clientId", "authorizationServicesEnabled", "name",
> "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout",
> "publicClient", "attributes", "protocol", "webOrigins", "protocolMappers",
> "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed",
> "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl",
> "secret", "useTemplateMappers", "notBefore", "useTemplateScope",
> "standardFlowEnabled", "description", "directAccessGrantsEnabled",
> "useTemplateConfig", "serviceAccountsEnabled", "consentRequired", "access",
> "bearerOnly", "registrationAccessToken", "defaultRoles",
> "authorizationSettings"])
>
> this is my pom (dependencies, as groupId:artifactId:version):
>
> org.keycloak:keycloak-spring-security-adapter:3.4.3.Final
> org.keycloak:keycloak-spring-boot-starter:3.4.3.Final
> org.keycloak:keycloak-admin-client:3.4.3.Final
> javax.ws.rs:javax.ws.rs-api:2.1
> org.jboss.resteasy:resteasy-client:3.1.3.Final
> org.jboss.resteasy:resteasy-jackson2-provider:3.1.3.Final
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From henning.waack at codecentric.de Mon Oct 15 03:20:12 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Mon, 15 Oct 2018 09:20:12 +0200
Subject: [keycloak-user] 401 when try to create an user
In-Reply-To:
References:
Message-ID:

Hi Fabio.

Make sure that your user has the permissions "manage-users" and "view-realm" from the role "realm-management". Make sure your scopes are defined such that these roles actually are part of your token.

Hth, greetings
Henning

On Sat, 13 Oct 2018 at 00:02, Fabio Ebner <fabio.ebner at lumera.com.br> wrote:
> I'm trying to use the keycloak admin client to create one user:
>
> my keycloak user is: keycloak and the password is k3ycl0@k
>
> So I'm using this code:
>
>     String serverUrl = "http://localhost:9090/auth/admin";
>     String realm = "Lumera";
>     String clientId = "admin-cli";
>     String clientSecret = "b1bc8d8e-2cff-4d6d-9cbd-d5fcfe82d1bc";
>
>     Keycloak keycloak = KeycloakBuilder.builder() //
>             .serverUrl(serverUrl)
>             .realm(realm)
>             .clientId(clientId)
>             // .clientSecret(clientSecret)
>             .username("keycloak")
>             .password("k3ycl0@k")
>             .build();
>
>     UserRepresentation user = new UserRepresentation();
>     user.setEnabled(true);
>     user.setUsername("tester1");
>     user.setEmail("te@teste.com.br");
>     user.setAttributes(Collections.singletonMap("origin", Arrays.asList("demo")));
>
>     RealmResource realmResource = keycloak.realm(realm);
>     UsersResource userRessource = realmResource.users();
>     javax.ws.rs.core.Response response = userRessource.create(user);
>     System.out.println(response.getLocation());
>
>     String userId = response.getLocation().getPath().replaceAll(".*/([^/]+)$", "$1");
>
>     RoleRepresentation testerRealmRole = realmResource.roles().get("tester").toRepresentation();
>     userRessource.get(userId).roles().realmLevel().add(Arrays.asList(testerRealmRole));
>
>     ClientRepresentation app1Client = realmResource.clients().findByClientId("app1").get(0);
>     RoleRepresentation userClientRole = realmResource.clients().get(app1Client.getId()).roles().get("user").toRepresentation();
>     userRessource.get(userId).roles().clientLevel(app1Client.getId()).add(Arrays.asList(userClientRole));
>
>     CredentialRepresentation passwordCred = new CredentialRepresentation();
>     passwordCred.setTemporary(false);
>     passwordCred.setType(CredentialRepresentation.PASSWORD);
>     passwordCred.setValue("test");
>     userRessource.get(userId).resetPassword(passwordCred);
>
> But it returns: Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
> in the line javax.ws.rs.core.Response response = userRessource.create(user);
>
> I'm using springboot 1.5.16
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Henning Waack | IT Consultant

codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
Management board: Michael Hochgärtel . Ulrich Kühn . Rainer Vehns
Supervisory board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From dt at acutus.pro Mon Oct 15 04:24:44 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 15 Oct 2018 11:24:44 +0300
Subject: [keycloak-user] roles in the user-info response
In-Reply-To: <1539378670.5223.1.camel@acutus.pro>
References: <1539378670.5223.1.camel@acutus.pro>
Message-ID: <1539591884.3660.3.camel@acutus.pro>

That's the bug https://issues.jboss.org/browse/KEYCLOAK-5259

It will be fixed in the upcoming 4.6.0, but my recommendation (to exclude roles from the access token and leave them in the ID token and/or userinfo) is still relevant.

Cheers,
Dmitry

On Sat, 2018-10-13 at 00:11 +0300, Dmitry Telegin wrote:
> Hi Simon,
>
> Seems like you've hit a bug. I was able to reproduce it, please let me know if the use case is similar to yours:
> 1. created an OIDC client;
> 2. created some client roles for that client;
> 3. assigned them to the user;
> 4. added two protocol mappers, User Client Role and User Realm Role;
> 5. obtained access token for the user via direct grant;
> 6. used the token to query Keycloak userinfo endpoint.
>
> If Full scope is enabled in client settings -> Scope, I can see all the roles in the returned userinfo.
>
> If Full scope is disabled, there is no way to add roles from step 2 to the scope. In the scope config, they show up in Effective roles, but neither in Assigned roles nor Available roles.
>
> I think this is because in the latter mode userinfo returns only direct roles, not effective ones. It's easy to prove; you can add, say, the "admin" realm role to the scope, but the userinfo won't include its child role, "create-realm", even if the user is admin.
>
> OTOH, you have added protocol mappers to the client, right? You can go to mapper settings and turn off "Add to access token" (leaving Full scope on). Thus, your access token won't include role info anymore, but it will remain in the ID token and userinfo endpoint response.
>
> As the last resort, you can use the Keycloak Admin REST API [1] to query for user roles.
>
> [1] https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote:
> > Hi,
> >
> > We have an existing system which we would like to integrate with keycloak.
> > This system has a legacy authorization model, which is fairly complex and
> > fine grained.
> >
> > Users of this system have many hundreds of roles which in some cases
> > results in the token being too large, breaking the header size.
> >
> > I was hoping that by limiting the roles within the token, through scope,
> > and an endpoint similar to user-info or token introspection, we could
> > determine which roles or resources the user is allowed to access through
> > validated identity.
> >
> > However, I found that by limiting the scope for the access token, the roles
> > are not returned as part of the user-info response.
> >
> > Is anyone aware of any alternatives which will allow me to test roles
> > associated with the user, at the resource server, without them being
> > present in the access token?
> >
> > thanks
> >
> > Simon.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Oct 15 04:44:19 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 15 Oct 2018 11:44:19 +0300
Subject: [keycloak-user] Testing SAML Identity Brokering
In-Reply-To:
References: <1539348599.9707.1.camel@acutus.pro>
Message-ID: <1539593059.3660.5.camel@acutus.pro>

Hi Craig,

On Fri, 2018-10-12 at 10:47 -0500, Craig Setera wrote:
> Dmitry,
>
> This is great! I was able to finally see a working SAML identity broker and I can therefore start to understand how it works.

You're welcome :) SAML with all its quirks is sometimes hard to grok even for seasoned engineers.

> One other question: I understand how to provide a "hint" about which identity provider to use when initiating login from my client application.

Do you mean the kc_idp_hint URL parameter? You should remember that it will work only with OpenID Connect clients.
More info here: https://issues.jboss.org/browse/KEYCLOAK-4884

> Is there a way to "start" login at the SAML service and have it redirect back to Keycloak or must the login processing always start at Keycloak?

I'm afraid I don't fully understand what is meant by "SAML service" here. In SAML lexicon, there are Service Providers (SPs) and Identity Providers (IDPs).

In the simplest scenario, your web application is an SP, and Keycloak is an IDP.

You access your webapp, get redirected to Keycloak, pass authentication, get redirected back and allowed to access the app. This is called "SP-initiated login" in SAML parlance.

You can also go to a special URL inside Keycloak, be taken to the login screen immediately, and upon successful login be redirected to your webapp. This is called "IDP-initiated login".

Both scenarios are possible with brokering, where Keycloak also poses as an SP for a 3rd party IDP.

SP-initiated workflow will look like the following:
webapp -> Keycloak -> 3rd party IDP -> (Keycloak, transparently) -> webapp

IDP-initiated:
3rd party IDP -> (Keycloak, transparently) -> webapp

Does any of the above resemble your use case?

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Thanks again,
> Craig
>
> =================================
> Craig Setera
> Chief Technology Officer
>
> On Fri, Oct 12, 2018 at 7:50 AM Dmitry Telegin wrote:
> > Hi Craig,
> >
> > On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
> > > I'm attempting to set up a test of identity brokering all within a single
> > > Keycloak server. I have two realms set up. The "saml-demo" realm is set
> > > up with a SAML client. I've exported the SAML definition from that client
> > > and imported it into the Identity Brokering for the second realm.
> >
> > In the brokering scenario, your webapp should remain the client of the saml-demo realm, and this realm itself should become a client of another realm. This is how brokering actually works.
> >
> > Let's assume there are realms "foo" and "bar", and the former should broker to the latter. The exact steps are:
> > 1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
> > 2. Scroll down to "Import from URL", enter the following:
> >    http://<host>:<port>/auth/realms/bar/protocol/saml/descriptor
> >    (replace "bar" with the actual name of your second realm)
> > 3. Go to the Export tab, save the EntityDescriptor XML;
> > 4. Go to "bar" realm -> Clients, create one, import the XML from the previous step, provide some meaningful name;
> > 5. Create some users in "bar".
> >
> > After that, try accessing your SAML client. You'll be presented with the Keycloak login screen where you'll be able to either authenticate against "saml-demo", or to choose another realm.
> >
> > Some notes:
> > - you can avoid the first login screen and redirect automatically to the second realm, using a custom authentication flow with IDP redirector + flow override at the client level;
> > - upon the first brokered login, the user will be presented with the Update account details screen. If you want to bypass that, you can enable identity auto-linking.
> >   It's out of the box in KC 4.5.0, thx to excellent work by Ryan Slominski: https://issues.jboss.org/browse/KEYCLOAK-7270
> >   For KC <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > > Unfortunately, I can't seem to get to the login page of the "saml-demo"
> > > when navigating from the second realm. When I click on the identity broker
> > > realm link, I'm seeing the following in the logs:
> > >
> > > keycloak_1  | Caused by: java.security.SignatureException: Signature length
> > > not correct: got 256 but was expecting 128
> > > keycloak_1  |     at
> > > sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
> > > keycloak_1  |     at
> > > java.security.Signature$Delegate.engineVerify(Signature.java:1222)
> > > keycloak_1  |     at java.security.Signature.verify(Signature.java:655)
> > > keycloak_1  |     at
> > > org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
> > >
> > > I've turned up logging for all of the Keycloak SAML functionality as well
> > > as for java.security. However, I'm struggling to figure out where the
> > > mismatch is located in the configuration and not quite sure where to even
> > > look.
> > >
> > > Can anyone offer suggestions on how to go about setting this up or
> > > troubleshooting what I'm doing?
> > >
> > > Thanks,
> > > Craig
> > >
> > > =================================
> > > *Craig Setera*
> > >
> > > *Chief Technology Officer*
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From dt at acutus.pro Mon Oct 15 05:29:04 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 15 Oct 2018 12:29:04 +0300
Subject: [keycloak-user] How to specify refresh tokens lifespan in Keycloak
In-Reply-To:
References:
Message-ID: <1539595744.3660.7.camel@acutus.pro>

Hi Roman,

This value is derived from the "SSO Session Idle" field.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-10-09 at 14:08 +0300, Roman O wrote:
> Keycloak refresh token lifetime is 1800 seconds:
>
>     "refresh_expires_in": 1800
>
> How to specify a different default expiry time? In the Keycloak admin UI, only
> the access token lifespan can be specified:
>
> [image: enter image description here]
>
> oauth-2.0 access-token openid-connect keycloak refresh-token
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From deepag at aissel.com Mon Oct 15 05:44:29 2018
From: deepag at aissel.com (Deepa Gaddigoudar)
Date: Mon, 15 Oct 2018 15:14:29 +0530
Subject: [keycloak-user] Managing Mysql relational database setup
Message-ID: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com>

Hello All,

I have configured the keycloak DB from H2 to Mysql. My applications are working fine too. What I want is,

1. Can I manage the user credentials? (Because I want to import existing users' credentials generated before integrating the application with keycloak, as we don't want to create new user credentials and make it difficult for end users).
2. If I could import existing credentials (username and password) into keycloak mysql, then into which table? (Because I am not finding the passwords anywhere in a table.)

Thank you

--
------------------------------------------------------------------------
*Deepa M Gaddigoudar | Software Developer*
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli - 580029. India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag at aissel.com

From dt at acutus.pro Mon Oct 15 06:12:28 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 15 Oct 2018 13:12:28 +0300
Subject: [keycloak-user] Managing Mysql relational database setup
In-Reply-To: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com>
References: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com>
Message-ID: <1539598348.3660.10.camel@acutus.pro>

Hello Deepa,

On Mon, 2018-10-15 at 15:14 +0530, Deepa Gaddigoudar wrote:
> Hello All,
>
> I have configured the keycloak DB from H2 to Mysql. My applications are
> working fine too. What I want is,
>
> 1. Can I manage the user credentials? (Because I want to import
>    existing users' credentials generated before integrating the application
>    with keycloak, as we don't want to create new user credentials and
>    make it difficult for end users).

The answer is "yes", provided that the hash algorithm is known.

There are three hash algorithms supported out of the box, namely PBKDF2-{SHA1,SHA256,SHA512}.
If your legacy hash format/algorithm is different from that, you'll need to implement a PasswordHashProvider.
Here's the example of how this was done for BCrypt: https://github.com/leroyguillaume/keycloak-bcrypt

> 2. If I could import existing credentials (username and password) into
>    keycloak mysql, then into which table? (Because I am not finding the
>    passwords anywhere in a table.)

The table is called "credential".

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Thank you

From deepag at aissel.com Mon Oct 15 06:30:37 2018
From: deepag at aissel.com (Deepa Gaddigoudar)
Date: Mon, 15 Oct 2018 16:00:37 +0530
Subject: [keycloak-user] Managing Mysql relational database setup
In-Reply-To: <1539598348.3660.10.camel@acutus.pro>
References: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com> <1539598348.3660.10.camel@acutus.pro>
Message-ID: <4f13a798-e85c-386e-c054-8c63659d840e@aissel.com>

Hello Dmitry,

Can you please provide a link to any source that I could refer to for importing user credentials from an existing mysql user table into the keycloak "credentials" table?

Regards,
Deepa M G

On Monday 15 October 2018 03:42 PM, Dmitry Telegin wrote:
> Hello Deepa,
>
> On Mon, 2018-10-15 at 15:14 +0530, Deepa Gaddigoudar wrote:
>> Hello All,
>>
>> I have configured the keycloak DB from H2 to Mysql. My applications are
>> working fine too. What I want is,
>>
>> 1. Can I manage the user credentials? (Because I want to import
>>    existing users' credentials generated before integrating the application
>>    with keycloak, as we don't want to create new user credentials and
>>    make it difficult for end users).
> The answer is "yes", provided that the hash algorithm is known.
>
> There are three hash algorithms supported out of the box, namely PBKDF2-{SHA1,SHA256,SHA512}.
> If your legacy hash format/algorithm is different from that, you'll need to implement a PasswordHashProvider.
> Here's the example of how this was done for BCrypt: https://github.com/leroyguillaume/keycloak-bcrypt
>
>> 2. If I could import existing credentials (username and password) into
>>    keycloak mysql, then into which table? (Because I am not finding the
>>    passwords anywhere in a table.)
> The table is called "credential".
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
>>
>> Thank you

--
------------------------------------------------------------------------
*Deepa M Gaddigoudar | Software Developer*
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli - 580029. India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag at aissel.com

From dt at acutus.pro Mon Oct 15 06:44:30 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 15 Oct 2018 13:44:30 +0300
Subject: [keycloak-user] Managing Mysql relational database setup
In-Reply-To: <4f13a798-e85c-386e-c054-8c63659d840e@aissel.com>
References: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com> <1539598348.3660.10.camel@acutus.pro> <4f13a798-e85c-386e-c054-8c63659d840e@aissel.com>
Message-ID: <1539600270.3660.15.camel@acutus.pro>

Deepa,

The importing process itself should be trivial, but before that you need to sort out the hash algorithm issue. Could you please show us some sample records from your MySQL user table? (provided that there's no sensitive info there; you can create a test user for that)

Dmitry

On Mon, 2018-10-15 at 16:00 +0530, Deepa Gaddigoudar wrote:
> Hello Dmitry,
>
> Can you please provide a link to any source that I could refer to for importing user credentials from an existing mysql user table into the keycloak "credentials" table?
>
> Regards,
> Deepa M G
>
> On Monday 15 October 2018 03:42 PM, Dmitry Telegin wrote:
> > Hello Deepa,
> >
> > On Mon, 2018-10-15 at 15:14 +0530, Deepa Gaddigoudar wrote:
> > > Hello All,
> > >
> > > I have configured the keycloak DB from H2 to Mysql. My applications are
> > > working fine too. What I want is,
> > >
> > > 1. Can I manage the user credentials? (Because I want to import
> > >    existing users' credentials generated before integrating the application
> > >    with keycloak, as we don't want to create new user credentials and
> > >    make it difficult for end users).
> >
> > The answer is "yes", provided that the hash algorithm is known.
> >
> > There are three hash algorithms supported out of the box, namely PBKDF2-{SHA1,SHA256,SHA512}.
> > If your legacy hash format/algorithm is different from that, you'll need to implement a PasswordHashProvider.
> > Here's the example of how this was done for BCrypt: https://github.com/leroyguillaume/keycloak-bcrypt
> >
> > > 2. If I could import existing credentials (username and password) into
> > >    keycloak mysql, then into which table? (Because I am not finding the
> > >    passwords anywhere in a table.)
> >
> > The table is called "credential".
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > > Thank you
>
> --
> Deepa M Gaddigoudar | Software Developer
> Aissel Technologies Pvt. Ltd.
> A Block, Floor 2, IT Park, Hubli - 580029. India
> Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
> Cell: +91 8951519616
> E-Mail: deepag at aissel.com

From simonpayne58 at gmail.com Mon Oct 15 07:08:10 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Mon, 15 Oct 2018 12:08:10 +0100
Subject: [keycloak-user] roles in the user-info response
In-Reply-To: <1539591884.3660.3.camel@acutus.pro>
References: <1539378670.5223.1.camel@acutus.pro> <1539591884.3660.3.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Looks like I am suffering from the same issue, thanks for highlighting.

I am using client mappers to add to the user-info; however, I don't seem to be able to replicate your suggestion of removing the unwanted token claims through use of the mapper.
The negative state of this option appears to not add rather than remove. the only way it appears i can remove the realm role is to use the hard-coded claim mapper and set to some unwanted value effectively overwriting the contents. i'm using 4.5 docker image for testing. it's also highly likely that in my use case, i will still wanted 'some' limited realm roles in the token to give some basic auth model for the keycloak adaptor to protect the underlying resource. e.g. 'basic-user' etc - so maybe having the option to limit scope in the normal manner would be best option. thanks Simon On Mon, Oct 15, 2018 at 9:24 AM Dmitry Telegin
wrote: > That's the bug https://issues.jboss.org/browse/KEYCLOAK-5259 > > It will be fixed in the upcoming 4.6.0, but my recommendation (to exclude > roles from access token and leave them in ID token and/or userinfo) is > still relevant. > > Cheers, > Dmitry > > On Sat, 2018-10-13 at 00:11 +0300, Dmitry Telegin wrote: > > Hi Simon, > > > > Seems like you've hit a bug. I was able to reproduce it, please let me > know if the use case is similar to yours: > > 1. created an OIDC client; > > 2. created some client roles for that client; > > 3. assigned them to the user; > > 4. added two protocol mappers, User Client Role and User Realm Role; > > 5. obtained access token for the user via direct grant; > > 6. used the token to query Keycloak userinfo endpoint. > > > > If Full scope is enabled in client settings -> Scope, I can see all the > roles in the returned userinfo. > > > > If Full scope is disabled, there is no way to add roles from step 2 to > the scope. In the scope config, they show up in Effective roles, but > neither in Assigned roles nor Available roles. > > > > I think this is because in the latter mode userinfo returns only direct > roles, not effective ones. It's easy to proof; you can add, say, "admin" > realm role to the scope, but the userinfo won't include it's child role, > "create-realm", even if the user is admin. > > > > OTOH, you have added protocol mappers to the client, right? You can go > to mapper settings and turn off "Add to access token" (leaving Full scope > on). Thus, your access token won't include role info anymore, but it will > remain in the ID token and userinfo endpoint response. > > > > As the last resort, you can use Keycloak Admin REST API [1] to query for > user roles. > > > > [1] > https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. 
> > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote: > > > Hi, > > > > > > We have an existing system which we would like to integrate with > keycloak. > > > This system has a legacy authorization model, which is fairly complex > and > > > fine grained. > > > > > > Users of this system have many hundreds of roles which in some cases > > > results in the token being too large, breaking the header size. > > > > > > I was hoping that by limiting the roles within the token, through > scope, > > > and an endpoint similar to user-info or token introspection, we could > > > determine which roles or resources the user is allowed to access > through > > > validated identity. > > > > > > however, i found that by limiting the scope for the access token, the > roles > > > are not returned as part of the user-info response. > > > > > > is anyone aware of any alternatives which will allow me to test roles > > > associated with the user , at the resource server, without them being > > > present in the access token? > > > > > > thanks > > > > > > Simon. 
> > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From craig at baseventure.com Mon Oct 15 07:09:25 2018 From: craig at baseventure.com (Craig Setera) Date: Mon, 15 Oct 2018 06:09:25 -0500 Subject: [keycloak-user] Testing SAML Identity Brokering In-Reply-To: <1539593059.3660.5.camel@acutus.pro> References: <1539348599.9707.1.camel@acutus.pro> <1539593059.3660.5.camel@acutus.pro> Message-ID: I think what I'm trying to understand is your IDP-initiated use case. Assuming that a user has already been authenticated as part of some other webapp, how does the IDP transition to our web app in that circumstance? ================================= *Craig Setera* *Chief Technology Officer* On Mon, Oct 15, 2018 at 3:44 AM Dmitry Telegin
wrote:
> Hi Craig,
>
> On Fri, 2018-10-12 at 10:47 -0500, Craig Setera wrote:
> > Dmitry,
> >
> > This is great! I was able to finally see a working SAML identity broker and I can therefore start to understand how it works.
>
> You're welcome :) SAML with all its quirks is sometimes hard to grok even for seasoned engineers.
>
> > One other question: I understand how to provide a "hint" about which identity provider to use when initiating login from my client application.
>
> Do you mean the kc_idp_hint URL parameter? You should remember that it will work only with OpenID Connect clients.
> More info here: https://issues.jboss.org/browse/KEYCLOAK-4884
>
> > Is there a way to "start" login at the SAML service and have it redirect back to Keycloak or must the login processing always start at Keycloak?
>
> I'm afraid I don't fully understand what is meant by "SAML service" here. In SAML lexicon, there are Service Providers (SPs) and Identity Providers (IDPs).
>
> In the simplest scenario, your web application is an SP, and Keycloak is an IDP.
>
> You access your webapp, get redirected to Keycloak, pass authentication, get redirected back and allowed to access the app. This is called "SP-initiated login" in SAML parlance.
>
> You can also go to a special URL inside Keycloak, be taken to login screen immediately, and upon successful login redirected to your webapp. This is called "IDP-initiated login".
>
> Both scenarios are possible with brokering, where Keycloak also poses as an SP for a 3rd party IDP.
>
> SP-initiated workflow will look like the following:
> webapp -> Keycloak -> 3rd party IDP -> (Keycloak, transparently) -> webapp
>
> IDP-initiated:
> 3rd party IDP -> (Keycloak, transparently) -> webapp
>
> Does any of the above resemble your use case?
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Thanks again,
> > Craig
> >
> > =================================
> > Craig Setera
> > Chief Technology Officer
> >
> > On Fri, Oct 12, 2018 at 7:50 AM Dmitry Telegin
wrote:
> > > Hi Craig,
> > >
> > > On Thu, 2018-10-11 at 15:36 -0500, Craig Setera wrote:
> > > > I'm attempting to set up a test of identity brokering all within a single Keycloak server. I have two realms set up. The "saml-demo" realm is set up with a SAML client. I've exported the SAML definition from that client and imported it into the Identity Brokering for the second realm.
> > >
> > > In the brokering scenario, your webapp should remain the client of the saml-demo realm, and this realm itself should become a client of another realm. This is how brokering actually works.
> > >
> > > Let's assume there are realms "foo" and "bar", and the former should broker to the latter. The exact steps are:
> > > 1. Go to "foo" realm -> Identity Providers -> add SAML 2.0 provider;
> > > 2. Scroll down to "Import from URL", enter the following:
> > >    http://:/auth/realms/bar/protocol/saml/descriptor
> > >    (replace "bar" with the actual name of your second realm)
> > > 3. Go to Export tab, save EntityDescriptor XML;
> > > 4. Go to "bar" realm -> Clients, create one, import the XML from the previous step, provide some meaningful name;
> > > 5. Create some users in "bar".
> > >
> > > After that, try accessing your SAML client. You'll be presented with the Keycloak login screen where you'll be able to either authenticate against "saml-demo", or to choose another realm.
> > >
> > > Some notes:
> > > - you can avoid first login screen and redirect automatically to the second realm, using custom authentication flow with IDP redirector + flow override at the client level;
> > > - upon the first brokered login, the user will be presented with the Update account details screen. If you want to bypass that, you can enable identity auto-linking.
> > > It's out of the box in KC 4.5.0, thx to excellent work by Ryan Slominski: https://issues.jboss.org/browse/KEYCLOAK-7270
> > > For KC <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user
> > >
> > > Good luck!
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > > Unfortunately, I can't seem to get to the login page of the "saml-demo" when navigating from the second realm. When I click on the identity broker realm link, I'm seeing the following in the logs:
> > > >
> > > > keycloak_1 | Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 128
> > > > keycloak_1 | at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
> > > > keycloak_1 | at java.security.Signature$Delegate.engineVerify(Signature.java:1222)
> > > > keycloak_1 | at java.security.Signature.verify(Signature.java:655)
> > > > keycloak_1 | at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
> > > >
> > > > I've turned up logging for all of the Keycloak SAML functionality as well as for java.security. However, I'm struggling to figure out where the mismatch is located in the configuration and not quite sure where to even look.
> > > >
> > > > Can anyone offer suggestions on how to go about setting this up or troubleshooting what I'm doing?
> > > >
> > > > Thanks,
> > > > Craig
> > > >
> > > > =================================
> > > > Craig Setera
> > > > Chief Technology Officer
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From deepag at aissel.com Mon Oct 15 07:17:21 2018
From: deepag at aissel.com (Deepa Gaddigoudar)
Date: Mon, 15 Oct 2018 16:47:21 +0530
Subject: [keycloak-user] Managing Mysql relational database setup
In-Reply-To: <1539600270.3660.15.camel@acutus.pro>
References: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com> <1539598348.3660.10.camel@acutus.pro> <4f13a798-e85c-386e-c054-8c63659d840e@aissel.com> <1539600270.3660.15.camel@acutus.pro>
Message-ID: <0ae2738a-13cc-19cc-8908-d11164c0c63a@aissel.com>

Dmitry,

Below is my user table; the password is hashed with the MD5 algorithm (i.e. the simpleloginsecure library). Please suggest the steps to resolve.

my user data table structure

Regards,

On Monday 15 October 2018 04:14 PM, Dmitry Telegin wrote:
> Deepa,
>
> The importing process itself should be trivial, but before that you need to sort out the hash algorithm issue.
>
> Could you please show us some sample records from your MySQL user table? (provided that there's no sensitive info there; you can create a test user for that)
>
> Dmitry
>
> On Mon, 2018-10-15 at 16:00 +0530, Deepa Gaddigoudar wrote:
>> Hello Dmitry,
>>
>> Can you please provide a link to any source that I could refer to for importing user credentials from an existing MySQL user table to the Keycloak "credentials" table?
>>
>> Regards,
>> Deepa M G
>>
>> On Monday 15 October 2018 03:42 PM, Dmitry Telegin wrote:
>>> Hello Deepa,
>>>
>>> On Mon, 2018-10-15 at 15:14 +0530, Deepa Gaddigoudar wrote:
>>>> Hello All,
>>>>
>>>> I have configured the Keycloak DB from H2 to MySQL. My applications are working fine too. What I want is:
>>>>
>>>> 1.
>>>> Can I manage the user credentials? (Because I want to import existing users' credentials generated before integrating the application with Keycloak, as we don't want to create new user credentials and make it difficult for end users).
>>> The answer is "yes", provided that the hash algorithm is known.
>>>
>>> There are three hash algorithms supported out of the box, namely PBKDF2-{SHA1,SHA256,SHA512}
>>> If your legacy hash format/algorithm is different from that, you'll need to implement a PasswordHashProvider.
>>> Here's the example of how this was done for BCrypt: https://github.com/leroyguillaume/keycloak-bcrypt
>>>
>>>> 2. If I could import existing credentials (username and password) to Keycloak MySQL, then to which table? (Because I am not finding the passwords anywhere in the table.)
>>> The table is called "credential".
>>>
>>> Good luck!
>>> Dmitry Telegin
>>> CTO, Acutus s.r.o.
>>> Keycloak Consulting and Training
>>>
>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>> +42 (022) 888-30-71
>>> E-mail: info at acutus.pro
>>>
>>>> Thank you
>>
>> --
>> Deepa M Gaddigoudar | Software Developer
>> Aissel Technologies Pvt. Ltd.
>> A Block, Floor 2, IT Park, Hubli - 580029. India
>> Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
>> Cell: +91 8951519616
>> E-Mail: deepag at aissel.com

--
------------------------------------------------------------------------
Deepa M Gaddigoudar | Software Developer
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli - 580029.
India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag at aissel.com

From ionel.gardais at tech-advantage.com Mon Oct 15 07:59:08 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Mon, 15 Oct 2018 13:59:08 +0200 (CEST)
Subject: [keycloak-user] Notifying user about a login attempt
Message-ID: <1065264065.257960.1539604748151.JavaMail.zimbra@tech-advantage.com>

Hi,

Is there a way to notify a user by email whenever the user is logged in through a client of the realm?

Like "You've been logged by with your account ".

Thanks,
Ionel

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From lokesh.ravichandru at grootan.com Mon Oct 15 08:02:17 2018
From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru)
Date: Mon, 15 Oct 2018 17:32:17 +0530
Subject: [keycloak-user] Notifying user about a login attempt
In-Reply-To: <1065264065.257960.1539604748151.JavaMail.zimbra@tech-advantage.com>
References: <1065264065.257960.1539604748151.JavaMail.zimbra@tech-advantage.com>
Message-ID: <2E28826D-F1D4-4657-AB57-F441AC1194D7@grootan.com>

As far as my understanding goes, you shall extend the event listener API to listen to events and process based on them. Check the examples section for an event listener implementation.

- Lokesh

> On 15-Oct-2018, at 5:29 PM, GARDAIS Ionel wrote:
>
> Hi,
>
> Is there a way to notify user by email whenever the user is logged through a client of the realm ?
>
> Like "You've been logged by with your account ".
>
> Thanks,
> Ionel
>
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From triton.oidc at gmail.com Mon Oct 15 08:21:03 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Mon, 15 Oct 2018 12:21:03 +0000
Subject: [keycloak-user] possible encoding issue in the CLI tool
Message-ID:

Hi,

For Keycloak to be used in my enterprise, I need to pass some tests; one of those is importing test user data with non-conventional characters.

When I use the GUI, I get no issues. However, when I use the CLI, I lose some special characters somewhere.

I reproduced the issue in my dev environment. Here is what I do to create the test user:

SSO_DEMO_USERNAME=anakin; ${JBOSS_HOME}/bin/kcadm.sh create users -r "$SSO_REALM" -s username="$SSO_DEMO_USERNAME" -s firstName='Roma.???????.Vi?t Nam.??.??' -s lastName='Roma.???????.Vi?t Nam.??.??' -s email=$SSO_DEMO_USERNAME@mail.com -s enabled=true

The result is:

Created new user with id '8c6e99cb-58ad-45ae-a217-84e4dfd15c0b'

Here is a print screen with the previous command, the displayed firstname/lastname associated (anakin user) and the same one created with the GUI: obiwan

[image: image.png]

As you can see, only the one created with the GUI displays the name correctly.

I don't know if it's a bug or not. If so, should I create a GitHub issue for it?

I tried to escape the characters with single or double quotes: same results.

The Keycloak version I use is coming from https://access.redhat.com/containers/?tab=tech-details#/registry.access.redhat.com/redhat-sso-7-tech-preview/sso-cd-openshift

I think it's based on the 4.X release, but there was no --version on the kcadm binary, so I'm not sure.

Thanks for any help
Amaury

From craig at baseventure.com Mon Oct 15 08:21:30 2018
From: craig at baseventure.com (Craig Setera)
Date: Mon, 15 Oct 2018 07:21:30 -0500
Subject: [keycloak-user] Setting authentication execution requirement via kcadm.sh?
Message-ID:

I'm trying to figure out if it is possible to set the "requirement" level of an execution that is created for an authentication flow via the kcadm tool. I have a shell script that I'm using to set up the Keycloak configuration that looks like the following:

echo "Creating new authentication flow..."
AUTO_LINK_FLOW_ID=`${KCADM} create authentication/flows --id -r ${REALM_NAME} -s alias="FirstBrokerLoginAutoLink" -s providerId="basic-flow" -s topLevel=true`

echo "Adding unique authenticator..."
${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
    -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10

echo "Adding auto link authenticator..."
${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution -r ${REALM_NAME} \
    -s provider=idp-auto-link -s requirement=ALTERNATIVE -s priority=20

With this script, I'm seeing the flow and executions created, but the requirement seems to be ignored. In this case, the executions are always set to DISABLED.
I've tried to follow that up with an update call that looks like this:

echo "Adding unique authenticator..."
EXECUTION_ID=`${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
    -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10`
${KCADM} update authentication/flows/FirstBrokerLoginAutoLink/executions -r ${REALM_NAME} \
    -s id=${EXECUTION_ID} -s requirement=ALTERNATIVE

However, that is failing with the following error:

HTTP request error: Can not deserialize instance of com.fasterxml.jackson.databind.node.ObjectNode out of START_ARRAY token
at [Source: [B@527ee8a7; line: 1, column: 1]

Can anyone offer any suggestions on how to get this authentication flow properly configured so that the executions are set to ALTERNATIVE?

Thanks!
Craig

=================================
Craig Setera
Chief Technology Officer

From philippe.gauthier at inspq.qc.ca Mon Oct 15 08:45:04 2018
From: philippe.gauthier at inspq.qc.ca (Philippe Gauthier)
Date: Mon, 15 Oct 2018 12:45:04 +0000
Subject: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
Message-ID:

Hi

I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answers to his question.
http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html

This post was about the ClaimToRoleMapper class of the OIDC broker component. This class searches for a claim, checks its value and grants a role if the value equals the value specified in the configuration.

If the user from the IdP is not known by Keycloak, it will be created by the First Broker Login Flow and the role will be granted.

If the user is already known by Keycloak, has the role specified by the mapper and doesn't have the claim anymore, the role will be revoked.

But. If the user is known by Keycloak, doesn't have the role specified by the mapper and does have the claim, Keycloak does not grant him the role.
It is clear why it does this in the code, but it is not clear why it has been done that way. Here is the code.

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        if (hasClaimValue(mapperModel, context)) {
            RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
            if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
            user.grantRole(role);
        }
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        if (!hasClaimValue(mapperModel, context)) {
            RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
            if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
            user.deleteRoleMapping(role);
        }
        /* Maybe we should add an else here that does what the importNewUser does. */
    }

Thank you
Philippe Gauthier.

From fabio.ebner at lumera.com.br Mon Oct 15 08:53:48 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Mon, 15 Oct 2018 09:53:48 -0300
Subject: [keycloak-user] Unrecognized field "authenticationFlowBindingOverrides"
In-Reply-To: <2abf0c22-cceb-3d7f-c9fb-3fc8789a57d6@redhat.com>
References: <2abf0c22-cceb-3d7f-c9fb-3fc8789a57d6@redhat.com>
Message-ID:

Marek, thanks. I was using an old version in my pom,
but after I put the correct 4.5.0.Final, when I try to start my project it throws an exception:

Caused by: java.lang.NoClassDefFoundError: org/springframework/boot/web/server/WebServerFactoryCustomizer

Looking on Google, it says that class is only in Spring Boot > 2, so I updated my project to Springboot 2.0.5.Final. Now my project starts, but when I try to access any URL I get the error, in a loop:

at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
2018-10-15 09:50:12.363 ERROR 20936 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost] : Exception Processing /favicon.ico
java.lang.StackOverflowError: null
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
at or .....
[tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) [tomcat-embed-core-8.5.34.jar:8.5.34] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.34.jar:8.5.34] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_162] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_162] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.34.jar:8.5.34] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162] Caused by: java.lang.StackOverflowError: null at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] at org.key Em seg, 15 de out de 2018 ?s 04:19, Marek Posolda escreveu: > I think the field "authenticationFlowBindingOverrides" was added in some > Keycloak 4.X version. 
> I suggest updating the Keycloak dependency versions in your pom from
> 3.4.3.Final to the same version as your Keycloak server.
>
> Marek
>
> On 13/10/18 04:18, Fabio Ebner wrote:
> > When I try to get my client with this code:
> >
> >     ClientRepresentation app1Client =
> >             realmResource.clients().findByClientId("central-api").get(0);
> >
> > this error is returned:
> >
> >     javax.ws.rs.client.ResponseProcessingException:
> >     javax.ws.rs.ProcessingException:
> >     com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
> >     Unrecognized field "authenticationFlowBindingOverrides" (class
> >     org.keycloak.representations.idm.ClientRepresentation), not marked as
> >     ignorable (38 known properties: "enabled", "clientAuthenticatorType",
> >     "redirectUris", "clientId", "authorizationServicesEnabled", "name",
> >     "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout",
> >     "publicClient", "attributes", "protocol", "webOrigins", "protocolMappers",
> >     "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed",
> >     "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl",
> >     "secret", "useTemplateMappers", "notBefore", "useTemplateScope",
> >     "standardFlowEnabled", "description", "directAccessGrantsEnabled",
> >     "useTemplateConfig", "serviceAccountsEnabled", "consentRequired", "access",
> >     "bearerOnly", "registrationAccessToken", "defaultRoles",
> >     "authorizationSettings"])
> >
> > this is my pom.
> >
> >     <dependency>
> >         <groupId>org.keycloak</groupId>
> >         <artifactId>keycloak-spring-security-adapter</artifactId>
> >         <version>3.4.3.Final</version>
> >     </dependency>
> >     <dependency>
> >         <groupId>org.keycloak</groupId>
> >         <artifactId>keycloak-spring-boot-starter</artifactId>
> >         <version>3.4.3.Final</version>
> >     </dependency>
> >     <dependency>
> >         <groupId>org.keycloak</groupId>
> >         <artifactId>keycloak-admin-client</artifactId>
> >         <version>3.4.3.Final</version>
> >     </dependency>
> >     <dependency>
> >         <groupId>javax.ws.rs</groupId>
> >         <artifactId>javax.ws.rs-api</artifactId>
> >         <version>2.1</version>
> >     </dependency>
> >     <dependency>
> >         <groupId>org.jboss.resteasy</groupId>
> >         <artifactId>resteasy-client</artifactId>
> >         <version>3.1.3.Final</version>
> >     </dependency>
> >     <dependency>
> >         <groupId>org.jboss.resteasy</groupId>
> >         <artifactId>resteasy-jackson2-provider</artifactId>
> >         <version>3.1.3.Final</version>
> >     </dependency>
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From simonpayne58 at gmail.com Mon Oct 15 09:09:33 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Mon, 15 Oct 2018 14:09:33 +0100
Subject: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
In-Reply-To:
References:
Message-ID:

Hi Philippe,

Yes, I found that it wouldn't add or remove roles if the user was already known. I never got around to raising a Jira ticket to fix the issue as I had some issues trying to get a dev environment up and running - some unit tests just wouldn't run for me.

Anyway, this was my solution, which is running in our production and seems to still be working as expected. I just rebuilt the relevant service and deployed accordingly. I'm happy to work on the permanent fix.

I found it in 3.2.1 (I think it was) and it is still present in 4.3, which is the most up-to-date version we are running. There were some additional requirements which Marek mentioned to include in the fix; they will be in the original thread.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        mapRole(realm, user, mapperModel, context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        mapRole(realm, user, mapperModel, context);
    }

    // Same rule for new and already-known users: grant the role while the claim
    // value matches, revoke it when it does not.
    private void mapRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
                         BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);

        if (hasClaimValue(mapperModel, context)) {
            user.grantRole(role);
        } else {
            user.deleteRoleMapping(role);
        }
    }

Simon.

On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier <philippe.gauthier at inspq.qc.ca> wrote:
> Hi
>
> I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot
> find any answer to his question.
>
> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
>
> This post was about the ClaimToRoleMapper class of the OIDC broker component.
> This class searches for a claim, checks its value and grants a role if the
> value equals the value specified in the configuration.
>
> If the user from the IdP is not known by Keycloak, it will be created by
> the First Broker Login Flow and the role will be granted.
>
> If the user is already known by Keycloak, has the role specified by
> the mapper and no longer has the claim, the role will be revoked.
>
> But if the user is known by Keycloak, does not have the role specified by
> the mapper and has the claim, Keycloak does not grant him the role.
>
> It is clear why it does this in the code but it is not clear why this has
> been done that way:
>
> Here is the code.
>
>     @Override
>     public void importNewUser(KeycloakSession session, RealmModel realm,
>                               UserModel user, IdentityProviderMapperModel mapperModel,
>                               BrokeredIdentityContext context) {
>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>         if (hasClaimValue(mapperModel, context)) {
>             RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>             if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>             user.grantRole(role);
>         }
>     }
>
>     @Override
>     public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
>                                    UserModel user, IdentityProviderMapperModel mapperModel,
>                                    BrokeredIdentityContext context) {
>         String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>         if (!hasClaimValue(mapperModel, context)) {
>             RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>             if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>             user.deleteRoleMapping(role);
>         }
>         /* Maybe we should add an else here that does what importNewUser does. */
>     }
>
> Thank you
>
> Philippe Gauthier.

From philippe.gauthier at inspq.qc.ca Mon Oct 15 09:18:27 2018
From: philippe.gauthier at inspq.qc.ca (Philippe Gauthier)
Date: Mon, 15 Oct 2018 13:18:27 +0000
Subject: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
In-Reply-To:
References:
Message-ID:

Hi Simon.

I posted the question on the mailing list. I looked in the Keycloak devel branch on GitHub and the code is still the same as you posted last year.

We have a support contract with Red Hat. Maybe I can use this path to open the case?

Thank you.

Philippe.
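Simon's fix above is a patch to the built-in mapper, which has to be re-applied on every Keycloak upgrade. The same behaviour can be shipped as a separate identity-provider mapper with its own provider id, leaving the stock "Claim to Role" mapper untouched. The class below is an added example written for this thread, not code from the thread or from the Keycloak project; the package name, the provider id and the display text are assumptions. It extends ClaimToRoleMapper so it inherits the mapper's config properties (claim, claim.value, role), its compatible-provider list and the protected hasClaimValue() check from AbstractClaimMapper, and it only overrides the two lifecycle hooks plus the identity of the provider.

```java
package com.example.keycloak.broker;  // assumed package name

import org.keycloak.broker.oidc.mappers.ClaimToRoleMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ConfigConstants;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/**
 * "Claim to Role" variant that re-evaluates the claim on every brokered login,
 * registered under its own provider id so the stock mapper stays as shipped.
 */
public class SyncingClaimToRoleMapper extends ClaimToRoleMapper {

    // Assumed id; it must differ from ClaimToRoleMapper.PROVIDER_ID ("oidc-role-idp-mapper").
    public static final String PROVIDER_ID = "oidc-role-sync-idp-mapper";

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Claim to Role (sync on every login)";
    }

    @Override
    public String getHelpText() {
        return "Grant the role while the claim has the configured value and revoke it "
             + "when it does not, on first login and on every later login.";
    }

    // First broker login: same rule as every later login.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncRole(realm, user, mapperModel, context);
    }

    // Known user logging in again: the stock mapper only revokes here, this one also grants.
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        syncRole(realm, user, mapperModel, context);
    }

    private void syncRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
                          BrokeredIdentityContext context) {
        String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) {
            // Fail closed: a mapper pointing at a deleted role aborts the login
            // instead of silently leaving earlier grants in place.
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }
        // hasClaimValue() (inherited from AbstractClaimMapper) compares the configured
        // claim.value with the claim carried in the brokered token.
        boolean claimMatches = hasClaimValue(mapperModel, context);
        // Only direct mappings are touched; roles held through groups or composites are not.
        boolean directlyMapped = user.getRoleMappings().contains(role);
        if (claimMatches && !directlyMapped) {
            user.grantRole(role);
        } else if (!claimMatches && directlyMapped) {
            user.deleteRoleMapping(role);
        }
    }
}
```

To deploy it, package the class in a JAR together with a `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper` file containing the fully qualified class name, drop the JAR into the server (for example `standalone/deployments`), and choose "Claim to Role (sync on every login)" as the mapper type on the identity provider's Mappers tab. Because the revocation removes the direct role mapping whoever created it, exactly as in Simon's patch, the role named in the mapper should be one that is granted only through this mapper; anything an administrator assigned by hand under the same role name is lost on the next login without the claim.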
From fabio.ebner at lumera.com.br Mon Oct 15 09:33:35 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Mon, 15 Oct 2018 10:33:35 -0300
Subject: [keycloak-user] Unrecognized field "authenticationFlowBindingOverrides"
In-Reply-To:
References: <2abf0c22-cceb-3d7f-c9fb-3fc8789a57d6@redhat.com>
Message-ID:

I fixed it, but I needed to create the keycloak.json file. Using

    @Bean
    KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

doesn't work (I'm using a .yml file, I don't know if that is a limitation), but thanks anyway.

From triton.oidc at gmail.com Mon Oct 15 11:02:39 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Mon, 15 Oct 2018 15:02:39 +0000
Subject: [keycloak-user] Re : Setting authentication execution requirement via kcadm.sh?
In-Reply-To:
References:
Message-ID:

Hi Craig,

I'm not an expert, but here is what I did to set my execution's requirement to REQUIRED:

Create a JSON file my_file.json containing

    {"id":[ID_OF_YOUR_EXECUTION],"requirement":"REQUIRED"}

You can get the id of your execution with this command:

    ./kcadm.sh get authentication/flows/[your_flow]/executions --format csv -r $keycloak_new_realm --fields id | tr -d '\n'

and you can import the file with this command:

    ./kcadm.sh update authentication/flows/[your_flow]/executions -r $keycloak_new_realm -f my_file.json

There is probably a better way, but I didn't find it. Hope it helps.

Amaury

On Mon, Oct 15, 2018 at 1:07 PM wrote:
> Today's Topics:
>
>    1. Setting authentication execution requirement via kcadm.sh? (Craig Setera)
>    2. org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles (Philippe Gauthier)
>    3. Re: Unrecognized field "authenticationFlowBindingOverrides" (Fabio Ebner)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 15 Oct 2018 07:21:30 -0500
> From: Craig Setera
> Subject: [keycloak-user] Setting authentication execution requirement via kcadm.sh?
> To: keycloak-user at lists.jboss.org
> Message-ID: <CAPVdwjq1oyjCom4_A0TBJ8m3KBCgit5nOqMCGqKP4t2RU6zb5Q at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I'm trying to figure out if it is possible to set the "requirement" level
> of an execution that is created for an authentication flow via the kcadm
> tool. I have a shell script that I'm using to set up the Keycloak
> configuration that looks like the following:
>
>     echo "Creating new authentication flow..."
>     AUTO_LINK_FLOW_ID=`${KCADM} create authentication/flows --id -r ${REALM_NAME} \
>         -s alias="FirstBrokerLoginAutoLink" -s providerId="basic-flow" -s topLevel=true`
>
>     echo "Adding unique authenticator..."
>     ${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
>         -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10
>
>     echo "Adding auto link authenticator..."
>     ${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution -r ${REALM_NAME} \
>         -s provider=idp-auto-link -s requirement=ALTERNATIVE -s priority=20
>
> With this script, I'm seeing the flow and executions created, but the
> requirement seems to be ignored. In this case, the executions are always
> set to DISABLED. I've tried to follow that up with an update call that
> looks like this:
>
>     echo "Adding unique authenticator..."
>     EXECUTION_ID=`${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
>         -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10`
>     ${KCADM} update authentication/flows/FirstBrokerLoginAutoLink/executions -r ${REALM_NAME} \
>         -s id=${EXECUTION_ID} -s requirement=ALTERNATIVE
>
> However, that is failing with the following error:
>
>     HTTP request error: Can not deserialize instance of
>     com.fasterxml.jackson.databind.node.ObjectNode out of START_ARRAY token
>     at [Source: [B at 527ee8a7; line: 1, column: 1]
>
> Can anyone offer any suggestions on how to get this authentication flow
> properly configured so that the executions are set to ALTERNATIVE?
>
> Thanks!
> Craig
>
> =================================
> Craig Setera
> Chief Technology Officer
> at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.425 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet > [dispatcherServlet] threw exception > > java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at org.keycloak.ada > .... 
> at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.437 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[Tomcat].[localhost] : Exception Processing > ErrorPage[errorCode=0, location=/error] > > javax.servlet.ServletException: Filter execution threw an exception > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:316) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:395) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:254) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:349) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:175) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) > 
[tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.tomcat.util.net > .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.tomcat.util.net > .SocketProcessorBase.run(SocketProcessorBase.java:49) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [na:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [na:1.8.0_162] > at > > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162] > Caused by: java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > 
> On Mon, 15 Oct 2018 at 04:19, Marek Posolda wrote:
> > I think the field "authenticationFlowBindingOverrides" was added in some
> > Keycloak 4.X version. I suggest updating the Keycloak dependency versions
> > in your pom from 3.4.3.Final to the same version as your Keycloak server.
> >
> > Marek
> >
> > On 13/10/18 04:18, Fabio Ebner wrote:
> > > When I try to get my client with this code:
> > >
> > >     ClientRepresentation app1Client =
> > >         realmResource.clients().findByClientId("central-api").get(0);
> > >
> > > this error is returned:
> > >
> > >     javax.ws.rs.client.ResponseProcessingException:
> > >     javax.ws.rs.ProcessingException:
> > >     com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
> > >     Unrecognized field "authenticationFlowBindingOverrides" (class
> > >     org.keycloak.representations.idm.ClientRepresentation), not marked as
> > >     ignorable (38 known properties: "enabled", "clientAuthenticatorType",
> > >     "redirectUris", "clientId", "authorizationServicesEnabled", "name",
> > >     "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout",
> > >     "publicClient", "attributes", "protocol", "webOrigins", "protocolMappers",
> > >     "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed",
> > >     "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl",
> > >     "secret", "useTemplateMappers", "notBefore", "useTemplateScope",
> > >     "standardFlowEnabled", "description", "directAccessGrantsEnabled",
> > >     "useTemplateConfig", "serviceAccountsEnabled", "consentRequired", "access",
> > >     "bearerOnly", "registrationAccessToken", "defaultRoles",
> > >     "authorizationSettings"])
> > >
> > > this is my pom.
> > >     <dependency>
> > >         <groupId>org.keycloak</groupId>
> > >         <artifactId>keycloak-spring-security-adapter</artifactId>
> > >         <version>3.4.3.Final</version>
> > >     </dependency>
> > >     <dependency>
> > >         <groupId>org.keycloak</groupId>
> > >         <artifactId>keycloak-spring-boot-starter</artifactId>
> > >         <version>3.4.3.Final</version>
> > >     </dependency>
> > >     <dependency>
> > >         <groupId>org.keycloak</groupId>
> > >         <artifactId>keycloak-admin-client</artifactId>
> > >         <version>3.4.3.Final</version>
> > >     </dependency>
> > >     <dependency>
> > >         <groupId>javax.ws.rs</groupId>
> > >         <artifactId>javax.ws.rs-api</artifactId>
> > >         <version>2.1</version>
> > >     </dependency>
> > >
> > >     <dependency>
> > >         <groupId>org.jboss.resteasy</groupId>
> > >         <artifactId>resteasy-client</artifactId>
> > >         <version>3.1.3.Final</version>
> > >     </dependency>
> > >     <dependency>
> > >         <groupId>org.jboss.resteasy</groupId>
> > >         <artifactId>resteasy-jackson2-provider</artifactId>
> > >         <version>3.1.3.Final</version>
> > >     </dependency>
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> ------------------------------
>
> End of keycloak-user Digest, Vol 58, Issue 37
> *********************************************

From craig at baseventure.com Mon Oct 15 14:23:41 2018
From: craig at baseventure.com (Craig Setera)
Date: Mon, 15 Oct 2018 13:23:41 -0500
Subject: [keycloak-user] Disable certain account management tabs?
Message-ID:

(Apologies for all of the questions lately... I'm busy digging in and that leads me to questions!)

Is it possible to disable some of the tabs in the user account management application without changing the theme FTL? For instance, if I wanted to remove the "Sessions" tab, can that be done without rewriting the Freemarker template? (It doesn't look like it from the code, but I figured it was worth asking)

Thanks,
Craig

=================================
*Craig Setera*
*Chief Technology Officer*

From ssilvert at redhat.com Mon Oct 15 14:43:42 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 15 Oct 2018 14:43:42 -0400
Subject: [keycloak-user] Disable certain account management tabs?
In-Reply-To:
References:
Message-ID: <531bc8ed-3f51-26d1-4adf-dfecd1ac86ce@redhat.com>

On 10/15/2018 2:23 PM, Craig Setera wrote:
> (Apologies for all of the questions lately... I'm busy digging in and that
> leads me to questions!)
>
> Is it possible to disable some of the tabs in the user account management
> application without changing the theme FTL? For instance, if I wanted to
> remove the "Sessions" tab, can that be done without rewriting the
> Freemarker template? (It doesn't look like it from the code, but I figured
> it was worth asking)
No, but it's pretty easy to define a new theme. :-)
>
> Thanks,
> Craig
>
> =================================
> *Craig Setera*
>
> *Chief Technology Officer*

From anthony.meikle at xyleminc.com Mon Oct 15 15:46:01 2018
From: anthony.meikle at xyleminc.com (Meikle, Anthony)
Date: Mon, 15 Oct 2018 19:46:01 +0000
Subject: [keycloak-user] User Storage SPI with Mongo
Message-ID: <098DCFD9-EB38-4DAE-9E9C-E72F6E811BE8@xyleminc.com>

As Keycloak no longer supports Mongo, does this extend to the User Storage SPI as well? Meaning, is it possible to write an SPI to interact with MongoDB based on the structure of the current Provider Interfaces?
From fabio.ebner at lumera.com.br Mon Oct 15 16:05:55 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Mon, 15 Oct 2018 17:05:55 -0300
Subject: [keycloak-user] Using Annotations to secure method
Message-ID:

Is it possible to use the annotation @Secured() on my method to secure it, instead of:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/estado/*").hasRole("CARTORIO")
            .antMatchers("/natureza/*").hasRole("CLIENTE")
            .anyRequest().permitAll();
    }

tks

From dt at acutus.pro Mon Oct 15 18:00:25 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 16 Oct 2018 01:00:25 +0300
Subject: [keycloak-user] Dynamically branded login?
In-Reply-To:
References: <1533011148.5207.30.camel@acutus.pro> <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com> <1533171048.2094.15.camel@acutus.pro> <1539350057.9707.4.camel@acutus.pro>
Message-ID: <1539640825.9119.2.camel@acutus.pro>

Craig, Will,

I've published a PoC: https://github.com/dteleguin/keycloak-dynamic-branding

It demonstrates how to push URI info to the FTL context and utilize it inside the login template. Feel free to ask me any questions on that.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-10-12 at 09:46 -0500, Craig Setera wrote:
> The URL you call out is how I'm solving for this. I'm hopeful to be able to do something similar for the account management pages as well, but I haven't tried that at all to this point.
>
> I would love to see something more "official", but I understand if that isn't something easily handled in the core.
>
> =================================
> Craig Setera
> Chief Technology Officer
>
> On Fri, Oct 12, 2018 at 8:14 AM Dmitry Telegin
> wrote:
> > Craig, Will,
> >
> > Indeed, in the out-of-the-box configuration the URI info is not accessible in FTL templates. But I was able to provide it with the help of a custom LoginFormsProvider, which was trivial to implement.
> > Yep this adds another entity, but as long as you're deploying your custom theme as a module or via the deployments dir (which is the recommended way), you should be ok with this, as theme+provider could be packaged as a single JAR.
> >
> > Since it turns out to be kind of a popular topic, I think I'll publish the PoC and maybe even write an article on that. In a few words, you extend FreeMarkerLoginFormsProvider and override createCommonAttributes(), where you can push any arbitrary data to the FTL context.
> >
> > 2 Craig: is your use case similar to that of Will? I mean your URL is like this:
> > http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?...&customvar=1
> >
> > I'm asking because if you append a query param to your client URL, it won't be propagated to the Keycloak auth URL directly, but rather as a part of the redirect_uri param (from where it can be parsed of course).
> >
> > P.S. if anyone from the dev team reads this: do you think we can have this OOTB?
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Mon, 2018-10-08 at 10:04 -0500, Craig Setera wrote:
> > > Following up on this conversation. I was unable to find a way to do this via the Freemarker templates unfortunately. The templates are not receiving anything useful in determining the full path and query parameters. The only approach that I've found to do what I need is to add a small Javascript snippet to my theme that is able to look at the query parameters and insert a new stylesheet reference into the code based on a query parameter.
> > > Ugly, but seems effective assuming I can get my query parameter set in all of the URL's that matter.
> > >
> > > =================================
> > > Craig Setera
> > > Chief Technology Officer
> > >
> > > On Wed, Aug 29, 2018 at 9:36 AM Craig Setera wrote:
> > > > Dmitry,
> > > >
> > > > I've put Keycloak on the back burner for the moment. I do intend to pick it back up toward the end of the year and I expect I will be digging into this heavily. If I figure anything out, I will be sure to report back.
> > > >
> > > > Craig
> > > >
> > > > =================================
> > > > Craig Setera
> > > > Chief Technology Officer
> > > > 415-324-5861
> > > > craig at baseventure.com
> > > >
> > > > On Wed, Aug 1, 2018 at 7:50 PM Dmitry Telegin
> > > > wrote:
> > > > > Craig, Will,
> > > > >
> > > > > Sorry for having fooled you :-\ turns out that the ${url} object is actually not what it seems.
> > > > >
> > > > > I'd suggest the following trick. Could someone please try dumping all the available FTL variables using the below approach?
> > > > > https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-dumper-script-for-liferay-7
> > > > >
> > > > > This is for Liferay, but I hope it works with Keycloak FTLs without any major modifications. So hopefully we can fish something useful out of there.
> > > > >
> > > > > Cheers,
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote:
> > > > > > Hi Dmitry,
> > > > > >
> > > > > > I have a use case for this same need: conditionally rendering a block of HTML in the login.ftl based on the value of a query string param.
> > > > > >
> > > > > > I have a question with more details here: https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158
> > > > > >
> > > > > > I attempted to use ${url} as you suggested, however it does not have a public method that provides the request url :(
> > > > > >
> > > > > > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java
> > > > > >
> > > > > > Am I missing something? Or is there any other way to access the login request url in login.ftl?
> > > > > >
> > > > > > Thanks, Will
> > > > > >
> > > > > > > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin
> > > > > > wrote:
> > > > > > >
> > > > > > > Hi Craig, sorry for the late response,
> > > > > > >
> > > > > > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
> > > > > > > > We build and host a multitenant application that is currently using
> > > > > > > > homegrown authentication and authorization (using Picketlink). We are
> > > > > > > > considering a move to Keycloak. My preference would be to use the login
> > > > > > > > flows that are built in to Keycloak rather than building our own, however
> > > > > > > > that is dependent on whether we can properly brand those login flows on a
> > > > > > > > per-customer basis in some dynamic way.
> > > > > > >
> > > > > > > In Keycloak parlance, the term "login flow" has a very particular
> > > > > > > meaning. Basically, it's what you see in the Authentication section in
> > > > > > > the Admin Console. It defines how authentication *works* rather than
> > > > > > > how it *looks like* (i.e. logic rather than appearance).
> > > > > > >
> > > > > > > Do you really mean "login flows"? From the second part of your message
> > > > > > > I can deduce you're mainly interested in customizing the GUI.
> > > > > > >
> > > > > > > > In looking at the theme SPI support, it appears to be mostly targeted to
> > > > > > > > supporting multiple "static" themes. Is it possible to make a theme that
> > > > > > > > is dynamic based on, for example, a query parameter?
> > > > > > >
> > > > > > > By default, Keycloak uses FreeMarker templates for login screens. In
> > > > > > > the templates, the URL object is exposed as ${url}, so you can analyze
> > > > > > > it and add conditional statements. If you're ok with that, probably you
> > > > > > > won't need to implement any SPIs.
> > > > > > >
> > > > > > > Otherwise, you can either implement custom theme selection logic based
> > > > > > > on request parameters (Theme Selector SPI), or completely redefine the
> > > > > > > theming mechanism (Theme SPI).
> > > > > > >
> > > > > > > > Are there any
> > > > > > > > examples anywhere on how that might be possible?
> > > > > > >
> > > > > > > Well, builtin Keycloak themes are the best example IMO :) you can find
> > > > > > > the default login theme under
> > > > > > > themes/src/main/resources/theme/base/login in the source tree.
> > > > > > >
> > > > > > > > Would Keycloak carry
> > > > > > > > through query parameters if they were provided when launching the login
> > > > > > > > flow?
> > > > > > >
> > > > > > > It's best to create a custom theme and see :)
> > > > > > >
> > > > > > > Good luck!
> > > > > > > Dmitry Telegin
> > > > > > > CTO, Acutus s.r.o.
> > > > > > > Keycloak Consulting and Training
> > > > > > >
> > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > > > +42 (022) 888-30-71
> > > > > > > E-mail: info at acutus.pro
> > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Craig

From fabio.ebner at lumera.com.br Mon Oct 15 20:04:43 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Mon, 15 Oct 2018 21:04:43 -0300
Subject: [keycloak-user] Cors
Message-ID:

I'm trying to get a token with a JS client,
so I configured my client just like the image, and this is my code (Axios) to try to get the token:

    this.axios.post(
      'http://localhost:9090/auth/realms/Lumera/protocol/openid-connect/token',
      {
        username: this.email,
        password: this.senha,
        grant_type: 'password',
        client_id: 'central-api',
      },
      {
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded',
        },
      },
    ).then((response) => {
      console.log('ok');
    }).catch((error) => {
      console.log('erro');
    });

but I got the error:

    Failed to load http://localhost:9090/auth/realms/Lumera/protocol/openid-connect/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 400.

[image: Screen Shot 2018-10-15 at 21.00.51.png]

If I use Postman to get a token it works fine. So the Web Origins should work in this case?

tks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2018-10-15 at 21.00.51.png
Type: image/png
Size: 75143 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181015/b6acc831/attachment-0001.png

From deepag at aissel.com Tue Oct 16 05:45:37 2018
From: deepag at aissel.com (Deepa Gaddigoudar)
Date: Tue, 16 Oct 2018 15:15:37 +0530
Subject: [keycloak-user] Managing Mysql relational database setup
In-Reply-To: <0ae2738a-13cc-19cc-8908-d11164c0c63a@aissel.com>
References: <61a41883-dcde-2c74-6b48-c48493b9cf5a@aissel.com> <1539598348.3660.10.camel@acutus.pro> <4f13a798-e85c-386e-c054-8c63659d840e@aissel.com> <1539600270.3660.15.camel@acutus.pro> <0ae2738a-13cc-19cc-8908-d11164c0c63a@aissel.com>
Message-ID: <94b5dbf2-31d6-2992-f0f2-3586ec90eee2@aissel.com>

Hello again!

What I have done so far is:

1. Set up Keycloak 4.5.0 on localhost.
2. Created a realm and 3 clients within it (PHP CodeIgniter framework), configured using the PHP adapter [https://github.com/stevenmaguire/oauth2-keycloak].
3.
Relational database setup: I have configured Keycloak with a *MySQL database* called keycloak (I am still grasping the purpose of the tables myself).
4. From the previous reply, I got to know that credentials and user_entity are the tables for storing user credentials.

What I want is:

1. I have existing users whose passwords are encrypted using the *simpleloginsecure* library (I just know that this library uses md5).
2. I either want to convert the stored MD5 passwords to decrypt with the help of PasswordHashProvider and store them in original form.
3. OR store them as is, and tell Keycloak to continue to use the *simpleloginsecure* library to secure passwords. (How to add a custom library?)
4. Which PasswordHashProvider do I need to use and how? (Please explain step by step.)
5. As I have 3 clients, I need to have a unique ID to identify which client a user belongs to. So can I alter any of the tables user_entity or credentials?

Regards,
Deepa M G

On Monday 15 October 2018 04:47 PM, Deepa Gaddigoudar wrote:
> Dmitry,
>
> Below is my user table, password is hashed with the md5 algorithm i.e. (simpleloginsecure library). Please suggest the steps to resolve.
> my user data table structure
>
> Regards,
>
> On Monday 15 October 2018 04:14 PM, Dmitry Telegin wrote:
>> Deepa,
>>
>> The importing process itself should be trivial, but before that you need to sort out the hash algorithm issue.
>>
>> Could you please show us some sample records from your MySQL user table? (provided that there's no sensitive info there; you can create a test user for that)
>>
>> Dmitry
>>
>> On Mon, 2018-10-15 at 16:00 +0530, Deepa Gaddigoudar wrote:
>>> Hello Dmitry,
>>>
>>> Can you please provide a link to any source that I could refer to for importing user credentials from an existing mysql user table to the keycloak "credentials" table!
>>>
>>> Regards,
>>> Deepa M G
>>>
>>> On Monday 15 October 2018 03:42 PM, Dmitry Telegin wrote:
>>>> Hello Deepa,
>>>>
>>>> On Mon, 2018-10-15 at 15:14 +0530, Deepa Gaddigoudar wrote:
>>>>> Hello All,
>>>>>
>>>>> I have configured the keycloak DB from H2 to Mysql. My applications are
>>>>> working fine too. What I want is,
>>>>>
>>>>> 1. Can I manage the user credentials? (Because I want to import
>>>>>    existing users' credentials generated before integrating the application
>>>>>    with keycloak, as we don't want to create new user credentials and
>>>>>    make it difficult for end users).
>>>> The answer is "yes", provided that the hash algorithm is known.
>>>>
>>>> There are three hash algorithms supported out of the box, namely PBKDF2-{SHA1,SHA256,SHA512}.
>>>> If your legacy hash format/algorithm is different from that, you'll need to implement a PasswordHashProvider.
>>>> Here's an example of how this was done for BCrypt: https://github.com/leroyguillaume/keycloak-bcrypt
>>>>
>>>>> 2. If I could import existing credentials (username and password) to
>>>>>    keycloak mysql, then to which table? (Because I am not finding the
>>>>>    passwords anywhere in the tables.)
>>>> The table is called "credential".
>>>>
>>>> Good luck!
>>>> Dmitry Telegin
>>>> CTO, Acutus s.r.o.
>>>> Keycloak Consulting and Training
>>>>
>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>>> +42 (022) 888-30-71
>>>> E-mail: info at acutus.pro
>>>>
>>>>> Thank you
>>>
>>> --
>>> Deepa M Gaddigoudar | Software Developer
>>> Aissel Technologies Pvt. Ltd.
>>> A Block, Floor 2, IT Park, Hubli - 580029. India
>>> Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
>>> Cell: +91 8951519616
>>> E-Mail: deepag at aissel.com

--
------------------------------------------------------------------------
*Deepa M Gaddigoudar | Software Developer*
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli - 580029.
India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag at aissel.com

From Luka.Odak at maurer-electronics.hr Tue Oct 16 10:33:04 2018
From: Luka.Odak at maurer-electronics.hr (Luka Odak)
Date: Tue, 16 Oct 2018 14:33:04 +0000
Subject: [keycloak-user] Custom verification mail with image
Message-ID: <81dc46cbda2c49baa370c903815c73c5@maurer-electronics.hr>

Hi,

I'm trying to customize the email which is sent on executeActionsEmail("VERIFY_EMAIL").

In the themes folder I created the following structure

    mytheme
      email
        html
        messages
        text
        resources
          img
          css
        theme.properties

and populated it with the necessary files.

When in messages_en.properties I set delivered mail is not stylized, but just plain text without image.

I tried to move the resources directory through the structure but without success. Also I've tried to hardcode the path to the image. That way I receive a stylized email but without the image.

What am I doing wrong?

Thanks.

With best regards
-------------------------------------------------------------
Luka Odak
Software Developer

From craig at baseventure.com Tue Oct 16 11:12:28 2018
From: craig at baseventure.com (Craig Setera)
Date: Tue, 16 Oct 2018 10:12:28 -0500
Subject: [keycloak-user] Dynamically branded login?
In-Reply-To: <1539640825.9119.2.camel@acutus.pro>
References: <1533011148.5207.30.camel@acutus.pro> <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com> <1533171048.2094.15.camel@acutus.pro> <1539350057.9707.4.camel@acutus.pro> <1539640825.9119.2.camel@acutus.pro>
Message-ID:

Dmitry,

This is pretty awesome and definitely helps to better understand the options for something like this. Part of me is wondering if it is still better/easier to use my Javascript based solution? In particular, changing the FTL themes definitely means that we are going to have to track template source changes to Keycloak much more closely. Do you have any insights into the release-to-release compatibility for the theme templates?
Thanks again, Craig ================================= *Craig Setera* *Chief Technology Officer* On Mon, Oct 15, 2018 at 5:00 PM Dmitry Telegin
wrote: > Craig, Will, > > I've published a PoC: > https://github.com/dteleguin/keycloak-dynamic-branding > > It demonstrates how to push URI info to FTL context and utilize it inside > login template. Feel free to ask me any questions on that. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Fri, 2018-10-12 at 09:46 -0500, Craig Setera wrote: > > The URL you call out is how I'm solving for this. I'm hopeful to be > able to do something similar for the account management pages as well, but > I haven't tried that at all to this point. > > > > I would love to see something more "official", but I understand if that > isn't something easily handled in the core. > > > > ================================= > > Craig Setera > > Chief Technology Officer > > > > > > > > > > > On Fri, Oct 12, 2018 at 8:14 AM Dmitry Telegin
wrote: > > > Craig, Will, > > > > > > Indeed, in the out-of-the-box configuration the URI info is not > accessible in FTL templates. But I was able to provide it with the help of > the custom LoginFormsProvider, which was trivial to implement. > > > Yep this adds another entity, but as long as you're deploying your > custom theme as a module or via deployments dir (which is the recommended > way), you should be ok with this, as theme+provider could be packaged as a > single JAR. > > > > > > Since it turns out to be kind of popular topic, I think I'll publish > the PoC and maybe even write an article on that. In a few words, you extend > FreeMarkerLoginFormsProvider and override createCommonAttributes(), where > you can push any arbitrary data to the FTL context. > > > > > > 2 Craig: is your use case similar to that of Will? I mean your URL is > like this: > > > > http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?...&customvar=1 > > > > > > I'm asking because if you append a query param to your client URL, it > won't be propagated to the Keycloak auth URL directly, but rather as a part > of redirect_uri param (from where it can be parsed of course). > > > > > > P.S. if anyone from the dev team reads this: do you think we can have > this OOTB? > > > > > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Mon, 2018-10-08 at 10:04 -0500, Craig Setera wrote: > > > > Following up on this conversation. I was unable to find a way to do > this via the Freemarker templates unfortunately. The templates are not > receiving anything useful in determining the full path and query > parameters. 
The only approach that I've found to do what I need is to add > a small Javascript snippet to my theme that is able to look at the query > parameters and insert a new stylesheet reference into the code based on a > query parameter. Ugly, but seems effective assuming I can get my query > parameter set in all of the URL's that matter. > > > > > > > > ================================= > > > > Craig Setera > > > > Chief Technology Officer > > > > > > > > > > > > > > > > > > > > > On Wed, Aug 29, 2018 at 9:36 AM Craig Setera < > craig at baseventure.com> wrote: > > > > > Dmitry, > > > > > > > > > > I've put Keycloak on the back burner for the moment. I do intend > to pick it back up toward the end of the year and I expect I will be > digging into this heavily. If I figure anything out, I will be sure to > report back. > > > > > > > > > > Craig > > > > > > > > > > > > > > > ================================= > > > > > Craig Setera > > > > > Chief Technology Officer > > > > > 415-324-5861 > > > > > craig at baseventure.com > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Aug 1, 2018 at 7:50 PM Dmitry Telegin
> wrote: > > > > > > Craig, Will, > > > > > > > > > > > > Sorry for having fooled you :-\ turns out that the ${url} object > is actually not what it seems. > > > > > > > > > > > > I'd suggest the following trick. Could someone please try > dumping all the available FTL variables using the below approach? > > > > > > > https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-dumper-script-for-liferay-7 > > > > > > > > > > > > This is for Liferay, but I hope it works with Keycloak FTLs > without any major modifications. So hopefully we can fish something useful > out of there. > > > > > > > > > > > > Cheers, > > > > > > Dmitry Telegin > > > > > > CTO, Acutus s.r.o. > > > > > > Keycloak Consulting and Training > > > > > > > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > > > +42 (022) 888-30-71 > > > > > > E-mail: info at acutus.pro > > > > > > > > > > > > On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote: > > > > > > > Hi Dmitry, > > > > > > > > > > > > > > I have a use case for this same need: conditionally rendering > a block of HTML in the login.ftl based on the value of a query string > param. > > > > > > > > > > > > > > I have a question with more details here: > https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158 > > > > > > > > > > > > > > I attempted to use ${url} as you suggested, however it does not > have a public method that provides the request url :( > > > > > > > > > > > > > > > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java > > > > > > > > > > > > > > Am I missing something? Or is there any other way to access > the login request url in login.ftl? 
> > > > > > > > > > > > > > > Thanks, Will > > > > > > > > > > > > > > > > > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin < > dt at acutus.pro> wrote: > > > > > > > > > > > > > > > > Hi Craig, sorry for the late response, > > > > > > > > > > > > > > > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote: > > > > > > > > > We build and host a multitenant application that is > currently using > > > > > > > > > homegrown authentication and authorization (using > Picketlink). We are > > > > > > > > > considering a move to Keycloak. My preference would be to > use the login > > > > > > > > > flows that are built in to Keycloak rather than building > our own, however > > > > > > > > > that is dependent on whether we can properly brand those > login flows on a > > > > > > > > > per-customer basis in some dynamic way. > > > > > > > > > > > > > > > > In Keycloak parlance, the term "login flow" has a very > particular > > > > > > > > meaning. Basically, it's what you see in the Authentication > section in > > > > > > > > the Admin Console. It defines how authentication *works* > rather than > > > > > > > > how it *looks* (i.e. logic rather than appearance). > > > > > > > > > > > > > > > > Do you really mean "login flows"? From the second part of > your message > > > > > > > > I can deduce you're mainly interested in customizing the GUI. > > > > > > > > > > > > > > > > > In looking at the theme SPI support, it appears to be > mostly targeted to > > > > > > > > > supporting multiple "static" themes. Is it possible to > make a theme that > > > > > > > > > is dynamic based on, for example, a query parameter? > > > > > > > > > > > > > > > > By default, Keycloak uses FreeMarker templates for login > screens. In > > > > > > > > the templates, the URL object is exposed as ${url}, so you > can analyze > > > > > > > > it and add conditional statements. If you're ok with that, > probably you > > > > > > > > won't need to implement any SPIs. 
> > > > > > > > > > > > > > > > Otherwise, you can either implement custom theme selection > logic based > > > > > > > > on request parameters (Theme Selector SPI), or completely > redefine > > > > > > > > theming mechanism (Theme SPI). > > > > > > > > > > > > > > > > > Are there any > > > > > > > > > examples anywhere on how that might be possible? > > > > > > > > > > > > > > > > Well, builtin Keycloak themes are the best example IMO :) > you can find > > > > > > > > the default login theme under > > > > > > > > themes/src/main/resources/theme/base/login in the source > tree. > > > > > > > > > > > > > > > > > Would Keycloak carry > > > > > > > > > through query parameters if they were provided when > launching the login > > > > > > > > > flow? > > > > > > > > > > > > > > > > It's best to create a custom theme and see :) > > > > > > > > > > > > > > > > Good luck! > > > > > > > > Dmitry Telegin > > > > > > > > CTO, Acutus s.r.o. > > > > > > > > Keycloak Consulting and Training > > > > > > > > > > > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > > > > > +42 (022) 888-30-71 > > > > > > > > E-mail: info at acutus.pro > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > Craig > > > > > > > > > _______________________________________________ > > > > > > > > > keycloak-user mailing list > > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > > > > > keycloak-user mailing list > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > From jdennis at redhat.com Tue Oct 16 12:03:56 2018 From: jdennis at redhat.com (John Dennis) Date: Tue, 16 Oct 2018 12:03:56 -0400 Subject: [keycloak-user] SAML Token contains carriage returns ( ) In-Reply-To: References: Message-ID: The original poster was 
seeing unexpected carriage returns in the SAML message emitted by Keycloak. I just discovered another issue where Keycloak inserts line feeds in HTTP-Redirect messages in violation of the SAML spec causing some SAML implementations to fail to process the message. I filed this JIRA to cover the case: https://issues.jboss.org/browse/KEYCLOAK-8594 On 10/3/18 3:45 AM, Hynek Mlnarik wrote: > Keycloak usually does not add any carriage return entities. What version of > keycloak do you use? Have you changed/endorsed any XML processing library? What I find interesting in the XML Dean shared below is the carriage returns are not uniformly appearing at each line ending as one might expect. Rather they only appear in the signature digest and X509Certificate values. My guess is these values are being inserted as strings into string data and those particular string values have Windows line-endings. However the carriage returns should not cause the XML parser to fail, see this part of the XML spec: https://www.w3.org/TR/REC-xml/#sec-line-ends > 2.11 End-of-Line Handling > > XML parsed entities are often stored in computer files which, for > editing convenience, are organized into lines. These lines are > typically separated by some combination of the characters CARRIAGE > RETURN (#xD) and LINE FEED (#xA). > > To simplify the tasks of applications, the XML processor must > behave as if it normalized all line breaks in external parsed > entities (including the document entity) on input, before parsing, > by translating both the two-character sequence #xD #xA and any #xD > that is not followed by #xA to a single #xA character. What is also interesting is the values with carriage returns in them are base64 data. So Websphere might be having a similar problem as in the above JIRA where it aborts after seeing a character not in the base64 alphabet. However this is quite different than the JIRA reported above, read on... 
Also note the SAML Core spec says this: > Applications that compare data received in SAML documents to data > from external sources MUST take into account the normalization > rules specified for XML. Text contained within elements is > normalized so that line endings are represented using linefeed > characters (ASCII code 10 Decimal ), as described in the XML > Recommendation [XML] Section 2.11. And furthermore the XML Signature Specification reiterates the above with this requirement > 1. line endings are normalized to the single character #xA by > dropping #xD characters if they are immediately followed by a #xA > and replacing them with #xA in all other cases, As for the Digest and X509Certificate elements (as well as anything else contained in XML Signature elements) the XML Signature spec does not place restrictions on line endings other than noted above. With respect to base64 encoded data in XML signature elements the only requirement is the base64 text comply with RFC 2045 which not only permits line endings but requires wrapping at 76 characters *and* states any character not in the base64 alphabet is to be ignored. Therefore my conclusion is that if WebSphere is unable to process the XML document with the carriage returns it is not spec compliant. Note this is very different than the JIRA filed above with respect to whitespace in base64 data because the SAML binding spec *requires* the base64 text to omit whitespace (a deviation from RFC 2045). > On Mon, Sep 17, 2018 at 6:31 PM Dean Peterson > wrote: > >> Is there a way to remove the carriage returns keycloak uses in the saml >> assertion token? This is incompatible with Websphere idAssertion using >> keycloak as the Identity provider. 
Ex, notice the characters in the >> content: >> >> > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >> ID="ID_a42073de-3815-4951-8db4-5d07d46dbf75" >> IssueInstant="2018-09-17T05:35:29.198Z" Version="2.0"> >> http://localhost:8080/auth/realms/unemployment-insurance >> > xmlns:dsig="http://www.w3.org/2000/09/xmldsig# >> ">> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# >> ">> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 >> ">> >> URI="#ID_a42073de-3815-4951-8db4-5d07d46dbf75">> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature >> ">> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# >> ">> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 >> >> ">8aoA9CDfFV8PXBnuafSS3JU/MXuGX3to93E+go9DJrk=UpQPIpNTXMuds8BP5a/N08sXeVMV9Bo6/gxb+rZo38tJwu9GGdrX2SeUlQUWVKRcH0qQRlWzVLfO >> >> nvb9gbIs/qGrIRQf2nvb40ywN0V8QqCaQr8VU++2rOJGSUfByGjazopvp2WrOM0JdlD6WjeqCs27 >> >> L+fpbVKC8GGZQB+KblqQ08xJ17yN0VDxwDAk+QDwkGpioe9p6/nSZZYCIimPF8BR0TxgwCm9KZl7 >> >> ASNv+d7m6Zaarj/CnqjLG0zDWPfAdW6R5sWuRmUzHiDG3AwpOaxxLP2d5HGPCRCfmiCHMVN3EVx4 >> >> FoQg/ej8QQ1Z0fCOg/N9qRJnFxYbnjMdc1w4rw==Ayvm2xqFD1Xb_CeLG0LbFdh2PuBAflqKnI7kCiTwqjwMIICuzCCAaMCBgFlsHW+ezANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZVbmVtcGxveW1lbnQg >> >> SW5zdXJhbmNlMB4XDTE4MDkwNjE5NTUzMVoXDTI4MDkwNjE5NTcxMVowITEfMB0GA1UEAwwWVW5l ..... 
>> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- John Dennis From marco.lamina at sap.com Tue Oct 16 12:07:32 2018 From: marco.lamina at sap.com (Lamina, Marco) Date: Tue, 16 Oct 2018 16:07:32 +0000 Subject: [keycloak-user] Best practices for permission-based resource lookup Message-ID: <11E7DC30-8679-4F66-92DE-2A7A0E4D3F88@contoso.com> Hi folks, I have a project with several resources that are created and owned by users. Access to these resources can be shared with groups or other users via Keycloak permissions. My API needs to implement endpoints for accessing these resources in a permission-based manner, meaning that for example GET /my-resource should return all resources that the provided access token has permission to view (e.g. via 'view' scope). Right now, this is my implementation: 1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource via the Protection API. Resources in Keycloak are named using a schema (.) 2. Send POST token endpoint with response_mode=permissions. This gives me a list of all resources the token can access, including the scopes. See [1] 3. Filter the list by name and scope using the resource prefix 4. Extract object IDs from resource names and load DB objects using the extracted IDs While this works, I still see some issues with this approach: * The resulting list of resources in 2) could potentially become quite big and increase response time * The 'naming schema solution' for mapping Keycloak resources to database objects seems more like a workaround Are there best practices for doing this kind of thing with Keycloak? 
If not, I'd be grateful for any tips on how to turn this into a more robust / efficient solution. Thanks, Marco [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions From psilva at redhat.com Tue Oct 16 17:22:30 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 16 Oct 2018 18:22:30 -0300 Subject: [keycloak-user] Best practices for permission-based resource lookup In-Reply-To: <11E7DC30-8679-4F66-92DE-2A7A0E4D3F88@contoso.com> References: <11E7DC30-8679-4F66-92DE-2A7A0E4D3F88@contoso.com> Message-ID: On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco wrote: > Hi folks, > I have a project with several resources that are created and owned by > users. Access to these resources can be shared with groups or other users > via Keycloak permissions. My API needs to implement endpoints for accessing > these resources in a permission-based manner, meaning that for example GET > /my-resource should return all resources that the provided access token has > permission to view (e.g. via 'view' scope). > > Right now, this is my implementation: > > 1. POST /my-resource creates an object in my DB and a corresponding > Keycloak resource via the Protection API. Resources in Keycloak are named > using a schema (.) > 2. Send POST token endpoint with response_mode=permissions. This gives > me a list of all resources the token can access, including the scopes. See > [1] > 3. Filter the list by name and scope using the resource prefix > 4. Extract object IDs from resource names and load DB objects using the > extracted IDs > > While this works, I still see some issues with this approach: > > * The resulting list of resources in 2) could potentially become quite > big and increase response time > Yeah, that is one of the drawbacks when fetching permissions for every single resource. How many resources are you expecting for each user ? > * The 'naming schema solution' 
for mapping Keycloak resources to > database objects seems more like a workaround > That is fine, another approach is to store the "reference id" in a column. > > Are there best practices for doing this kind of thing with Keycloak? If > not, I'd be grateful for any tips on how to turn this into a more robust / > efficient solution. > Until now, we have focused on API security as well as privacy. For the latter, permissions are evaluated on a per resource basis so you don't have any performance penalties when doing this. > > Thanks, > Marco > > [1] > https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From marco.lamina at sap.com Tue Oct 16 17:41:01 2018 From: marco.lamina at sap.com (Lamina, Marco) Date: Tue, 16 Oct 2018 21:41:01 +0000 Subject: [keycloak-user] Best practices for permission-based resource lookup In-Reply-To: References: <11E7DC30-8679-4F66-92DE-2A7A0E4D3F88@contoso.com> Message-ID: <201588F9-E9BC-4659-AA8C-9C6F0AAA8E4D@sap.com> A single user will potentially have access to a couple hundred resources in the future. If there was a way to somehow reduce the size of the result from the token endpoint in 2), that would already be a big improvement. Right now, the endpoint returns all resources of all types, while I only ever need the accessible resources of one particular type. I agree that storing the "reference id" in a column is probably a cleaner solution than parsing the resource name. From: Pedro Igor Silva Date: Tuesday, October 16, 2018 at 2:23 PM To: "Lamina, Marco" Cc: keycloak-user Subject: Re: [keycloak-user] Best practices for permission-based resource lookup On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco > wrote: Hi folks, I have a project with several resources that are created and owned by users. 
Access to these resources can be shared with groups or other users via Keycloak permissions. My API needs to implement endpoints for accessing these resources in a permission-based manner, meaning that for example GET /my-resource should return all resources that the provided access token has permission to view (e.g. via 'view' scope). Right now, this is my implementation: 1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource via the Protection API. Resources in Keycloak are named using a schema (.) 2. Send POST token endpoint with response_mode=permissions. This gives me a list of all resources the token can access, including the scopes. See [1] 3. Filter the list by name and scope using the resource prefix 4. Extract object IDs from resource names and load DB objects using the extracted IDs While this works, I still see some issues with this approach: * The resulting list of resources in 2) could potentially become quite big and increase response time Yeah, that is one of the drawbacks when fetching permissions for every single resource. How many resources are you expecting for each user ? * The 'naming schema solution' for mapping Keycloak resources to database objects seems more like a workaround That is fine, another approach is to store the "reference id" in a column. Are there best practices for doing this kind of thing with Keycloak? If not, I'd be grateful for any tips on how to turn this into a more robust / efficient solution. Until now, we have focused on API security as well as privacy. For the latter, permissions are evaluated on a per resource basis so you don't have any performance penalties when doing this. 
Thanks, Marco [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Oct 17 03:01:44 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 17 Oct 2018 09:01:44 +0200 Subject: [keycloak-user] User Storage SPI with Mongo In-Reply-To: <098DCFD9-EB38-4DAE-9E9C-E72F6E811BE8@xyleminc.com> References: <098DCFD9-EB38-4DAE-9E9C-E72F6E811BE8@xyleminc.com> Message-ID: <519016b8-9b53-24e2-ce48-ea47647dccda@redhat.com> Yes, that should work. You can maybe look at some old sources of Keycloak where Mongo was there and take inspiration from them. Once you have this working, it may be good to send a PR to update our "extensions" page with your extension, it may be useful for others. Marek On 15/10/18 21:46, Meikle, Anthony wrote: > As Keycloak no longer supports Mongo does this extend to the User Storage SPI as well? Meaning, is it possible to write an SPI to interact with MongoDB based on the structure of the current Provider Interfaces? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From amavisto at gmail.com Wed Oct 17 04:47:05 2018 From: amavisto at gmail.com (Milan Simonovic) Date: Wed, 17 Oct 2018 10:47:05 +0200 Subject: [keycloak-user] authz-rest-employee quickstart: fails to query Protection API for employee resource (/api/alice doesn't match /api/{employee}/*) Message-ID: Hi all, the resource server from https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee quickstart hits keycloak twice on each api call (/api/alice), querying the protection api for a resource: and both times the response is empty ([]). Where do these params come from? 
I don't see matchingUri and deep defined at https://www.keycloak.org/docs/latest/authorization_services/index.html#querying-resources How should the call look so that /api/alice would match the resource's /api/{employee}/* URI? regards, Milan From mposolda at redhat.com Wed Oct 17 04:50:55 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 17 Oct 2018 10:50:55 +0200 Subject: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles In-Reply-To: References: Message-ID: <34236d1d-d94f-f4af-f1fc-d53241f867f5@redhat.com> Hi, I think the JIRA for this already exists and we want to improve in this area. One thing is, that the actual call of updating UserModel should be done just if the user is not already in that role. Otherwise we will have unnecessary DB calls and cache invalidations during each broker login. I think this was already discussed before. So feel free to add to that JIRA or even send a PR for this. Thanks, Marek On 15/10/18 15:18, Philippe Gauthier wrote: > Hi Simon. > > > I posted the question on the mailing list. > > > I looked in the Keycloak devel branch on github and the code is still the same as you posted last year. > > > We have a support contract with RedHat. Maybe I can use this path to open the case? > > > Thank you. > > > Philippe. > > ________________________________ > From: Simon Payne > Sent: 15 October 2018 09:09:33 > To: Philippe Gauthier > Cc: keycloak-user; Étienne Sadio > Subject: Re: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles > > Hi Philippe, > > yes i found that it wouldn't add or remove roles if the user was already known. I never got around to raising a Jira ticket to fix the issue as i had some issues trying to get a dev environment up and running - some unit tests just wouldn't run for me. > > any way.. this was my solution which is running in our production, which seems to still be working as expected. 
I just rebuilt the relevant service and deployed accordingly. > > I'm happy to work on the permanent fix. I found it in 3.2.1 (I think it was) and it is still present in 4.3, which is the most up-to-date version we are running. There were some additional requirements which Marek mentioned to include in the fix; they will be in the original thread. >
>> @Override
>> public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     mapRole(realm, user, mapperModel, context);
>> }
>>
>> @Override
>> public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     mapRole(realm, user, mapperModel, context);
>> }
>>
>> // Same logic on first broker login and on every later login:
>> // grant the role while the claim matches, revoke it once it no longer does.
>> private void mapRole(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>>     RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>>     if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>>
>>     if (hasClaimValue(mapperModel, context)) {
>>         user.grantRole(role);
>>     } else {
>>         user.deleteRoleMapping(role);
>>     }
>> }
> > Simon. > > > > > > > On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier > wrote: > Hi > > > I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answers for his question. > > http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html > > > This post was about the ClaimToRoleMapper class of the OIDC broker component. This class searches for a claim, checks its value and grants a role if the value is equal to the value specified in the configuration. > > > If the user from the IdP is not known by Keycloak, it will be created by the First Broker Login Flow and the role will be granted. 
> > > If the user is already known by Keycloak, has the role specified by the mapper and no longer has the claim, the role will be revoked. > > > But. If the user is known by Keycloak, does not have the role specified by the mapper and has the claim, Keycloak does not grant him the role. > > > It is clear why it does this in the code but it is not clear why this has been done that way: > > > Here is the code.
> @Override
> public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>     if (hasClaimValue(mapperModel, context)) {
>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>         user.grantRole(role);
>     }
> }
>
> @Override
> public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
>     String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
>     if (!hasClaimValue(mapperModel, context)) {
>         RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
>         if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
>         user.deleteRoleMapping(role);
>     }
>     /* Maybe we should add an else here that does what importNewUser does. */
> }
> Thank you > > Philippe Gauthier. 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Oct 17 04:52:17 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 17 Oct 2018 10:52:17 +0200 Subject: [keycloak-user] org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles In-Reply-To: <34236d1d-d94f-f4af-f1fc-d53241f867f5@redhat.com> References: <34236d1d-d94f-f4af-f1fc-d53241f867f5@redhat.com> Message-ID: <093cfdcf-898b-a57e-efe0-ac4d10bdd9d8@redhat.com> And yes, if you have support, it may help to discuss with the support team and create an official RFE for the product. This can help a lot to get this prioritized. Marek On 17/10/18 10:50, Marek Posolda wrote: > Hi, > > I think the JIRA for this already exists and we want to improve in > this area. One thing is, that the actual call of updating UserModel > should be done just if the user is not already in that role. Otherwise we > will have unnecessary DB calls and cache invalidations during each > broker login. I think this was already discussed before. So feel free > to add to that JIRA or even send a PR for this. > > Thanks, > Marek > > On 15/10/18 15:18, Philippe Gauthier wrote: >> Hi Simon. >> >> >> I posted the question on the mailing list. >> >> >> I looked in the Keycloak devel branch on github and the code is still >> the same as you posted last year. >> >> >> We have a support contract with RedHat. Maybe I can use this path to >> open the case? >> >> >> Thank you. >> >> >> Philippe. >> >> ________________________________ >> From: Simon Payne >> Sent: 15 October 2018 09:09:33 >> To
: Philippe Gauthier >> Cc: keycloak-user; Étienne Sadio >> Subject: Re: [keycloak-user] >> org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update >> user roles >> >> Hi Philippe, >> >> yes i found that it wouldn't add or remove roles if the user was >> already known. I never got around to raising a Jira ticket to fix >> the issue as i had some issues trying to get a dev environment up and >> running - some unit tests just wouldn't run for me. >> >> any way.. this was my solution which is running in our production, >> which seems to still be working as expected. I just rebuilt the >> relevant service and deployed accordingly. >> >> I'm happy to work on the permanent fix. I found it in 3.2.1 (i think >> it was and it is still present in 4.3 which is the most up-to date >> version we are running). There were some additional requirements >> which Marek mentioned to include in the fix, they will be in the >> original thread. >> >>> @Override public void importNewUser(KeycloakSession session, >>> RealmModel realm, UserModel user, IdentityProviderMapperModel >>> mapperModel, BrokeredIdentityContext context) { >>>     mapRole(realm, user, mapperModel, context); >>> } >>> >>> @Override public void updateBrokeredUser(KeycloakSession session, >>> RealmModel realm, UserModel user, IdentityProviderMapperModel >>> mapperModel, BrokeredIdentityContext context) { >>>     mapRole(realm, user, mapperModel, context); >>> >>> } >>> >>> private void mapRole(RealmModel realm, UserModel user, >>> IdentityProviderMapperModel mapperModel, BrokeredIdentityContext >>> context) { >>> >>>     String roleName = >>> mapperModel.getConfig().get(ConfigConstants.ROLE); >>>     RoleModel role = KeycloakModelUtils.getRoleFromString(realm, >>> roleName); >>>     if (role == null) throw new IdentityBrokerException("Unable to >>> find role: " + roleName); >>> >>>     if (hasClaimValue(mapperModel, context)) { >>>         user.grantRole(role); >>>     } else { >>>         
user.deleteRoleMapping(role); >>> ????? } >>> } >> >> Simon. >> >> >> >> >> >> >> On Mon, Oct 15, 2018 at 1:46 PM Philippe Gauthier >> > >> wrote: >> Hi >> >> >> I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I >> cannot find any answers for his question. >> >> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html >> >> >> >> This post was about ClaimToRoleMapper class of the OIDC broker >> component. This class search for a claim, check for its value and >> grant a role if the value is equals to the value specified in the >> configuration. >> >> >> If the user from the IdP is not known by Keycloak, it will be created >> by the First Broker Login Flow and the role will be granted. >> >> >> If the user is already known by Keycloak, he have the role specified >> by the mapper and he don't have the claim anymore, the role will be >> revocated. >> >> >> But. If the user is known by Keycloak, he don't have the role >> specified by the mapper and he have the claim, Keycloak does not >> grant him the role. >> >> >> It is clear why it does this in the code but it is not clear why this >> have been done that way: >> >> >> Here is the code. >> >> @Override >> public void importNewUser(KeycloakSession session, RealmModel realm, >> UserModel user, IdentityProviderMapperModel mapperModel, >> BrokeredIdentityContext context) { >> ???? String roleName = >> mapperModel.getConfig().get(ConfigConstants.ROLE); >> ???? if (hasClaimValue(mapperModel, context)) { >> ???????? RoleModel role = KeycloakModelUtils.getRoleFromString(realm, >> roleName); >> ???????? if (role == null) throw new IdentityBrokerException("Unable to >> find role: " + roleName); >> ???????? user.grantRole(role); >> ???? } >> } >> >> @Override >> public void updateBrokeredUser(KeycloakSession session, RealmModel >> realm, UserModel user, IdentityProviderMapperModel mapperModel, >> BrokeredIdentityContext context) { >> ???? 
String roleName = >> mapperModel.getConfig().get(ConfigConstants.ROLE); >> ???? if (!hasClaimValue(mapperModel, context)) { >> ???????? RoleModel role = KeycloakModelUtils.getRoleFromString(realm, >> roleName); >> ???????? if (role == null) throw new IdentityBrokerException("Unable to >> find role: " + roleName); >> ???????? user.deleteRoleMapping(role); >> ???? } >> ???? /* Maybe we should add an else here that does what the >> importNewUser does. >> } >> Thankyou >> >> Philippe Gauthier. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From deepag at aissel.com Wed Oct 17 04:59:42 2018 From: deepag at aissel.com (Deepa Gaddigoudar) Date: Wed, 17 Oct 2018 14:29:42 +0530 Subject: [keycloak-user] How to implement PasswordHashProvider for the Bcrypt password using existing library Message-ID: Hello There!, I need to migrate my existing applications user credentials to keycloak database(i setup a RDBMS i.e mysql). I have used simpleloginsecure library to hash the password while creating application user account. This library uses md5 Bcrypt method to hash the password. I know i need to implement PasswordHashProvider. My question: 1. Is it possible to use the simpleloginsecure library in keycloak. 2. How to implement PasswordHashProvider ? 3. Later how to move user credentials from existing database to keycloak mysql schema? Regards, Deepa M G -- ------------------------------------------------------------------------ *Deepa M Gaddigoudar | Software Developer* Aissel Technologies Pvt. Ltd. A Block, Floor 2, IT Park, Hubli ? 580029. 
India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag at aissel.com

From amavisto at gmail.com Wed Oct 17 06:08:43 2018
From: amavisto at gmail.com (Milan Simonovic)
Date: Wed, 17 Oct 2018 12:08:43 +0200
Subject: [keycloak-user] authz-rest-employee quickstart: fails to query Protection API for employee resource (/api/alice doesn't match /api/{employee}/*)
Message-ID: <5EAC7837-0940-47C1-840B-0A2DC9190F25@gmail.com>

allright, found a solution.

matchingUri from the source code:
https://github.com/keycloak/keycloak/blob/f99299ee3956d138c001769b0fe4bcfcc90a219f/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java#L348
looks like a flag that should trigger an extra search if no resource is found, calling PathMatcher on each client resource.

PathMatcher, https://github.com/keycloak/keycloak/blob/b478472b3578b8980d7b5f1642e91e75d1e78d16/common/src/main/java/org/keycloak/common/util/PathMatcher.java#L29 , seems capable of matching /api/alice to /api/{employee}/*, this test passes:

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;

import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.junit.Test;
import org.keycloak.common.util.PathMatcher;

@Test
public void matches() throws Exception {
    // One registered resource whose URI is a template; the matcher is asked for a concrete path.
    PathMatcher<Map.Entry<String, String>> pathMatcher = new PathMatcher<Map.Entry<String, String>>() {
        @Override
        protected String getPath(Map.Entry<String, String> entry) {
            return entry.getKey();
        }

        @Override
        protected Collection<Map.Entry<String, String>> getPaths() {
            Map<String, String> result = new HashMap<>();
            result.put("/api/{employee}/*", "employee resource");
            return result.entrySet();
        }
    };

    Map.Entry<String, String> matches = pathMatcher.matches("/api/alice");
    assertNotNull(matches);
    assertEquals("employee resource", matches.getValue());
}

so the matchingUri param should be set to true and then the resource is found:

curl -H "Authorization: Bearer $access_token" \
    "$SRV/authz/protection/resource_set?matchingUri=true&uri=%2Fapi%2Falice"
["deed8ae3-41a9-4781-b6c7-cb297516c2c6"]
regards,
Milan

From dean.wyns at aptus.be Wed Oct 17 09:43:59 2018
From: dean.wyns at aptus.be (Wyns Dean)
Date: Wed, 17 Oct 2018 13:43:59 +0000
Subject: [keycloak-user] Direct Access grant vs SPA theme
Message-ID:

Hi

We're developing an application that has a more extensive login flow than Keycloak offers by default. Our first thought was to develop the login flow ourselves in our web application, using the Direct Access grant. In this case, we'd need to maintain the login session ourselves. We'd need to proxy the requests and inject the access token in the headers, and renew the access token using the refresh token if necessary.

So we're instead looking to implement a theme that implements this login flow using a small SPA. Is this something that the theme system is capable of? Is this recommended over the previously mentioned approach (direct grant)?

Thanks in advance for any feedback

Dean

From mattia.bello at horsa.it Wed Oct 17 11:10:35 2018
From: mattia.bello at horsa.it (mattia.bello)
Date: Wed, 17 Oct 2018 08:10:35 -0700 (MST)
Subject: [keycloak-user] Problem with custom login using Keycloak + Spring Security Adapter in Multi Tenancy mode
Message-ID: <1539789035857-0.post@n6.nabble.com>

Hello,

I am using keycloak with the keycloak Spring Security and multi-tenancy configuration. I need to manage the following use case: I want to use only a single login page where the user must enter the realm, username and password. I cannot use the standard keycloak login page because keycloak needs to know the realm before showing the relative login page.

How can I do that?

I thought of the following solution: I would like to log in to keycloak, using the mechanism of the remember me, creating the necessary cookies after my login with the realm, username and password information. Is it possible? How do I do that?

Thanks to all.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From psilva at redhat.com Wed Oct 17 13:38:03 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 17 Oct 2018 14:38:03 -0300
Subject: [keycloak-user] Best practices for permission-based resource lookup
In-Reply-To: <201588F9-E9BC-4659-AA8C-9C6F0AAA8E4D@sap.com>
References: <11E7DC30-8679-4F66-92DE-2A7A0E4D3F88@contoso.com> <201588F9-E9BC-4659-AA8C-9C6F0AAA8E4D@sap.com>
Message-ID:

On Tue, Oct 16, 2018 at 6:41 PM Lamina, Marco wrote:

> A single user will potentially have access to a couple hundred resources
> in the future.
>
> If there was a way to somehow reduce the size of the result from the token
> endpoint in 2), that would already be a big improvement. Right now, the
> endpoint returns all resources of all types, while I only ever need the
> accessible resources of one particular type.
>

Right now we have a *response_permissions_limit* parameter to limit the number of permissions evaluated by the server. It is quite non-deterministic though as it is not based on any order or types of resources. Evaluating permissions based on resource types is something we can consider. If you don't mind, please open a RFE. Contribution is also welcome :)

>
> I agree that storing the "reference id" in a column is probably a cleaner
> solution than parsing the resource name.
>
> *From: *Pedro Igor Silva
> *Date: *Tuesday, October 16, 2018 at 2:23 PM
> *To: *"Lamina, Marco"
> *Cc: *keycloak-user
> *Subject: *Re: [keycloak-user] Best practices for permission-based resource lookup
>
> On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco wrote:
>
> Hi folks,
> I have a project with several resources that are created and owned by
> users. Access to these resources can be shared with groups or other users
> via Keycloak permissions. My API needs to implement endpoints for accessing
> these resources in a permission-based manner, meaning that for example GET
> /my-resource should return all resources that the provided access token has
> permission to view (e.g. via "view" scope).
>
> Right now, this is my implementation:
>
> 1. POST /my-resource creates an object in my DB and a corresponding
> Keycloak resource via the Protection API. Resources in Keycloak are named
> using a schema (.)
> 2. Send POST token endpoint with response_mode=permissions. This gives
> me a list of all resources the token can access, including the scopes. See [1]
> 3. Filter the list by name and scope using the resource prefix
> 4. Extract object IDs from resource names and load DB objects using the
> extracted IDs
>
> While this works, I still see some issues with this approach:
>
> * The resulting list of resources in 2) could potentially become quite
> big and increase response time
>
> Yeah, that is one of the drawbacks when fetching permissions for every
> single resource. How many resources are you expecting for each user ?
>
> * The "naming schema solution" for mapping Keycloak resources to
> database objects seems more like a workaround
>
> That is fine, another approach is to store the "reference id" in a column.
>
> Are there best practices for doing this kind of thing with Keycloak? If
> not, I'd be grateful for any tips on how to turn this into a more robust /
> efficient solution.
>
> Until now, we have focused on API security as well as privacy. For the
> latter, permissions are evaluated on a per resource basis so you don't have
> any performance penalties when doing this.
>
> Thanks,
> Marco
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From robin at kearney.co.uk Wed Oct 17 17:06:23 2018
From: robin at kearney.co.uk (Robin Kearney)
Date: Wed, 17 Oct 2018 22:06:23 +0100
Subject: [keycloak-user] Creating new user throws error when using AWS Simple AD
Message-ID:

Hi,

I've got Keycloak 4.5.0.Final set up to talk to an AWS instance of their Simple AD - which is Samba 4 behind the scenes.

Connectivity and authentication work ok, as does the initial sync of all users. However, when I create a new user through Keycloak, I get an error "Error! Could not create user" in the UI and the following logs:

keycloak_1 | 20:45:52,571 WARN [org.keycloak.services.resources.admin.UsersResource] (default task-17) Could not create user: org.keycloak.models.ModelException: Could not modify attribute for DN [cn=example12,CN=Users,DC=ad,DC=example,DC=com]
keycloak_1 | Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 00002030: No such Base DN: cn=example12,CN=Users,DC=ad,DC=example,DC=com]; remaining name 'cn=example12,CN=Users,DC=ad,DC=example,DC=com'

The full stack trace is here https://gist.githubusercontent.com/rk295/a8ada3cd79212e73d2e55215e4d53e34/raw/37aac21a5c7dd3d3423aa9ae2456068c2c1170ec/keycloak-error.log

What is interesting is the user is created successfully in LDAP.
ldif https://gist.githubusercontent.com/rk295/0bde9a03f057dea09ea08f7f0050785e/raw/7dc63b208d95dc2160ed8cdbed87d55e52fb4b53/key-example.ldiff

However, in this ldif the following fields show "IA==" rather than the value I entered (example12 in both cases):

sn:: IA==
givenName:: IA==

I have both the firstname and lastname mappers set up to map the following fields:

usermodel attribute firstName -> ldap givenName
usermodel attribute lastName -> ldap sn

Both set up with RO false, always read from LDAP true, is mandatory true, is binary false.

If I hit the button to resync changed (or all) users, the user shows in the Keycloak admin, but the fields above are missing.

Hope somebody can help!

r.

From jeff at sweetjacket.com Wed Oct 17 19:36:32 2018
From: jeff at sweetjacket.com (Jeff Victor)
Date: Thu, 18 Oct 2018 01:36:32 +0200
Subject: [keycloak-user] Spring Boot Multi-tenancy
Message-ID:

I'm trying to get multi-tenancy working in a spring boot project. I've built the latest 4.6.0 snapshot and as a result am able to register my own MultiTenantConfigResolver - as per https://issues.jboss.org/browse/KEYCLOAK-8444. I have also verified that my custom resolver is being called.

My application requires security to kick in at /admin/** and /customer/** which correspond to two realms - admin and customer.

However, anything else should be open. Here is the configuration:

http.authorizeRequests()
        .antMatchers("/admin*").authenticated()
        .antMatchers("/customer*").authenticated()
        .anyRequest().permitAll();

The issue I'm having is that I don't know what KeycloakDeployment to return if someone accesses an unprotected resource like / or even /sso/login.
In both of those cases my config resolver gets invoked and I return null which then results in the following exception:

java.lang.NullPointerException: null
    at org.keycloak.adapters.NodesRegistrationManagement.tryRegister(NodesRegistrationManagement.java:43)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

I've seen other examples of a multi-tenant config resolver that always return a KeycloakDeployment or, if one can't be determined, throw an exception, such as here https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/control/PathBasedKeycloakConfigResolver.java .

As an example, when debugging it seems that if I return the appropriate KeycloakDeployment for /admin everything goes well but straight away the resolver gets invoked again as there has been a redirect to /sso/login. In this case how am I to determine which KeycloakDeployment / realm to use?

Thanks,
Jeff

From fabio.ebner at lumera.com.br Wed Oct 17 19:50:43 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Wed, 17 Oct 2018 20:50:43 -0300
Subject: [keycloak-user] Forbidden on Post Method
Message-ID:

I'm trying to use spring boot with keycloak, so I created 2 clients in keycloak:

1 - "central-front" is public, where my user will get a token
2 - "central-api" is "bearer-only", where my api will validate the token

In my "central-api" I created 2 roles, CLIENTE and CARTORIO, then I created one user with the CLIENTE role and another with CARTORIO.

In my back end I configured it just like this:

package br.com.lumera.centralback.config;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        // Spring Boot expects every role to start with "ROLE_"; this mapper adds the
        // ROLE_ prefix to the roles arriving in the token
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        return mapper;
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
        return provider;
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // bearer-only API: no HTTP session is created for authenticated requests
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers("/estado/*").hasRole("CLIENTE")
            .antMatchers("/natureza/*").hasRole("CLIENTE")
            .antMatchers("/cartorio/*").hasRole("CLIENTE")
            .antMatchers("/mensagem/*").hasRole("CLIENTE")
            .anyRequest().permitAll();
    }

    // Keep Spring Boot from registering the Keycloak filters a second time
    // outside the Spring Security filter chain.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            final KeycloakAuthenticationProcessingFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            final KeycloakPreAuthActionsFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}

and my keycloak.json

{
  "realm" : "Lumera",
  "bearer-only" : true,
  "auth-server-url" : "http://localhost:9090/auth",
  "ssl-required" : "external",
  "resource" : "central-api",
  "use-resource-role-mappings" : true,
  "principal-attribute" : "preferred_username"
}

So when I try to access a GET URI the roles work fine: if I log in as CARTORIO I can't access any of the urls listed above, and if I log in as CLIENTE I access normally.

But in my url /mensagem/ I have one POST in /mensagem/ and when I try to POST something I always get a Forbidden. I already tried to put .antMatchers(HttpMethod.POST, "/mensagem/**") and I already tried to remove the .antMatchers("/mensagem/*").hasRole("CLIENTE"), with no success too.

From deepag at aissel.com Thu Oct 18 01:24:21 2018
From: deepag at aissel.com (Deepa Gaddigoudar)
Date: Thu, 18 Oct 2018 10:54:21 +0530
Subject: [keycloak-user] Configure existing hashing library with keycloak
Message-ID:

Hello Keycloak Team!,

My existing user passwords are hashed using the SimpleLoginSecure library. As I am not sure about the *salt* they have used, can I integrate this same library with keycloak for PasswordHashProvider? If yes, how? Which piece of code do I need to alter? I am not familiar with java.

Regards,
Deepa M G

--
------------------------------------------------------------------------
*Deepa M Gaddigoudar | Software Developer*
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli - 580029. India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag at aissel.com

From erik.g.haugen at gmail.com Thu Oct 18 03:33:03 2018
From: erik.g.haugen at gmail.com (Erik Haugen)
Date: Thu, 18 Oct 2018 09:33:03 +0200
Subject: [keycloak-user] Error 'secure-deployment' isn't an allowed element here when change wildfly config for keycloak
Message-ID: <4FFEC350-7B9F-43F2-AD37-1DA4F132E9E6@gmail.com>

I'm trying to secure a war file in Wildfly 14.0.1.Final with keycloak.

I followed the documentation given here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_jboss_adapter

I installed the keycloak wildfly adapter 4.5.0.
I'm trying to secure a war via the Adapter Subsystem and followed the documentation and modified the standalone.xml of the wildfly Keycloak subsystem definition

<> master https://keycloak.test.online/auth none account 46a3091a-abc-9f9a-8895949d4cdf

after adding this information to the standalone.xml, I try to start wildfly and get the following error message:

09:19:13,164 ERROR [stderr] (Controller Boot Thread) [Fatal Error] :422:11: The element type "profile" must be terminated by the matching end-tag "".
09:19:13,193 ERROR [org.jboss.as.controller] (Controller Boot Thread) OPVDX001: Validation error in standalone.xml -----------------------------------
|
| 413:
| 414:
| 415:
|      ^^^^ 'secure-deployment' isn't an allowed element here
|
| 416: master
| 417: https://keycloak.test.online/auth
| 418: none
|
| The primary underlying error message was:
| > ParseError at [row,col]:[415,13]
| > Message: WFLYCTL0198: Unexpected element
| > '{urn:jboss:domain:8.0}secure-deployment' encountered
|
|-------------------------------------------------------------------------------
09:19:13,195 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
    at org.jboss.as.server.ServerService.boot(ServerService.java:377)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
    at java.lang.Thread.run(Thread.java:748)
09:19:13,198 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Any ideas what could be wrong?
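Both lines of that log describe the XML rather than the adapter. The first one ([Fatal Error] :422:11, "profile" must be terminated by the matching end-tag) is a plain well-formedness error: an element opened inside <profile> was never closed. The second one (WFLYCTL0198: Unexpected element '{urn:jboss:domain:8.0}secure-deployment') says the parser met secure-deployment as a direct child of <profile>, in WildFly's own namespace, where no such element is defined; it is only valid inside the Keycloak adapter subsystem element. The fragment below is an added example of the placement the adapter documentation describes, not Erik's file and not a reply from the list. The deployment name myapp.war and the <server>/<extensions> wrapper are placeholders that only show where the pieces go; realm, auth-server-url, ssl-required, resource and secret are the values quoted in the message.

```xml
<server xmlns="urn:jboss:domain:8.0">
    <extensions>
        <!-- registered by the adapter's adapter-install(-offline).cli script -->
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
    </extensions>

    <profile>
        <!-- ... the other subsystems stay as they were ... -->

        <!-- secure-deployment is only valid INSIDE the Keycloak subsystem element.
             Placed directly under <profile> it is parsed in the urn:jboss:domain:8.0
             namespace and rejected, which is the WFLYCTL0198 message above. -->
        <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
            <secure-deployment name="myapp.war">   <!-- placeholder: your WAR's deployment name -->
                <realm>master</realm>
                <auth-server-url>https://keycloak.test.online/auth</auth-server-url>
                <!-- "none" switches the TLS requirement off; prefer "external" or "all"
                     once the auth-server-url is https, as it already is here -->
                <ssl-required>none</ssl-required>
                <resource>account</resource>
                <credential name="secret">46a3091a-abc-9f9a-8895949d4cdf</credential>
            </secure-deployment>
        </subsystem>
    </profile>
</server>
```

Running xmllint --noout standalone.xml before booting WildFly reports the unclosed element with a line number, which is cheaper than reading the OPVDX001 dump. Two things worth changing in the copied values: ssl-required none disables the adapter's TLS check, and the client secret has now been posted to a public list, so it should be regenerated in the admin console's client Credentials tab before this configuration goes anywhere near production.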
From testoauth55 at gmail.com Thu Oct 18 07:21:12 2018 From: testoauth55 at gmail.com (Bruce Wings) Date: Thu, 18 Oct 2018 16:51:12 +0530 Subject: [keycloak-user] the admin rest api for realm import is not importing realm Message-ID: As mentioned in docs: https://www.keycloak.org/docs-api/4.4/rest-api/index.html#_realms_admin_resource I have created a post request via postman and the response is 200 OK, but when I go and check on the admin console, new realm is not visible. Moreover, when I perform the same operation via an invalid token, then also the response is 200 OK. Am I missing something here? Attached screenshot of postman request. (In the body I have copy pasted entire contents of realm json file that was exported from another server) -------------- next part -------------- A non-text attachment was scrubbed... Name: import_realm.JPG Type: image/jpeg Size: 128184 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181018/33336da0/attachment-0001.jpe From testoauth55 at gmail.com Thu Oct 18 07:28:22 2018 From: testoauth55 at gmail.com (Bruce Wings) Date: Thu, 18 Oct 2018 16:58:22 +0530 Subject: [keycloak-user] Admin rest api / admin console to export users Message-ID: Is the only way to export users via* kcadm.sh/.bat *or is there a way to export users via admin console / admin rest API? From psilva at redhat.com Thu Oct 18 09:17:09 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 18 Oct 2018 10:17:09 -0300 Subject: [keycloak-user] Spring Boot Multi-tenancy In-Reply-To: References: Message-ID: We recently added support for node registration, but I missed the fact that it should only run when a deployment could be resolved. Could you open a JIRA, please ? Regards. Pedro Igor On Wed, Oct 17, 2018 at 8:39 PM Jeff Victor wrote: > I'm trying to get multi-tenancy working in a spring boot project. 
I've > built the latest 4.6.0 snapshot and as a result am able to register my own > MultiTenantConfigResolver - as per > https://issues.jboss.org/browse/KEYCLOAK-8444. I have also verified that > my > custom resolver is being called. > > My application requires security to kick in at /admin/** and /customer/** > which correspond to two realms - admin and customer. > > However, anything else should be open. Here is the configuration: > > http.authorizeRequests() > > .antMatchers("/admin*").authenticated() > > .antMatchers("/customer*").authenticated() > > .anyRequest().permitAll(); > > The issue I'm having is that I don't know what KeycloakDeployment to return > if someone accesses an unprotected resource like / or even /sso/login. > > In both of those cases my config resolver gets invoked and I return null > which then results in the following exception: > > java.lang.NullPointerException: null > > at > org.keycloak.adapters.NodesRegistrationManagement.tryRegister(NodesRegistrationManagement.java:43) > > at > org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) > > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) > > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) > > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) > > I've seen in other examples of a multi-tenant config resolver that always > return a KeycloakDeployment or if it one can't be determined then it throws > an exception such as here > > https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/control/PathBasedKeycloakConfigResolver.java > . 
>
> As an example, when debugging it seems that if I return the appropriate
> KeycloakDeployment for /admin everything goes well but straight away the
> resolver gets invoked again as there has been a redirect to /sso/login. In
> this case how am I to determine which KeycloakDeployment / realm to use?
>
> Thanks,
> Jeff
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jambo_mcd at yahoo.co.uk Thu Oct 18 09:21:20 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Thu, 18 Oct 2018 13:21:20 +0000 (UTC)
Subject: [keycloak-user] Keycloak realm certificates be passed to Knox?
References: <366471873.18450736.1539868880248.ref@mail.yahoo.com>
Message-ID: <366471873.18450736.1539868880248@mail.yahoo.com>

Hi,

I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox configuration would have to be updated with new corresponding certificates. Knox is used to decrypt signed JWTs.

Is this something that can be achieved?

Thanks
Jamie

From testoauth55 at gmail.com Thu Oct 18 10:33:08 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 18 Oct 2018 20:03:08 +0530
Subject: [keycloak-user] Admin rest api / admin console to export users
In-Reply-To: <1d4ed99f-2ac9-011e-17e8-5399d576745e@aissel.com>
References: <1d4ed99f-2ac9-011e-17e8-5399d576745e@aissel.com>
Message-ID:

Thanks for the reply. But I am looking for a non command line way to import/export users. Is there an admin rest API or admin web console option for the same?
On Thursday, October 18, 2018, Deepa Gaddigoudar wrote:

> https://github.com/Codingpedia/codingmarks.org/wiki/Move-keycloak-database-from-H2-to-MySql
>
> *https://www.keycloak.org/docs/latest/server_installation/index.html#_database*
>
> Use the below command to export users:
>
> KEYCLOAK_HOME/standalone.sh -Dkeycloak.migration.action=export
> -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=exported_realms
> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
>
> On Thursday 18 October 2018 04:58 PM, Bruce Wings wrote:
>
> Is the only way to export users via *kcadm.sh/.bat* or
> is there a way to export users via admin console / admin rest API?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> ------------------------------
> *Deepa M Gaddigoudar | Software Developer*
> Aissel Technologies Pvt. Ltd.
> A Block, Floor 2, IT Park, Hubli - 580029. India
> Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
> Cell: +91 8951519616
> E-Mail: deepag at aissel.com
>

From anthony.meikle at xyleminc.com Thu Oct 18 10:49:53 2018
From: anthony.meikle at xyleminc.com (Meikle, Anthony)
Date: Thu, 18 Oct 2018 14:49:53 +0000
Subject: [keycloak-user] Admin rest api / admin console to export users
In-Reply-To:
References: <1d4ed99f-2ac9-011e-17e8-5399d576745e@aissel.com>
Message-ID:

You could write a Java program using the keycloak-admin-client to recreate the users from your existing database.

On 10/18/18, 10:36 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Bruce Wings" wrote:

    Thanks for the reply. But I am looking for a non command line way to import/export users. Is there an admin rest API or admin web console option for the same?
    On Thursday, October 18, 2018, Deepa Gaddigoudar wrote:

    > https://github.com/Codingpedia/codingmarks.org/wiki/Move-keycloak-database-from-H2-to-MySql
    >
    > *https://www.keycloak.org/docs/latest/server_installation/index.html#_database*
    >
    > Use the below command to export users:
    >
    > KEYCLOAK_HOME/standalone.sh -Dkeycloak.migration.action=export
    > -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=exported_realms
    > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
    >
    > On Thursday 18 October 2018 04:58 PM, Bruce Wings wrote:
    >
    > Is the only way to export users via *kcadm.sh/.bat* or
    > is there a way to export users via admin console / admin rest API?
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user
    >
    > --
    > ------------------------------
    > *Deepa M Gaddigoudar | Software Developer*
    > Aissel Technologies Pvt. Ltd.
    > A Block, Floor 2, IT Park, Hubli - 580029. India
    > Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
    > Cell: +91 8951519616
    > E-Mail: deepag at aissel.com
    >
    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user

From wyllys.ingersoll at keepertech.com Thu Oct 18 12:04:02 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Thu, 18 Oct 2018 12:04:02 -0400
Subject: [keycloak-user] password reset email REST api?
Message-ID:

Is there (or are there plans to add one) a REST API endpoint for sending a user a password reset email link? I'm looking for a way to simulate what happens when the "reset password" form is used but without using the form itself, so that an application could make the request without requiring a UI. This is different from having an administrator manually reset a password, I want the user to just get a secure link to reset their own password when necessary.
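Keycloak does expose this through the Admin REST API: PUT /auth/admin/realms/{realm}/users/{id}/execute-actions-email with the JSON body ["UPDATE_PASSWORD"] e-mails the user a one-time action-token link that forces a password change on the next login, which is what the admin console's "Send email" button on a user's Credentials tab does. The block below is an added example that calls it through keycloak-admin-client (the 4.x API); it is not code from the thread or from the Keycloak project. Assumptions, none of them from the message: a confidential client named password-reset-svc in the users' realm, with Service Accounts enabled and the realm-management role manage-users assigned to its service account; a realm named myrealm; a server at https://keycloak.example.com/auth; and SMTP configured on that realm so the mail can actually leave.

```java
// Added example (not from the thread or the Keycloak project): trigger Keycloak's own
// password-reset mail for a user through the Admin REST API with keycloak-admin-client 4.x.
// Endpoint behind the call: PUT /auth/admin/realms/{realm}/users/{id}/execute-actions-email
// Assumed (placeholders): client "password-reset-svc" with service-account role
// realm-management/manage-users, realm "myrealm", server https://keycloak.example.com/auth.
import java.util.Collections;
import java.util.List;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

public class PasswordResetLinkSender {

    private final Keycloak admin;
    private final String realm;

    public PasswordResetLinkSender(String serverUrl, String realm, String clientId, String clientSecret) {
        // Client-credentials grant: the service authenticates as itself, so no admin
        // username/password is embedded in the application. The client lives in the
        // same realm as the users it manages.
        this.admin = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
        this.realm = realm;
    }

    /**
     * Asks Keycloak to e-mail the user a link carrying the UPDATE_PASSWORD required
     * action. Returns true only when a user with exactly this username exists and the
     * request was accepted; the caller should NOT pass that boolean on to the end user.
     */
    public boolean sendResetLink(String username) {
        UsersResource users = admin.realm(realm).users();
        // search() matches on a substring, so filter for the exact username ourselves
        List<UserRepresentation> candidates = users.search(username);
        for (UserRepresentation u : candidates) {
            if (username.equalsIgnoreCase(u.getUsername())) {
                users.get(u.getId())
                     .executeActionsEmail(Collections.singletonList("UPDATE_PASSWORD"));
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        PasswordResetLinkSender sender = new PasswordResetLinkSender(
                "https://keycloak.example.com/auth", "myrealm",
                "password-reset-svc", System.getenv("RESET_SVC_SECRET"));
        boolean sent = sender.sendResetLink(args[0]);
        // Server-side log only; the response to the requester is identical either way
        // so the endpoint cannot be used to enumerate usernames.
        System.err.println("reset link requested for " + args[0] + ": " + sent);
        System.out.println("If an account exists for that username, a reset link has been e-mailed.");
    }
}
```

The link is valid for the realm's admin-generated action-token lifespan (12 hours by default, adjustable under Realm Settings > Tokens), and the mail goes to the user's registered address, so the flow only makes sense for users with a verified e-mail. Keep this call server-side: the service-account token carries manage-users and must never reach a browser. This is a different endpoint from PUT .../users/{id}/reset-password, which sets a password directly and is the "administrator resets it" case the message wants to avoid.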
thanks, Wyllys Ingersoll From dereck.jacobsen at gmail.com Thu Oct 18 13:26:54 2018 From: dereck.jacobsen at gmail.com (Dereck Jacobsen) Date: Thu, 18 Oct 2018 11:26:54 -0600 Subject: [keycloak-user] No ID token in headers OpenID connect, apache OIDC Message-ID: Hi all, Sorry for the newbie question. I have keycloak set up and the apache OIDC adapter protecting a php website. However, when I look at the headers after login (using the OIDCResponseType code) , I am only seeing the access token and no ID token. Is there a setting I am missing in the keycloak configuration? Thanks! From psilva at redhat.com Thu Oct 18 13:40:32 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 18 Oct 2018 14:40:32 -0300 Subject: [keycloak-user] Spring Boot Multi-tenancy In-Reply-To: References: Message-ID: Based on other adapters, requests to unprotected resources should not be processed by Keycloak mechanisms. I need to check why spring is behaving differently. Let me look at that and I'll update that JIRA. Thanks. On Thu, Oct 18, 2018 at 12:31 PM jeff victor wrote: > Hi Pedro. I have created KEYCLOAK-8616 > . > > Could you tell me what the expected behavior for a custom > KeycloakConfigResolver should be when it is invoked when being redirected > to /sso/login? Or for any other path that doesn't contain information to > determine the deployment? I've noticed, for instance, that the resolver > also gets invoked for other unprotected resources in the project such as / > or /some-unprotected-path. > > Should the resolver return null? Or is the issue that the resolver > shouldn't be getting invoked at all if the path isn't protected by spring > security? > > > Thanks, > > Jeff > > On Thu, Oct 18, 2018 at 3:17 PM Pedro Igor Silva > wrote: > >> We recently added support for node registration, but I missed the fact >> that it should only run when a deployment could be resolved. Could you open >> a JIRA, please ? >> >> Regards. 
>> Pedro Igor >> >> On Wed, Oct 17, 2018 at 8:39 PM Jeff Victor wrote: >> >>> I'm trying to get multi-tenancy working in a spring boot project. I've >>> built the latest 4.6.0 snapshot and as a result am able to register my >>> own >>> MultiTenantConfigResolver - as per >>> https://issues.jboss.org/browse/KEYCLOAK-8444. I have also verified >>> that my >>> custom resolver is being called. >>> >>> My application requires security to kick in at /admin/** and /customer/** >>> which correspond to two realms - admin and customer. >>> >>> However, anything else should be open. Here is the configuration: >>> >>> http.authorizeRequests() >>> >>> .antMatchers("/admin*").authenticated() >>> >>> .antMatchers("/customer*").authenticated() >>> >>> .anyRequest().permitAll(); >>> >>> The issue I'm having is that I don't know what KeycloakDeployment to >>> return >>> if someone accesses an unprotected resource like / or even /sso/login. >>> >>> In both of those cases my config resolver gets invoked and I return null >>> which then results in the following exception: >>> >>> java.lang.NullPointerException: null >>> >>> at >>> org.keycloak.adapters.NodesRegistrationManagement.tryRegister(NodesRegistrationManagement.java:43) >>> >>> at >>> org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) >>> >>> at >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) >>> >>> at >>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) >>> >>> at >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) >>> >>> I've seen in other examples of a multi-tenant config resolver that always >>> return a KeycloakDeployment or if it one can't be determined then it >>> throws >>> an exception such as here >>> >>> 
https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/java/org/keycloak/example/multitenant/control/PathBasedKeycloakConfigResolver.java >>> . >>> >>> As an example, when debugging it seems that if I return the appropriate >>> KeycloakDeployment for /admin everything goes well but straight away the >>> resolver gets invoked again as there has been a redirect to /sso/login. >>> In >>> this case how am I to determine which KeycloakDeployment / realm to use? >>> >>> Thanks, >>> Jeff >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From hans.zandbelt at zmartzone.eu Thu Oct 18 14:25:14 2018 From: hans.zandbelt at zmartzone.eu (Hans Zandbelt) Date: Thu, 18 Oct 2018 20:25:14 +0200 Subject: [keycloak-user] No ID token in headers OpenID connect, apache OIDC In-Reply-To: References: Message-ID: > > Sorry for the newbie question. I have keycloak set up and the apache OIDC > adapter protecting a php website. However, when I look at the headers after > login (using the OIDCResponseType code) , I am only seeing the access token > and no ID token. Is there a setting I am missing in the keycloak > configuration? > That is a mod_auth_openidc question, for which the answer is here: https://github.com/zmartzone/mod_auth_openidc/blob/v2.3.8/auth_openidc.conf#L644-L650 Hans. -- hans.zandbelt at zmartzone.eu ZmartZone IAM - www.zmartzone.eu From kkcmadhu at yahoo.com Thu Oct 18 14:34:59 2018 From: kkcmadhu at yahoo.com (Madhu) Date: Thu, 18 Oct 2018 18:34:59 +0000 (UTC) Subject: [keycloak-user] Self Service for User ( using admin-cli) References: <1406111650.10997828.1539887699954.ref@mail.yahoo.com> Message-ID: <1406111650.10997828.1539887699954@mail.yahoo.com> Hi I have a query on user self service (Auth service), I have a realm with few admin users (who has manage *, view *) in realm-management client. 
I also have ordinary users, who do not have any access in the realm-management client.

I would like to write a REST service where the logged-in user (the user id in the bearer token) will be able to perform
a) GET realms/realmName/users/ and
b) PUT realms/realmName/users/
on the following conditions: the bearer token should be an admin's bearer token, or the logged-in user should be editing his own record (sub in jwt should be same as the in url).

Between, I am using admin-cli for these operations. Please guide on how to go about this.

Regards,
Madhu

From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Thu, 18 Oct 2018 20:29:27 +0000
Subject: [keycloak-user] password reset email REST api?

Hello Wyllys,

Yes this is possible. You want to use the REST API endpoint to send an email to the user requiring them to perform some action. See the section called "Send a update account email to the user An email contains a link the user can click to perform a set of required actions." in the Keycloak REST admin api docs (https://www.keycloak.org/docs-api/4.5/rest-api/index.html):

    PUT /{realm}/users/{id}/execute-actions-email

The body of the request specifies the actions you want them to perform. I think you will want to send the following, which will force the user to reset their password, as well as send them an email with a link to do so:

    ["VERIFY_EMAIL", "UPDATE_PASSWORD"]

Here are a few other links that might help:
http://lists.jboss.org/pipermail/keycloak-user/2016-December/008766.html
https://stackoverflow.com/questions/42071682/how-to-update-password-via-keyclaok-admin-rest-api-by-execute-actions-email

This section of the keycloak server admin guide describes what the various required action options are:
https://www.keycloak.org/docs/latest/server_admin/index.html#required-actions

Since the keycloak admin web console uses the REST api, it can be handy to turn on developer tools in your browser and watch the network traffic that occurs when you perform the equivalent action in the keycloak admin console, to see the REST api calls the console makes to the server and the exact parameters it passes.

Hope that helps,
Don

> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Wyllys Ingersoll
> Sent: Thursday, October 18, 2018 12:04 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] password reset email REST api?
>
> [...]

From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Thu, 18 Oct 2018 17:02:35 -0400
Subject: [keycloak-user] password reset email REST api?

Thanks!

On Thu, Oct 18, 2018 at 5:01 PM Don Reynolds (dreynold) <Don.Reynolds at quest.com> wrote:
> [...]

From: sisyphus18 at protonmail.com (Anup VK)
Date: Thu, 18 Oct 2018 22:06:37 +0000
Subject: [keycloak-user] o.s.security.saml.log.SAMLDefaultLogger

Hello Folks,

I have a spring GRAILS application using Keycloak 4.5. For some reason the redirection after login proceeds to http://localhost:8080/spring-security-saml/saml/SSO/alias/localhost instead of http://127.0.0.1:8080/csi-gui-chargedb/

This might be a Spring Security suite redirection issue; that said, the 'Valid Redirect URIs' box only accepts a * wildcard character. If I specify a valid URL - like http://127.0.0.1:8080/csi-gui-chargedb/ - it complains.

Please let me know what your thoughts are. Many thanks in advance.

AVK

Sent with ProtonMail (https://protonmail.com) Secure Email.

From: callum at well.ox.ac.uk (Callum Smith)
Date: Fri, 19 Oct 2018 08:43:03 +0000
Subject: [keycloak-user] SSSD integration with password expiry

Dear All,

My google-fu has turned up some results of people doing bits of this using LDAP, but I was wondering if there was any way of handling users with expired passwords through Keycloak's UI.

So the issue is that with FreeIPA as an authentication backend, when a user is created their password is expired (for lots of good reasons). This forces them to change the password on their first login, which works with ssh, gnome, but not Keycloak. Is this because of something I have misconfigured (or yet to configure) or is it just not supported?
Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk

From: thesofiane at gmail.com (So Be)
Date: Fri, 19 Oct 2018 15:11:12 +0200
Subject: [keycloak-user] LDAP at Log in page

Hi,

I have integrated our jupyterhub with keycloak. It works fine. Now, I want to add LDAP as an additional identity provider with Github. I have configured the realm with our LDAP server but I can not see an LDAP button with the others in the log in page.

What am I doing wrong?

Thank you.

From: thesofiane at gmail.com (So Be)
Date: Fri, 19 Oct 2018 15:14:04 +0200
Subject: [keycloak-user] Configure EMail failed

Hi,

As an administrator, I would like to receive notifications when users log into Keycloak. I tried to configure the EMail for the realm but I got "Logged in user does not have an e-mail". Any idea about what is causing this?

Thank you.

From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 19 Oct 2018 19:43:10 +0530
Subject: [keycloak-user] the admin rest api for realm import is not importing realm

Can anyone suggest whether there is something wrong in the way I am sending the request or is this an issue on the keycloak side?

On Thursday, October 18, 2018, Bruce Wings wrote:
> As mentioned in docs:
> https://www.keycloak.org/docs-api/4.4/rest-api/index.html#_realms_admin_resource
>
> I have created a post request via postman and the response is 200 OK, but
> when I go and check on the admin console, new realm is not visible.
>
> Moreover, when I perform the same operation via an invalid token, then
> also the response is 200 OK. Am I missing something here?
>
> Attached screenshot of postman request. (In the body I have copy pasted
> entire contents of realm json file that was exported from another server)

From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 22 Oct 2018 10:16:27 +0530
Subject: [keycloak-user] the admin rest api for realm import is not importing realm

As mentioned in docs:
https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_realms_admin_resource

When I send a request to http://localhost:8380/ I get 200 OK, but when I go and check on the admin console, the new realm is not visible.

But when I send a request to http://localhost:8380/auth/admin/realms, I get 401 unauthorized. (The keycloak server is running on port 8380 and I am sending the bearer token obtained from http://10.252.70.71:8380/auth/realms/master/protocol/openid-connect/token.)

Which is the accurate URL to import a realm json in keycloak? http://localhost:8380/ OR http://localhost:8380/auth/admin/realms

On Fri, Oct 19, 2018 at 7:43 PM Bruce Wings wrote:
> [...]

From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 22 Oct 2018 11:09:31 +0530
Subject: [keycloak-user] the admin rest api for realm import is not importing realm

Forgot to mention that sending a request to http://localhost:8380/auth gives a 415 Unsupported Media Type error. Images of the postman request attached.

On Mon, Oct 22, 2018 at 10:16 AM Bruce Wings wrote:
> [...]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: import1.JPG
Type: image/jpeg
Size: 41694 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20181022/867323f8/attachment-0002.jpe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: import2.JPG
Type: image/jpeg
Size: 105500 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20181022/867323f8/attachment-0003.jpe

From: deepag at aissel.com (Deepa Gaddigoudar)
Date: Mon, 22 Oct 2018 11:21:38 +0530
Subject: [keycloak-user] Can i integrate External PHP hash provider library with keycloak

Hello All,

Previously I have used SimpleLoginSecure to secure my application user passwords, thus I don't know the salt used by this library. Now I want to migrate my users to keycloak without asking them to reset their password.

Is there a way to integrate the SimpleLoginSecure library with keycloak as a PasswordHash Provider? If yes, how do I do that?

Regards,
Deepa M G

From: ulrik.sjolin at gmail.com (Ulrik Sjölin)
Date: Mon, 22 Oct 2018 01:58:22 -0400
Subject: [keycloak-user] open-id/connect endpoint giving unexpected result

Hello,

I am using 4.5.0 and have a simple setup with 2 users (Alice and Jdoe), each of them has a UMA resource. Jdoe is sharing his resource with Alice (all scopes). Running "evaluate" in the admin web UI everything looks correct: Alice does have the Delete scope (and 4 other scopes) on JdoeResource.

I use a simple curl script but it does however not give the same result as the evaluate web UI does:

Using /openid-connect/token, "permission=#Delete" and subject_token=$ALICE_TOKEN, I get the expected result (both Alice's and Jdoe's resources are returned correctly):

    [{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"},{"scopes":["Delete","Read","Write","Admin","Peek"],"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]

Changing to "permission=AliceResource#Delete", everything looks as expected:

    [{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"}]

Changing again to the id of JdoeResource, i.e. "permission=854b0ac8-8504-4b92-b642-1c959a1f8de0#Delete", I get:

    [{"scopes":["Delete","Read","Write","Admin","Peek"],"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]

But changing to "permission=JdoeResource#Delete", I get what I think is unexpected:

    {"error":"invalid_resource","error_description":"Resource with id [JdoeResource] does not exist."}

Is this expected behavior? Is there something I am doing wrong?

Best Regards,
Ulrik

From: andreas.lau at outlook.com (Andreas Lau)
Date: Mon, 22 Oct 2018 07:52:19 +0000
Subject: [keycloak-user] How to get a link to password reset from keycloak api

Hello,

We have an application where we managed to create a user account over the REST API. Now, instead of creating a temporary password for the new user and forcing the user to log in and change the password the very first time he/she logs in, we'd like to create a link where he/she has to enter a password and gets logged in (exactly like it is done in the password reset functionality), and send it to the user via mail.

I've googled around and the only hints I can find are how to call reset password via the API. But with this we only trigger keycloak to send a mail with such a link. But as I said we would like to get the link itself. Is this possible somehow? Can you give us a helping hand?

Thanks.
Andreas

From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 22 Oct 2018 13:35:13 +0530
Subject: [keycloak-user] the admin rest api for realm import is not importing realm

I have also written a small Java client to import the JSON and I get the same 415 error through that also. Here's the Java client code:

    File realmConfigFile = new File("D:\\test\\realm.json");
    if (!realmConfigFile.exists() || realmConfigFile.isDirectory()) {
        // return failure
    }
    // The endpoint the request is sent to (this is the URL that answers 415).
    String urlString = "http://localhost:8380/auth";
    URL url = null;
    InputStream stream = null;
    HttpURLConnection urlConnection = null;
    String result = "";
    try {
        // Reuse the bearer token of the user who called this servlet.
        KeycloakSecurityContext keycloakSecurityContext =
            (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        String token = keycloakSecurityContext.getTokenString();
        if (StringUtils.isBlank(token))
            return Response.status(Response.Status.UNAUTHORIZED).build();
        url = new URL(urlString);
        urlConnection = (HttpURLConnection) url.openConnection();
        urlConnection.setRequestMethod("POST");
        urlConnection.setDoOutput(true);
        urlConnection.setRequestProperty("Authorization", "Bearer " + token);
        urlConnection.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
        urlConnection.connect();
        // The request body is the realm export JSON read from disk.
        String realmJson = FileUtils.readFileToString(realmConfigFile, "UTF-8");
        OutputStreamWriter wr = new OutputStreamWriter(urlConnection.getOutputStream(), "UTF-8");
        wr.write(realmJson);
        wr.flush();
        stream = urlConnection.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(stream, "UTF-8"), 8);
        result = reader.readLine();
        return Response.ok("request completed").build();
    } catch (Exception e) {
        // Surface the failure instead of silently swallowing it.
        return Response.serverError().entity(e.getMessage()).build();
    }

On Mon, Oct 22, 2018 at 11:09 AM Bruce Wings wrote:
> [...]
(In the body I have copy pasted >>>> entire contents of realm json file that was exported from another server) >>>> >>>> From ionel.gardais at tech-advantage.com Mon Oct 22 08:03:25 2018 From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Mon, 22 Oct 2018 14:03:25 +0200 (CEST) Subject: [keycloak-user] Use of event.clientId in FreeMarker Message-ID: <445908380.414931.1540209805868.JavaMail.zimbra@tech-advantage.com> Hi, I've configured the localisation and FTL templates to send an email at every successful login. I'd like to add, beside the date and the source IP, the client through the user was connected However, event.clientId always resolves to null, whereas event.ipAddress and event.date are correct. Here is what lies in the .ftl file : ${msg("eventLoginBody",event.date,event.ipAddress,event.clientId)} messages_en.properties contains eventLoginSubject=Successful login eventLoginBody=A successful login was detected to your account on {0} from {1} for {2}. If this was not you, please contact an admin. eventLoginBodyHtml=

A successful login was detected to your account on {0} from {1} for {2}. If this was not you, please contact an admin.

If I logg the event to the console, clientId is correctly set. Does EmailTemplateProvider swallow the clientId field ? Am I missing something in the template definition ? Thanks, Ionel Ionel GARDAIS CIO - IT Team manager -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 -------------- next part -------------- A non-text attachment was scrubbed... Name: GARDAIS, Ionel.vcf Type: text/directory Size: 399 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181022/da558fca/attachment.bin From ionel.gardais at tech-advantage.com Mon Oct 22 08:30:07 2018 From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Mon, 22 Oct 2018 14:30:07 +0200 (CEST) Subject: [keycloak-user] Notifying user about a login attempt In-Reply-To: <2E28826D-F1D4-4657-AB57-F441AC1194D7@grootan.com> References: <1065264065.257960.1539604748151.JavaMail.zimbra@tech-advantage.com> <2E28826D-F1D4-4657-AB57-F441AC1194D7@grootan.com> Message-ID: <610687491.417341.1540211407255.JavaMail.zimbra@tech-advantage.com> Hi Lokesh, The following patch should do the trick. It enables the email event listener and configures it to include the LOGIN event. It also defines the associated email templates and messages. -- Ionel GARDAIS Tech'Advantage CIO - IT Team manager ----- Mail original ----- De: "Lokesh Ravichandru" ?: "Ionel GARDAIS" Cc: "keycloak-user" Envoy?: Lundi 15 Octobre 2018 14:02:17 Objet: Re: [keycloak-user] Notifying user about a login attempt As far my understanding, you shall extend event listener api to listen to events and process based on it. Check the examples section for events listener implementation - Lokesh > On 15-Oct-2018, at 5:29 PM, GARDAIS Ionel wrote: > > Hi, > > Is there a way to notify user by email whenever the user is logged through a client of the realm ? > > Like "You've been logged by with your account ". 
> > Thanks, > Ionel > > > > > -- > 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON > Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301_______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 -------------- next part -------------- A non-text attachment was scrubbed... Name: keycloak-email-login.patch Type: text/x-patch Size: 14409 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181022/8de9ab9c/attachment-0001.bin From lokesh.ravichandru at grootan.com Mon Oct 22 09:33:52 2018 From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru) Date: Mon, 22 Oct 2018 19:03:52 +0530 Subject: [keycloak-user] Notifying user about a login attempt In-Reply-To: <610687491.417341.1540211407255.JavaMail.zimbra@tech-advantage.com> References: <1065264065.257960.1539604748151.JavaMail.zimbra@tech-advantage.com> <2E28826D-F1D4-4657-AB57-F441AC1194D7@grootan.com> <610687491.417341.1540211407255.JavaMail.zimbra@tech-advantage.com> Message-ID: Awesome!!! cool!1 On Mon, Oct 22, 2018 at 6:00 PM GARDAIS Ionel < ionel.gardais at tech-advantage.com> wrote: > Hi Lokesh, > > The following patch should do the trick. > It enables the email event listener and configures it to include the LOGIN > event. > It also defines the associated email templates and messages. > > -- > Ionel GARDAIS > Tech'Advantage CIO - IT Team manager > > ----- Mail original ----- > De: "Lokesh Ravichandru" > ?: "Ionel GARDAIS" > Cc: "keycloak-user" > Envoy?: Lundi 15 Octobre 2018 14:02:17 > Objet: Re: [keycloak-user] Notifying user about a login attempt > > As far my understanding, you shall extend event listener api to listen to > events and process based on it. 
Check the examples section for events > listener implementation > > - Lokesh > > > On 15-Oct-2018, at 5:29 PM, GARDAIS Ionel < > ionel.gardais at tech-advantage.com> wrote: > > > > Hi, > > > > Is there a way to notify user by email whenever the user is logged > through a client of the realm ? > > > > Like "You've been logged by with your account > ". > > > > Thanks, > > Ionel > > > > > > > > > > -- > > 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON > > Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 > 301_______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- > > 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON > > Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 > > -- *Grootan Technologies Private Limited* R-Block, 15th main street Anna nagar, Chennai 600 040 tel +91 97890 24698 mail lokesh.ravichandru at grootan.com | web https://www.grootan.com From Pavel.Micka at zoomint.com Mon Oct 22 10:28:47 2018 From: Pavel.Micka at zoomint.com (Pavel Micka) Date: Mon, 22 Oct 2018 14:28:47 +0000 Subject: [keycloak-user] Java 11 (Docker container base) Message-ID: <564d3037b9974039868327e2ed2bee3d@zoomint.com> Hello everyone, What is the plan for Java 11 support? The point is that current versions of Docker containers are based on OpenJDK 8, but the official Java 8 support will cease at the end of December. Will Keycloak use Java 11 by that time or will it rely on updates provided by the community. This is important to us, as Keycloak is important part of our app security. 
Thanks, Pavel // I have found this ticket in Jira, but it does not provide too many details: https://issues.jboss.org/browse/KEYCLOAK-7811

From mposolda at redhat.com Mon Oct 22 13:02:22 2018 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 22 Oct 2018 19:02:22 +0200 Subject: [keycloak-user] LDAP at Log in page In-Reply-To: References: Message-ID: Hi, there are 2 concepts in Keycloak.
- Identity Brokering / Identity providers - The providers are 3rd party OAuth2/OIDC/SAML providers, which Keycloak will just delegate authentication to. That is what is displayed as a button on the login page
- UserStorage providers - Those are used by Keycloak for the provisioning of users. LDAP integration is in this category.
In other words, you won't see anything like "Login with LDAP" on the login screen. Keycloak just automatically uses LDAP for provisioning of users when you configure the LDAP provider. More details in the docs. Marek On 19/10/18 15:11, So Be wrote: > Hi, > > I have integrated our jupyterhub with keycloak. it works fine. > Now, I want to add LDAP as additional identity provider with Github. > I have configured the realm with our LDAP server but I can not see LDAP > button with the others in the log in page. > > What am I doing wrong? > > Thank you. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From craig at baseventure.com Mon Oct 22 18:16:49 2018 From: craig at baseventure.com (Craig Setera) Date: Mon, 22 Oct 2018 17:16:49 -0500 Subject: [keycloak-user] Session management vs servlet adapter? Message-ID: Can anyone tell me how Java sessions are managed relative to the servlet adapter? As we are switching over from JSESSIONID-based authentication to Keycloak, we have other non-security based services that are using @SessionScoped beans.
While we can continue to reflect JSESSIONID, are there any cases where Keycloak will invalidate and/or switch the HttpSession from request to request? Thanks, Craig ================================= *Craig Setera* *Chief Technology Officer*

From keycloak-user at imber.wien Tue Oct 23 04:59:54 2018 From: keycloak-user at imber.wien (keycloak-user at imber.wien) Date: Tue, 23 Oct 2018 10:59:54 +0200 Subject: [keycloak-user] Logout via admin API causes offline token to go stale Message-ID: <5bfbb9512479b62890d3fa60fb36f546@imber.wien> Hi, there's a message by Ritesh Garg dated May 25, 2018, about Offline Tokens becoming invalid when user sessions are logged out via Admin REST API. (I just joined the list, so I cannot easily reply to that message directly.) The issue is still reproducible in 4.5.0.Final and also affects the User Account app (when the user clicks "Log out all sessions", Offline Tokens cannot be used anymore). I created KEYCLOAK-8638 for this. Cheers, Mario.

From msakho at redhat.com Tue Oct 23 05:04:28 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Tue, 23 Oct 2018 11:04:28 +0200 Subject: [keycloak-user] Java 11 (Docker container base) In-Reply-To: <564d3037b9974039868327e2ed2bee3d@zoomint.com> References: <564d3037b9974039868327e2ed2bee3d@zoomint.com> Message-ID: Hello, Pavel, where did you get the information that the official Java 8 support will cease at the end of december? https://access.redhat.com/articles/1299013 https://www.oracle.com/technetwork/java/javase/eol-135779.html Meissa On Mon, 22 Oct 2018 at 16:33, Pavel Micka wrote: > Hello everyone, > > What is the plan for Java 11 support? The point is that current versions > of Docker containers are based on OpenJDK 8, but the official Java 8 > support will cease at the end of December. Will Keycloak use Java 11 by > that time or will it rely on updates provided by the community. > > This is important to us, as Keycloak is important part of our app security.
> > Thanks, > > Pavel > > // I have found this ticket in Jira, but it does not provide too many > details: https://issues.jboss.org/browse/KEYCLOAK-7811 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From pulkitsrivastavajd at gmail.com Tue Oct 23 06:51:37 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Tue, 23 Oct 2018 16:21:37 +0530 Subject: [keycloak-user] User Federation for Admin Users Message-ID: Hi, Is it possible to use an external user federation for admin users in keycloak. These users should be able to login to keycloak admin. Thanks, Pulkit From robin at kearney.co.uk Tue Oct 23 07:01:13 2018 From: robin at kearney.co.uk (Robin Kearney) Date: Tue, 23 Oct 2018 12:01:13 +0100 Subject: [keycloak-user] Creating new user throws error when using AWS Simple AD In-Reply-To: References: Message-ID: Hi, I'm just bumping this again because I still have the problem, does anybody know what might be wrong here? r. On Wed, Oct 17, 2018 at 10:06 PM Robin Kearney wrote: > > Hi, > > I've got Keycloak 4.5.0.Final setup to talk to an AWS instance of > their Simple AD - which is Samba 4 behind the scenes. Connectivity and > authentication works ok, as does the initial sync all users. > > However, when I create a new user through Keycloak, I get an error > "Error! 
Could not create user" in the UI and the following logs: > > keycloak_1 | 20:45:52,571 WARN > [org.keycloak.services.resources.admin.UsersResource] (default > task-17) Could not create user: org.keycloak.models.ModelException: > Could not modify attribute for DN > [cn=example12,CN=Users,DC=ad,DC=example,DC=com] > > keycloak_1 | Caused by: javax.naming.NameNotFoundException: [LDAP: > error code 32 - 00002030: No such Base DN: > cn=example12,CN=Users,DC=ad,DC=example,DC=com]; remaining name > 'cn=example12,CN=Users,DC=ad,DC=example,DC=com' > > The full stack trace is here > > https://gist.githubusercontent.com/rk295/a8ada3cd79212e73d2e55215e4d53e34/raw/37aac21a5c7dd3d3423aa9ae2456068c2c1170ec/keycloak-error.log > > What is interesting is the user is created successfully in LDAP. > > ldif https://gist.githubusercontent.com/rk295/0bde9a03f057dea09ea08f7f0050785e/raw/7dc63b208d95dc2160ed8cdbed87d55e52fb4b53/key-example.ldiff > > However in this ldif, is the following fields show "IA==" rather than > the value I entered (example12 in both cases) > > sn:: IA== > givenName:: IA== > > I have both the firstname and lastname mappers setup to map the > following fields: > > usermodel attribute firstName -> ldap givenName > usermodel attribute lastName -> ldap sn > > Both setup with RO false, always read from LDAP true, is mandatory > true, is binary false. > > If I hit the button to resync changed (or all) users, the user shows > in the Keycloak admin, but the fields above missing. > > Hope somebody can help! > > r. From Pavel.Micka at zoomint.com Tue Oct 23 07:05:45 2018 From: Pavel.Micka at zoomint.com (Pavel Micka) Date: Tue, 23 Oct 2018 11:05:45 +0000 Subject: [keycloak-user] Java 11 (Docker container base) In-Reply-To: References: <564d3037b9974039868327e2ed2bee3d@zoomint.com> Message-ID: <1d8ec6c8800f46aa82e3ba96c8951086@zoomint.com> Sorry, end of january (my fault): https://www.oracle.com/technetwork/java/eol-135779.html. 
Then Oracle Java and OpenJDK will most probably start to diverge, as OpenJDK will not have access to Oracle repos (afaik). So the speed of security fixes will depend on the willingness of the community to fix the upcoming issues. Pavel From: Meissa M'baye Sakho Sent: Tuesday, October 23, 2018 11:04 AM To: Pavel Micka Cc: keycloak-user Subject: Re: [keycloak-user] Java 11 (Docker container base) Hello, Pavel, where did you get the information that the official Java 8 support will cease at the end of december? https://access.redhat.com/articles/1299013 https://www.oracle.com/technetwork/java/javase/eol-135779.html Meissa On Mon, 22 Oct 2018 at 16:33, Pavel Micka wrote: Hello everyone, What is the plan for Java 11 support? The point is that current versions of Docker containers are based on OpenJDK 8, but the official Java 8 support will cease at the end of December. Will Keycloak use Java 11 by that time or will it rely on updates provided by the community. This is important to us, as Keycloak is important part of our app security. Thanks, Pavel // I have found this ticket in Jira, but it does not provide too many details: https://issues.jboss.org/browse/KEYCLOAK-7811 _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From sakodiya at grepruby.com Tue Oct 23 07:09:19 2018 From: sakodiya at grepruby.com (Shubham Akodiya) Date: Tue, 23 Oct 2018 16:39:19 +0530 Subject: [keycloak-user] Keycloak RBAC permission check in node API Message-ID: Hi Team, I was integrating keycloak with nodejs and I want to restrict the nodeJS API. I've added the *Authorization settings (scope, resources and policies) *while creating the client. But I am struggling with how to protect the API endpoints based on the resource and scopes in the nodejs app. I've declared the following resources and scopes in the client and also added some policies based on the role.
'res:customer', 'scopes:create'], ['/customers(*)', 'get', 'res:customer', 'scopes:view'], ['/campaigns', 'post', 'res:campaign', 'scopes:create'], ['/campaigns(*)', 'get', 'res:campaign', 'scopes:view Although, I've checked the link and while I insight into the code I found that there is one API http://localhost:8080/auth/ realms/{realmName}/authz/entitlement/{clientName} which accepts the authorization token in header and permissions in body like '[{"resource_set_name": "res:campaign", "scopes": [ 'scopes:view' ]}]', so this way we could check that whether user have sufficient permission or not. *But while going through the doc, I found that the entitlement API was removed in the keycloak new version*. *So how can we perform the similar permission checks in new keycloak version. Is there any API supported just like entitlement ? or Is there any alternative way available to perform the protection check ?* Thanks, Shubham Akodiya From psilva at redhat.com Tue Oct 23 07:56:15 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 23 Oct 2018 08:56:15 -0300 Subject: [keycloak-user] Keycloak RBAC permission check in node API In-Reply-To: References: Message-ID: Hi, Recently, we have added a policy enforcer component to the NodeJS adapter. I need to work on docs though. Could you check this example [1] ? For more details about how to obtain permissions from the server, take a look here [2]. [1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions On Tue, Oct 23, 2018 at 8:24 AM Shubham Akodiya wrote: > Hi Team, > > I was integrating the keycloak with nodejs and I want to restrict the > nodeJS API. I've added the *Authorization settings (scope, resources and > policies) *while creating the client. But struggling, how to protect the > API endpoints basis on the resource and scopes in nodejs app. 
I've declared > following resources and scopes in the client and also, added some policies > basis on the role. > > 'res:customer', 'scopes:create'], > ['/customers(*)', 'get', 'res:customer', 'scopes:view'], > ['/campaigns', 'post', 'res:campaign', 'scopes:create'], > ['/campaigns(*)', 'get', 'res:campaign', 'scopes:view > > Although, I've checked the link > and while I insight > into the code I found that there is one API http://localhost:8080/auth/ > realms/{realmName}/authz/entitlement/{clientName} > > which accepts the > authorization token in header and permissions in body like > '[{"resource_set_name": > "res:campaign", "scopes": [ 'scopes:view' ]}]', so this way we could check > that whether user have sufficient permission or not. *But while going > through the doc, I found that the entitlement API was removed in the > keycloak new version*. > > *So how can we perform the similar permission checks in new keycloak > version. Is there any API supported just like entitlement ? or Is there any > alternative way available to perform the protection check ?* > > Thanks, > Shubham Akodiya > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From Don.Reynolds at quest.com Tue Oct 23 08:38:45 2018 From: Don.Reynolds at quest.com (Don Reynolds (dreynold)) Date: Tue, 23 Oct 2018 12:38:45 +0000 Subject: [keycloak-user] User Federation for Admin Users In-Reply-To: References: Message-ID: Hello Pulkit, You could set up an identity provider in the Master realm which only your admin users have access to authenticate against, and then set up a "hardcoded role" mapper for that identity provider to map all who authenticate to the "admin" role. This will grant all your admins (who can authenticate against the identity provider you configured) admin access within the keycloak admin console.
If you only want to grant these users keycloak admin access for a particular realm, set up the identity provider in the desired realm and create the "hardcoded role" mapper to map the "realm-management" Client Role of "realm-admin" to those users. See more about "Dedicated Realm Admin Consoles" at: https://www.keycloak.org/docs/latest/server_admin/index.html#_per_realm_admin_permissions Regards, Don Reynolds > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org bounces at lists.jboss.org> On Behalf Of Pulkit Srivastava > Sent: Tuesday, October 23, 2018 6:52 AM > To: keycloak-user ; keycloak-user- > request at lists.jboss.org > Subject: [keycloak-user] User Federation for Admin Users > > Hi, > Is it possible to use an external user federation for admin users in keycloak. > These users should be able to login to keycloak admin. > > Thanks, > Pulkit > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sakodiya at grepruby.com Tue Oct 23 08:55:23 2018 From: sakodiya at grepruby.com (Shubham Akodiya) Date: Tue, 23 Oct 2018 18:25:23 +0530 Subject: [keycloak-user] Need help to Manage SSO in node application without any library Message-ID: Hi Team, I'm integrating the node application with keycloak without using *keycloak-connect library, *So In this case, I'm handling the following things at my end - - Managing user session. - Display our app login page instead of keycloak default page. - Performing the user authentication and authorization using the keycloak URLs. I have taken the reference of this app but I'm facing the problem in SSO and I'm guessing that this is happening because of not using the keycloak library, In which session is managed by keycloak. So how to achieve this in my application ? 
Thanks, Shubham Akodiya

From melissa.palmer at gmail.com Tue Oct 23 09:41:05 2018 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Tue, 23 Oct 2018 15:41:05 +0200 Subject: [keycloak-user] keycloak-quickstarts: app-authz-photoz vs. app-authz-uma-photoz Message-ID: Hi, Please can someone let me know what is the difference between the two quick-starts app-authz-photoz vs. app-authz-uma-photoz? Thanks In Advance Melissa

From psilva at redhat.com Tue Oct 23 10:04:51 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 23 Oct 2018 11:04:51 -0300 Subject: [keycloak-user] keycloak-quickstarts: app-authz-photoz vs. app-authz-uma-photoz In-Reply-To: References: Message-ID: app-authz-photoz is not using the UMA flow, so there is less overhead in the client when obtaining RPTs (no permission ticket). Instead, it just sends regular access tokens and the PEP enforces access by querying the server for permissions. On Tue, Oct 23, 2018 at 10:46 AM Melissa Palmer wrote: > Hi, > > Please can someone let me know what is the difference between the two > quick-starts > app-authz-photoz vs. app-authz-uma-photoz? > > Thanks In Advance > Melissa > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From NKARIPINENI at bwh.harvard.edu Tue Oct 23 12:24:15 2018 From: NKARIPINENI at bwh.harvard.edu (Karipineni, Neelima,M.D.) Date: Tue, 23 Oct 2018 16:24:15 +0000 Subject: [keycloak-user] OIDC protocol extension Message-ID: We have a use case where we're trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used. The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token.
Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference. Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It's like an additional consent step after user and client authentication rather than an additional authentication step. My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/src/main/java/org/keycloak/protocol/kubernetes, and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested. I'm not sure it's possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it's missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this? As an additional wrench, we're still on v3.3.0 and upgrade is not on the schedule as of now. The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.
From toyaserwork at gmail.com Tue Oct 23 13:12:23 2018 From: toyaserwork at gmail.com (Work Account) Date: Tue, 23 Oct 2018 13:12:23 -0400 Subject: [keycloak-user] Add x5c to be generated as part of the JWK Message-ID: Hi, In an effort to use keycloak as an IDP with Azure for multi factor authentication, Azure expects the x5c property to be available in the JWK when querying the jwks_uri. The change would simply include the x5c property as part of the returned JWK as described here (https://tools.ietf.org/html/rfc7517#section-4.7). In short, the x5c property contains the certificate chain. The change would involve updating core\src\main\java\org\keycloak\jose\jwk\JWKBuilder.java to generate the certificate chain from the RsaKeyMetadata certificate. Thanks

From sthorger at redhat.com Tue Oct 23 13:50:49 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 23 Oct 2018 19:50:49 +0200 Subject: [keycloak-user] OIDC protocol extension In-Reply-To: References: Message-ID: I wouldn't do a custom login protocol as that would be very hard to maintain. We've actually ended up refactoring the branch you point to into not using a login protocol. Why not use an optional authenticator for this purpose? It can check the scope and only display the additional consent step if the certain auth request scope is there. It can then add a note to the user session which you can map into the token with a protocol mapper. On Tue, 23 Oct 2018 at 18:29, Karipineni, Neelima,M.D. < NKARIPINENI at bwh.harvard.edu> wrote: > We have a use case where we're trying to implement an OAuth2 profile which > requires an extra claim on the access token when a certain auth request > scope is used. > The expected behavior is that when a certain scope is present in the auth > endpoint request then during the Authorization flow the user is shown an > extra screen where they input an identifier which ultimately is included as > a claim in the access token.
Details are at > http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) > for reference. > > Any suggestions on how to accomplish this in keycloak? I considered using > an ActionToken like in the quickstarts external action token example, but > the additional execution needs to happen even when the user has previously > authenticated. It's like an additional consent step after user and client > authentication rather than an additional authentication step. > > My current thought is to implement a custom LoginProtocol that wraps > OIDCLoginProtocol, as shown in > https://github.com/keycloak/keycloak/tree/openshift-integration/services/src/main/java/org/keycloak/protocol/kubernetes, > and have an additional redirect in the authenticated method that functions > similarly to the external action token example. The callback endpoint would > persist the extra claim against the client session until the access token > is requested. > > I'm not sure it's possible to extend the OIDC protocol within a new > protocol. Preliminarily after installing a shell wrapper protocol, it's > missing the OIDC configuration properties and mappers in the admin console. > Is something like this possible without copying/recreating large chunks of > the OIDC code? If not, any suggestions on alternative ways to accomplish > this? > > As an additional wrench, we're still on v3.3.0 and upgrade is not on the > schedule as of now. > > > > > The information in this e-mail is intended only for the person to whom it > is > addressed. If you believe this e-mail was sent to you in error and the > e-mail > contains patient information, please contact the Partners Compliance > HelpLine at > http://www.partners.org/complianceline . If the e-mail was sent to you in > error > but does not contain patient information, please contact the sender and > properly > dispose of the e-mail.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Oct 23 13:54:20 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 23 Oct 2018 19:54:20 +0200 Subject: [keycloak-user] Need help to Manage SSO in node application without any library In-Reply-To: References: Message-ID: I would suggest reconsidering this approach and rather leverage what is already there. Using the login pages from Keycloak is the best practice, in terms of security, flexibility and maintenance. Using our connect adapter (or a different OIDC library) is also highly recommended over trying to implement your own. On Tue, 23 Oct 2018 at 14:57, Shubham Akodiya wrote: > Hi Team, > > I'm integrating the node application with keycloak without using > *keycloak-connect > library, *So In this case, I'm handling the following things at my end - > - Managing user session. > - Display our app login page instead of keycloak default page. > - Performing the user authentication and authorization using the keycloak > URLs. > > I have taken the reference of this app > but I'm facing the > problem in SSO and I'm guessing that this is happening because of not using > the keycloak library, In which session is managed by keycloak. So how to > achieve this in my application ? > > Thanks, > Shubham Akodiya > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From NKARIPINENI at bwh.harvard.edu Tue Oct 23 14:03:02 2018 From: NKARIPINENI at bwh.harvard.edu (Karipineni, Neelima,M.D.) Date: Tue, 23 Oct 2018 18:03:02 +0000 Subject: [keycloak-user] OIDC protocol extension In-Reply-To: References: Message-ID: I believe that's essentially what the action-token-authenticator quickstart does.
I tested this out and it only shows the additional step if the user has not previously authenticated. If the user has an existing session, it forwards to an error page that says "You are already logged in". I did make it required and not optional though, since my understanding is that only one optional authenticator needs to successfully run. We need something that displays the additional consent step every time there is a new auth code request with the specified scope, regardless of whether the user has previously authenticated. It's also preferable that the user has successfully authenticated prior to showing the additional consent page, because there may be confidential data on the consent page (ie, a search widget for a patient identifier). From: Stian Thorgersen Reply-To: "stian at redhat.com" Date: Tuesday, October 23, 2018 at 1:51 PM To: "Karipineni, Neelima,M.D." Cc: keycloak-user Subject: Re: [keycloak-user] OIDC protocol extension External Email - Use Caution I wouldn't do a custom login protocol as that would be very hard to maintain. We've actually ended up refactoring the branch you point to into not using a login protocol. Why not use an optional authenticator for this purpose? It can check the scope and only display the additional consent step if the certain auth request scope is there. It can then add a note to the user session which you can map into the token with a protocol mapper. On Tue, 23 Oct 2018 at 18:29, Karipineni, Neelima,M.D. wrote: We have a use case where we're trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used. The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token.
Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference. Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It's like an additional consent step after user and client authentication rather than an additional authentication step. My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/src/main/java/org/keycloak/protocol/kubernetes, and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested. I'm not sure it's possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it's missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this? As an additional wrench, we're still on v3.3.0 and upgrade is not on the schedule as of now. The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From melissa.palmer at gmail.com Tue Oct 23 14:35:09 2018 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Tue, 23 Oct 2018 20:35:09 +0200 Subject: [keycloak-user] keycloak-quickstarts: app-authz-photoz vs. app-authz-uma-photoz In-Reply-To: References: Message-ID: Thanks Pedro, Two more things 1) on the app-authz-photoz it refers and uses photoz-authz-policy but there is no module for photoz-authz-policy in the code base, is it ok then to use the one from app-authz-uma-photoz 2) What would the advantage be to use the UMA flow? Thanks Melissa On Tue, 23 Oct 2018 at 16:05, Pedro Igor Silva wrote: > app-authz-photoz is not using UMA flow, so there is less overhead in the > client when obtaining RPTs (no permission ticket). Instead, it just sends > regular access tokens and PEP enforce access by querying the server for > permissions. > > On Tue, Oct 23, 2018 at 10:46 AM Melissa Palmer > wrote: > >> Hi, >> >> Please can someone let me know what is the difference between the two >> quick-starts >> app-authz-photoz vs. app-authz-uma-photoz? 
>> >> Thanks In Advance >> Melissa >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >

From ionel.gardais at tech-advantage.com Tue Oct 23 15:29:02 2018 From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Tue, 23 Oct 2018 21:29:02 +0200 (CEST) Subject: [keycloak-user] [FGTSPAM] Use of event.clientId in FreeMarker In-Reply-To: <445908380.414931.1540209805868.JavaMail.zimbra@tech-advantage.com> References: <445908380.414931.1540209805868.JavaMail.zimbra@tech-advantage.com> Message-ID: <1359062686.486791.1540322942093.JavaMail.zimbra@tech-advantage.com> OK, I found the culprit: the clientId getter in EventBean is getClient(), not getClientId(). So using event.client is OK. -- Ionel GARDAIS Tech'Advantage CIO - IT Team manager ----- Original message ----- From: "Ionel GARDAIS" To: "keycloak-user" Sent: Monday 22 October 2018 14:03:25 Subject: [FGTSPAM] [keycloak-user] Use of event.clientId in FreeMarker Hi, I've configured the localisation and FTL templates to send an email at every successful login. I'd like to add, beside the date and the source IP, the client through which the user was connected. However, event.clientId always resolves to null, whereas event.ipAddress and event.date are correct. Here is what lies in the .ftl file : ${msg("eventLoginBody",event.date,event.ipAddress,event.clientId)} messages_en.properties contains eventLoginSubject=Successful login eventLoginBody=A successful login was detected to your account on {0} from {1} for {2}. If this was not you, please contact an admin. eventLoginBodyHtml=

A successful login was detected to your account on {0} from {1} for {2}. If this was not you, please contact an admin.

If I log the event to the console, clientId is correctly set. Does EmailTemplateProvider swallow the clientId field ? Am I missing something in the template definition ? Thanks, Ionel Ionel GARDAIS CIO - IT Team manager -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From ionel.gardais at tech-advantage.com Tue Oct 23 15:31:42 2018 From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Tue, 23 Oct 2018 21:31:42 +0200 (CEST) Subject: [keycloak-user] Use of event.clientId in FreeMarker In-Reply-To: <1359062686.486791.1540322942093.JavaMail.zimbra@tech-advantage.com> References: <445908380.414931.1540209805868.JavaMail.zimbra@tech-advantage.com> <1359062686.486791.1540322942093.JavaMail.zimbra@tech-advantage.com> Message-ID: <1908306958.486793.1540323102558.JavaMail.zimbra@tech-advantage.com> OK, I found the culprit: the clientId getter in EventBean is getClient(), not getClientId(). So using event.client is OK. https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/email/freemarker/beans/EventBean.java#L45 -- Ionel GARDAIS Tech'Advantage CIO - IT Team manager ----- Original message ----- From: "Ionel GARDAIS" To: "keycloak-user" Sent: Monday 22 October 2018 14:03:25 Subject: [FGTSPAM] [keycloak-user] Use of event.clientId in FreeMarker Hi, I've configured the localisation and FTL templates to send an email at every successful login. I'd like to add, beside the date and the source IP, the client through which the user was connected. However, event.clientId always resolves to null, whereas event.ipAddress and event.date are correct.
Here is what lies in the .ftl file : ${msg("eventLoginBody",event.date,event.ipAddress,event.clientId)} messages_en.properties contains eventLoginSubject=Successful login eventLoginBody=A successful login was detected to your account on {0} from {1} for {2}. If this was not you, please contact an admin. eventLoginBodyHtml=

A successful login was detected to your account on {0} from {1} for {2}. If this was not you, please contact an admin.

If I logg the event to the console, clientId is correctly set. Does EmailTemplateProvider swallow the clientId field ? Am I missing something in the template definition ? Thanks, Ionel Ionel GARDAIS CIO - IT Team manager -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 From psilva at redhat.com Tue Oct 23 15:57:06 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 23 Oct 2018 16:57:06 -0300 Subject: [keycloak-user] keycloak-quickstarts: app-authz-photoz vs. app-authz-uma-photoz In-Reply-To: References: Message-ID: On Tue, Oct 23, 2018 at 3:35 PM Melissa Palmer wrote: > Thanks Pedro, > > Two more things > 1) on the app-authz-photoz it refers and uses photoz-authz-policy but > there is no module for photoz-authz-policy in the code base, > is it ok then to use the one from app-authz-uma-photoz > Humm ... I thought I have removed any reference for this one. If so, it is an issue and I'll fix it. That quickstart should not be using drools policies ... > > 2) What would the advantage be to use the UMA flow? > You are using a standard that is more suitable if you have privacy requirements. For instance, in UMA your client application is able to submit "authorization requests" to resource owners so they can approve access to others to their assets and you are allowed to manage permissions to these "user-managed resources" via a REST API. > > Thanks Melissa > > On Tue, 23 Oct 2018 at 16:05, Pedro Igor Silva wrote: > >> app-authz-photoz is not using UMA flow, so there is less overhead in the >> client when obtaining RPTs (no permission ticket). 
Instead, it just sends >> regular access tokens and PEP enforce access by querying the server for >> permissions. >> >> On Tue, Oct 23, 2018 at 10:46 AM Melissa Palmer >> wrote: >> >>> Hi, >>> >>> Please can someone let me know what is the difference between the two >>> quick-starts >>> app-authz-photoz vs. app-authz-uma-photoz? >>> >>> Thanks In Advance >>> Melissa >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From pulkitsrivastavajd at gmail.com Wed Oct 24 00:58:40 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Wed, 24 Oct 2018 10:28:40 +0530 Subject: [keycloak-user] User Federation for Admin Users Message-ID: Hi, Is it possible to use an external user federation for admin users in keycloak. These users should be able to login to keycloak admin. Thanks, Pulkit From melissa.palmer at gmail.com Wed Oct 24 07:57:51 2018 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Wed, 24 Oct 2018 13:57:51 +0200 Subject: [keycloak-user] Advanced authorization Message-ID: Hi, I am trying to do something similar to the following: - have a resource (say album) in app-authz-uma-photoz quickstart that includes a status attribute against it. - status such as: CREATED, APPROVED, DECLINED, - a person can then be given a role that allows for permissions (via a role) such as - album:create - album:approve - album:decline - BUT a person is not allowed to approve any albums they created themselves Is there a keycloak-quickstarts/example I can start from? Or a recommended way I should attempt to tackle this? 
Thank You in advance, Melissa From lilian.benoit at lbenoit.fr Wed Oct 24 08:18:00 2018 From: lilian.benoit at lbenoit.fr (Lilian BENOIT) Date: Wed, 24 Oct 2018 14:18:00 +0200 Subject: [keycloak-user] Configure EMail failed In-Reply-To: References: Message-ID: <9f5476bd4b8494f13ab9aa092e2cf617@lbenoit.fr> Hi, You must add email at your connected user. Regards. Lilian BENOIT. Le 2018-10-19 15:14, So Be a ?crit?: > Hi, > > as an administrator, I like to receive notifications when users log > into > Keycloak. > I tried to configure the EMail for the realm but I got > > Logged in user does not have an e-mail. > > Any idea about what causing this? > > Thank you. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Oct 24 08:44:35 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 24 Oct 2018 09:44:35 -0300 Subject: [keycloak-user] Advanced authorization In-Reply-To: References: Message-ID: Hi Melissa, I don't think this is very different than what we have in the quickstart you mentioned. On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer wrote: > Hi, > > I am trying to do something similar to the following: > - have a resource (say album) in app-authz-uma-photoz quickstart that > includes a status attribute against it. > - status such as: CREATED, APPROVED, DECLINED, > You probably noticed that resources in Keycloak have attributes, so you could set a "status" accordingly. You should be able to write JS policies that can access any attribute associated with a resource. > - a person can then be given a role that allows for permissions (via a > role) such as > > - album:create > - album:approve > - album:decline > If you have different authorization requirements for each scope, you can create a scope-based permission for each scope. Otherwise, a single scope-permission managing access for all of them. 
> - BUT a person is not allowed to approve any albums they created themselves

I would create a scope-permission specific for album:approve and associate it with a JS policy that denies access to the resource owner (considering the owner is the person that created the resource).

> Is there a keycloak-quickstarts/example I can start from?
> Or a recommended way I should attempt to tackle this?

It is worth highlighting that when using UMA and, especially, the "My Resources" page in the Account Service, resource owners are always allowed to manage their resources. It seems you are more interested in a workflow that does not really fit this functionality in particular. I think you would need to manage this workflow from your app based on the permissions you have in Keycloak.

> Thank You in advance,
> Melissa

From melissa.palmer at gmail.com  Wed Oct 24 09:01:15 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Wed, 24 Oct 2018 15:01:15 +0200
Subject: [keycloak-user] Advanced authorization
In-Reply-To:
References:
Message-ID:

Thanks Pedro, I will take a closer look. Yes, I'll put the workflow in the app. But we do want to manage the permissions in KEy.

I tried to align with the QuickStart to explain. But it's not necessarily on a resource that I own that I want to do this with. For example it could be against adding products in an ecommerce app, or transactions for a company.

It sounds like I should rather use the non-UMA example to try this against. Would that be better?

Thanks
Melissa

From rafaelweingartner at gmail.com  Wed Oct 24 09:08:56 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Wed, 24 Oct 2018 10:08:56 -0300
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
Message-ID:

Hello Keycloakers,

I am having some problems with Keycloak 4.5.0. I basically have set up two nodes, and they see each other. I am using MPING (the default configuration). The nodes are called "Keycloak-1" and "Keycloak-2". In front of these Keycloak nodes I have an HTTPD, which is using AJP to connect to and load balance them.

When the second server starts I can see:

> 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service thread 1-8) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]

So, they are seeing/reaching each other. The problem happens when I try to login.
I then get the following:

> MSC000001: Failed to start service org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: org.jboss.msc.service.StartException in service org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl

And errors like:

> Suppressed: java.util.concurrent.ExecutionException: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from keycloak-2
>
> 018-10-24 12:55:48,990 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "infinispan"),
>     ("cache-container" => "ejb"),
>     ("thread-pool" => "transport")
> ]) - failure description: {
>     "WFLYCTL0080: Failed services" => {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" => "org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>     Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache client-mappings on keycloak-2"},
>     "WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
>         "Services that were unable to start:" => ["org.wildfly.clustering.cache.group.ejb.client-mappings"],
>         "Services that may be the cause:" => [
>             "jboss.clustering.web.route.default-server",
>             "jboss.deployment.discovery.\"keycloak-server.war\"",
>             "jboss.ejb.association",
>             "jboss.ejb.remoting.connector.client-mappings",
>             "jboss.iiop-openjdk.poa-service.rootpoa",

I am quite puzzled; there are no ports being blocked, and the system has no load at all. Why would this timeout happen?

--
Rafael Weingärtner

From psilva at redhat.com  Wed Oct 24 09:14:08 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 24 Oct 2018 10:14:08 -0300
Subject: [keycloak-user] Advanced authorization
In-Reply-To:
References:
Message-ID:

Yeah, I think so. I need to document this ... But we also expose endpoints in the Admin REST API which you could use to manage these permissions/policies from your app.

From slaskawi at redhat.com  Wed Oct 24 09:29:31 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 24 Oct 2018 15:29:31 +0200
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
In-Reply-To:
References:
Message-ID:

The new view log messages look a bit weird. It seems that JGroups installed a new view every 1 ms, which is very unusual. There are three scenarios where this may happen (at least that I can think of from the top of my head):
- Very short timeout on FD_* protocols
- Faulty NIC or incorrect network level configuration in the datacenter
- Network packets are cut when in transport. I've seen it with one of the hardware firewalls (don't remember which one though). Due to faulty configuration it was cutting packets to a certain length, causing other layers to fail miserably.

Perhaps you could set the logging level to DEBUG on the org.jgroups package and check if there's anything interesting there?

From melissa.palmer at gmail.com  Wed Oct 24 09:56:04 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Wed, 24 Oct 2018 15:56:04 +0200
Subject: [keycloak-user] Advanced authorization
In-Reply-To:
References:
Message-ID:

Ok thank you, yes I have seen the Rest API, hadn't really thought I needed to use the API for this. What are you thinking?

From rafaelweingartner at gmail.com  Wed Oct 24 11:09:00 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Wed, 24 Oct 2018 12:09:00 -0300
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
In-Reply-To:
References:
Message-ID:

Thanks for the prompt reply. To answer you:

> - Very short timeout on FD_* protocols

It is the standard configuration, so this should not be a problem.

> - Faulty NIC or incorrect network level configuration in the datacenter
> - Network packets are cut when in transport. I've seen it with one of the
> hardware firewalls (don't remember which one though). Due to faulty
> configuration it was cutting packets to certain length causing other layers
> to fail miserably.

Maybe? Well, both VMs are in the same broadcast domain, and there is no firewall in between them.

Here go some log entries. There are some things that I do not understand here. Why am I seeing multiple "keycloak-1: installing view"? Shouldn't it only happen once? The same situation is happening with "created cluster (first member). My view is [keycloak-1|0]".
> 2018-10-24 14:45:25,130 DEBUG [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) socket information:
> mcast_addr=230.0.0.4:45688, bind_addr=/<>, ttl=2
> sock: bound to <>:55200, receive buffer size=212992, send buffer size=212992
> mcast_sock: bound to <>:45688, send buffer size=212992, receive buffer size=212992
> 2018-10-24 14:45:25,130 DEBUG [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) socket information:
> mcast_addr=230.0.0.4:45688, bind_addr=/<>, ttl=2
> sock: bound to <>:55200, receive buffer size=212992, send buffer size=212992
> mcast_sock: bound to <>:45688, send buffer size=212992, receive buffer size=212992
> 2018-10-24 14:45:25,139 DEBUG [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 50) address=keycloak-1, cluster=ejb, physical address=<>:55200
> 2018-10-24 14:45:25,139 DEBUG [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 50) address=keycloak-1, cluster=ejb, physical address=<>:55200
> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.NAKACK2] (ServerService Thread Pool -- 50)
> [keycloak-1 setDigest()]
> existing digest: []
> new digest: keycloak-1: [0 (0)]
> resulting digest: keycloak-1: [0 (0)]
> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.NAKACK2] (ServerService Thread Pool -- 50)
> [keycloak-1 setDigest()]
> existing digest: []
> new digest: keycloak-1: [0 (0)]
> resulting digest: keycloak-1: [0 (0)]
> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 50) keycloak-1: installing view [keycloak-1|0] (1) [keycloak-1]
> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 50) keycloak-1: installing view [keycloak-1|0] (1) [keycloak-1]
> 2018-10-24 14:45:28,150 DEBUG [org.jgroups.protocols.pbcast.STABLE] (ServerService Thread Pool -- 50) resuming message garbage collection
> 2018-10-24 14:45:28,150 DEBUG [org.jgroups.protocols.pbcast.STABLE] (ServerService Thread Pool -- 50) resuming message garbage collection
> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.STABLE] (ServerService Thread Pool -- 50) resuming message garbage collection
> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.STABLE] (ServerService Thread Pool -- 50) resuming message garbage collection
> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 50) keycloak-1: created cluster (first member). My view is [keycloak-1|0], impl is org.jgroups.protocols.pbcast.CoordGmsImpl
> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.GMS] (ServerService Thread Pool -- 50) keycloak-1: created cluster (first member). My view is [keycloak-1|0], impl is org.jgroups.protocols.pbcast.CoordGmsImpl
> 2018-10-24 14:45:28,621 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel ejb
> 2018-10-24 14:45:28,620 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
> 2018-10-24 14:45:28,620 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000078: Starting JGroups channel ejb
> 2018-10-24 14:45:28,625 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]
> 2018-10-24 14:48:02,138 DEBUG [org.jgroups.protocols.pbcast.STABLE] (thread-9,ejb,keycloak-1) suspending message garbage collection
> 2018-10-24 14:48:02,138 DEBUG [org.jgroups.protocols.pbcast.STABLE] (thread-9,ejb,keycloak-1) suspending message garbage collection
> 2018-10-24 14:48:02,139 DEBUG [org.jgroups.protocols.pbcast.STABLE] (thread-9,ejb,keycloak-1) keycloak-1: resume task started, max_suspend_time=33000
> 2018-10-24 14:48:02,139 DEBUG [org.jgroups.protocols.pbcast.STABLE] (thread-9,ejb,keycloak-1) keycloak-1: resume task started, max_suspend_time=33000
> 2018-10-24 14:48:02,140 DEBUG [org.jgroups.protocols.pbcast.GMS] (thread-9,ejb,keycloak-1) keycloak-1: installing view [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,140 DEBUG [org.jgroups.protocols.pbcast.GMS] (thread-9,ejb,keycloak-1) keycloak-1: installing view [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,142 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,143 DEBUG [org.jgroups.protocols.FD_SOCK] (FD_SOCK pinger-10,ejb,keycloak-1) keycloak-1: pingable_mbrs=[keycloak-1, keycloak-2], ping_dest=keycloak-2
> 2018-10-24 14:48:02,143 DEBUG [org.jgroups.protocols.FD_SOCK] (FD_SOCK pinger-10,ejb,keycloak-1) keycloak-1: pingable_mbrs=[keycloak-1, keycloak-2], ping_dest=keycloak-2
> 2018-10-24 14:48:02,148 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster
> 2018-10-24 14:48:02,149 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,151 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster
> 2018-10-24 14:48:02,153 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,154 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster
> 2018-10-24 14:48:02,154 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,155 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster
> 2018-10-24 14:48:02,155 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster
> 2018-10-24 14:48:02,156 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
> 2018-10-24 14:48:02,156 INFO [org.infinispan.CLUSTER] (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster
> 2018-10-24 14:48:02,194 DEBUG [org.jgroups.protocols.pbcast.STABLE] (thread-9,ejb,keycloak-1) resuming message garbage collection
> 2018-10-24 14:48:02,194 DEBUG [org.jgroups.protocols.pbcast.STABLE] (thread-9,ejb,keycloak-1) resuming message garbage collection
> 2018-10-24 14:48:03,229 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t2) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, 378015dd-8c56-44a7-ab7e-a93d706dd623]}
> 2018-10-24 14:48:03,231 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t2) [Context=offlineSessions][Scope=keycloak-1]ISPN100002: Started rebalance with topology id 2
> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t4) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, 378015dd-8c56-44a7-ab7e-a93d706dd623]}
> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t4) [Context=sessions][Scope=keycloak-1]ISPN100002: Started rebalance with topology id 2
> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] (remote-thread--p12-t2) ISPN000310: Starting cluster-wide rebalance for cache client-mappings, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 256, owners = (1)[keycloak-1: 256]}, pendingCH=ReplicatedConsistentHash{ns = 256, owners = (2)[keycloak-1: 134, keycloak-2: 122]}, unionCH=null, actualMembers=[keycloak-1, keycloak-2], persistentUUIDs=[f239ad45-df8a-4f17-a08b-6962b47ef073, 33572709-8cca-4daa-a2fd-eee2e3fd4c17]}
> 2018-10-24 14:48:03,243 INFO [org.infinispan.CLUSTER] (remote-thread--p12-t2) [Context=client-mappings][Scope=keycloak-1]ISPN100002: Started rebalance with topology id 2
> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t7) ISPN000310: Starting cluster-wide rebalance for cache actionTokens, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, 378015dd-8c56-44a7-ab7e-a93d706dd623]}
> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t7) [Context=actionTokens][Scope=keycloak-1]ISPN100002: Started rebalance with topology id 2
> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] (remote-thread--p16-t3) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]},
pendingCH=DefaultConsistentHash{ns=256, owners = > (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, > actualMembers=[keycloak-1, keycloak-2], > persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, > 378015dd-8c56-44a7-ab7e-a93d706dd623]} > 2018-10-24 14:48:03,271 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t2) > [Context=offlineSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 > finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] > (remote-thread--p16-t6) ISPN000310: Starting cluster-wide rebalance for > cache offlineClientSessions, topology CacheTopology{id=2, > phase=READ_OLD_WRITE_ALL, rebalanceId=2, > currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, > pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, > keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, > keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, > 378015dd-8c56-44a7-ab7e-a93d706dd623]} > 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] > (remote-thread--p16-t6) > [Context=offlineClientSessions][Scope=keycloak-1]ISPN100002: Started > rebalance with topology id 2 > 2018-10-24 14:48:03,278 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t3) [Context=sessions][Scope=keycloak-1]ISPN100003: > Node keycloak-1 finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,293 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t8) > [Context=actionTokens][Scope=keycloak-1]ISPN100003: Node keycloak-1 > finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t4) > [Context=clientSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 > finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t9) > [Context=loginFailures][Scope=keycloak-1]ISPN100003: Node keycloak-1 > finished rebalance phase with topology 
id 2 > 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t18) > [Context=authenticationSessions][Scope=keycloak-1]ISPN100003: Node > keycloak-1 finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t18) [Context=work][Scope=keycloak-1]ISPN100003: > Node keycloak-1 finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] > (transport-thread--p18-t23) > [Context=offlineClientSessions][Scope=keycloak-1]ISPN100003: Node > keycloak-1 finished rebalance phase with topology id 2 > 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] > (transport-thread--p20-t8) > [Context=client-mappings][Scope=keycloak-1]ISPN100003: Node keycloak-1 > finished rebalance phase with topology id 2 > 2018-10-24 14:49:02,158 WARN > [org.infinispan.topology.ClusterTopologyManagerImpl] > (transport-thread--p19-t2) ISPN000197: Error updating cluster member list: > org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out > waiting for responses for request 1 from keycloak-2 > at > org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) > at > org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) > at > org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at > On Wed, Oct 24, 2018 at 10:29 AM Sebastian Laskawiec wrote: > The new view log messages look a bit weird. 
> It seems that JGroups installed a new view every 1 ms, which is very unusual. There are three scenarios where this may happen (at least that I can think of off the top of my head):
> - Very short timeout on FD_* protocols
> - Faulty NIC or incorrect network level configuration in the datacenter
> - Network packets are cut when in transport. I've seen it with one of the hardware firewalls (don't remember which one though). Due to faulty configuration it was cutting packets to a certain length, causing other layers to fail miserably.
>
> Perhaps you could set the logging level to DEBUG on the org.jgroups package and check if there's anything interesting there?
>
> On Wed, Oct 24, 2018 at 3:11 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>
>> Hello Keycloakers,
>> I am having some problems with Keycloak 4.5.0. I basically have set up two nodes, and they see each other. I am using MPING (the default configuration). The nodes are called "Keycloak-1" and "Keycloak-2". In front of these Keycloak nodes I have an HTTPD, which is using AJP to connect to and load balance them.
>> >> When the second server starts I can see: >> >> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service >> thread >> > 1-5) ISPN000094: Received new cluster view for channel ejb: >> [keycloak-1|1] >> > (2) [keycloak-1, keycloak-2] >> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service >> thread >> > 1-2) ISPN000094: Received new cluster view for channel ejb: >> [keycloak-1|1] >> > (2) [keycloak-1, keycloak-2] >> > 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service >> thread >> > 1-3) ISPN000094: Received new cluster view for channel ejb: >> [keycloak-1|1] >> > (2) [keycloak-1, keycloak-2] >> > 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service >> thread >> > 1-8) ISPN000094: Received new cluster view for channel ejb: >> [keycloak-1|1] >> > (2) [keycloak-1, keycloak-2] >> > 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service >> thread >> > 1-7) ISPN000094: Received new cluster view for channel ejb: >> [keycloak-1|1] >> > (2) [keycloak-1, keycloak-2] >> > >> >> So, they are seeing/reaching each other. The problem happens when I try to >> login. 
I then get the following: >> >> > MSC000001: Failed to start service >> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: >> > org.jboss.msc.service.StartException in service >> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: >> > org.infinispan.commons.CacheException: Unable to invoke method public >> void >> > >> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >> > throws java.lang.Exception on object of type StateTransferManagerImpl >> > >> >> And errors like: >> >> > Suppressed: java.util.concurrent.ExecutionException: >> > org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out >> > waiting for responses for request 2 from keycloak-2 >> > >> >> 018-10-24 12:55:48,990 ERROR >> [org.jboss.as.controller.management-operation] >> > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - >> address: ([ >> > ("subsystem" => "infinispan"), >> > ("cache-container" => "ejb"), >> > ("thread-pool" => "transport") >> > ]) - failure description: { >> > "WFLYCTL0080: Failed services" => >> > {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" => >> > "org.infinispan.commons.CacheException: Unable to invoke method public >> void >> > >> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >> > throws java.lang.Exception on object of type StateTransferManagerImpl >> > Caused by: org.infinispan.commons.CacheException: Unable to invoke >> > method public void >> > >> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >> > throws java.lang.Exception on object of type StateTransferManagerImpl >> > Caused by: org.infinispan.commons.CacheException: Initial state >> > transfer timed out for cache client-mappings on keycloak-2"}, >> > "WFLYCTL0288: One or more services were unable to start due to one >> or >> > more indirect dependencies not being available." 
>> > => {
>> > "Services that were unable to start:" => ["org.wildfly.clustering.cache.group.ejb.client-mappings"],
>> > "Services that may be the cause:" => [
>> > "jboss.clustering.web.route.default-server",
>> > "jboss.deployment.discovery.\"keycloak-server.war\"",
>> > "jboss.ejb.association",
>> > "jboss.ejb.remoting.connector.client-mappings",
>> > "jboss.iiop-openjdk.poa-service.rootpoa",
>> >
>>
>> I am quite puzzled: there are no ports being blocked, and the system has no load at all. Why would this timeout happen?
>>
>> --
>> Rafael Weingärtner
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
--
Rafael Weingärtner

From andreas.lau at outlook.com Wed Oct 24 11:16:23 2018
From: andreas.lau at outlook.com (Andreas Lau)
Date: Wed, 24 Oct 2018 15:16:23 +0000
Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
Message-ID:

Hello,

we deployed a JSF PrimeFaces application on a JBoss EAP 7.0 system. We have to support multiple clients using multi-tenancy. We followed the instructions of the documentation [1] to build a custom KeycloakConfigResolver. We configured the web.xml like this:

[web.xml]
...
<security-constraint>
    <web-resource-collection>
        <web-resource-name>portal</web-resource-name>
        <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>public</web-resource-name>
        <url-pattern>/portal/pages/willkommen.jsf</url-pattern>
        <url-pattern>/portal/pages/logout.jsf</url-pattern>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
...
<context-param>
    <param-name>keycloak.config.resolver</param-name>
    <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
</context-param>
...

As you can see, everything under /portal is restricted, with two exceptions. The code of MandantBasedKeycloakConfigResolver is straightforward and adapted from the example code [2]. In our example we assume that the URL has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
After deployment I realized that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out, the KeycloakConfigResolver.resolve() method is called for every resource that is loaded through GET requests to display the site. I did not expect that many invocations, since the resources are not protected.

Can you please tell me if this behaviour is correct? What is my error in adopting the multi-tenancy sample? How can we prevent/work around that many calls?

While researching I found a JIRA issue, https://issues.jboss.org/browse/KEYCLOAK-8616, with a potentially similar problem. There they use Keycloak to secure a Spring Boot application and have trouble when an SSO redirection occurs.

Regards,
Andreas

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy

[2]
package de.sample.security;

import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.jboss.logging.Logger;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

public class MandantBasedKeycloakConfigResolver implements KeycloakConfigResolver {

    // The logger, the two fields and the filename helper were not part of the posted
    // snippet; they are filled in here so the class compiles (jboss-logging is assumed).
    private static final Logger LOGGER = Logger.getLogger(MandantBasedKeycloakConfigResolver.class);

    // One parsed deployment per tenant id, so keycloak.json is read only once per tenant.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();
    private int counter = 0;

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
        final String mandantId = request.getFirstParam("kId");
        LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
        LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
        if (mandantId == null || mandantId.isEmpty()) {
            // Requests without the tenant parameter (see the resource requests in log [3]) end up here.
            // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
            return null;
        }
        KeycloakDeployment deployment = cache.get(mandantId);
        if (deployment == null) {
            String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
            InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
            if (is == null) {
                // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
                return null;
            }
            LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
            deployment = KeycloakDeploymentBuilder.build(is);
            cache.put(mandantId, deployment);
        }
        return deployment;
    }

    // Assumed mapping from tenant id to config resource; the original post does not show this method.
    private String resolveKeycloakConfigFilename(String mandantId) {
        return "keycloak-" + mandantId + ".json";
    }
}

[3]
17:28:43,281 DEBUG
[de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen 17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<< 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3 
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) 
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] ....... 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! 
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]

From Don.Reynolds at quest.com Wed Oct 24 12:16:50 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Wed, 24 Oct 2018 16:16:50 +0000
Subject: [keycloak-user] User Federation for Admin Users
In-Reply-To:
References:
Message-ID:

Hello Pulkit,

You could set up an identity provider in the Master realm which only your admin users have access to authenticate against, and then set up a "hardcoded role" mapper for that identity provider to map all who authenticate to the "admin" role. This will grant all your admins (who can authenticate against the identity provider you configured) admin access within the Keycloak admin console.

If you only want to grant these users Keycloak admin access for a particular realm, set up the identity provider in the desired realm and create the "hardcoded role" mapper to map the "realm-management" client role "realm-admin" to those users. See more about "Dedicated Realm Admin Consoles" at: https://www.keycloak.org/docs/latest/server_admin/index.html#_per_realm_admin_permissions

Regards,
Don Reynolds

> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Pulkit Srivastava
> Sent: Wednesday, October 24, 2018 12:59 AM
> To: keycloak-user
> Subject: [keycloak-user] User Federation for Admin Users
>
> Hi,
> Is it possible to use an external user federation for admin users in Keycloak?
> These users should be able to log in to the Keycloak admin console.
>
> Thanks,
> Pulkit

From jcain at redhat.com Wed Oct 24 16:48:49 2018
From: jcain at redhat.com (Josh Cain)
Date: Wed, 24 Oct 2018 15:48:49 -0500
Subject: [keycloak-user] SAML 2.0 Broker Kickoff - Config Issue or Bug?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

I'm trying to drop into a SAML 2.0 brokered flow, and I can't seem to get Keycloak to kick it off right. Here's what I'm doing:

1) Setting up a third-party IDP as an Identity Provider by importing SAML 2.0 metadata.
2) Attempting a standard login flow against a client, then clicking the newly added identity provider on the login screen.
3) Watch, as Keycloak gives me an "Invalid Request" error message

After looking under the hood, I can see that it's fussing about not having a ClientID:

[2018-10-24 20:12:41,591+0000] DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-61) Invalid request. Authorization code, clientId or tabId was null. Code=IugzCrTYU0xfZ_sLF1prPRTZC5WsR9-F3HrDyCUegLE, clientId=null, tabID=vPZ0M6-0eao

I also just attempted with a Github provider, and encountered the same issue. Not sure what's going on, as the IdentityProviderBean doesn't use the clientId (as I'd imagine it shouldn't?) when constructing the provider URLs; it seems strange that it would be required:

String loginUrl = Urls.identityProviderAuthnRequest(baseURI, identityProvider.getAlias(), realm.getName()).toString();

Sooo... can someone help me figure out what I'm doing wrong here? I'm guessing user error is the problem here (otherwise, a lot of brokering would be busted). Thanks!
- --
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEyXW6Vl+0L9r9LpVurGNtyYPQwPgFAlvQ2rEACgkQrGNtyYPQ
wPhVPhAApyIVMKeGMfGsMr2HNeNIngfG91posPwGWoNWUjy8ZD6dBXgM8qbUnIgr
SC9i43Kde6EyANNA1dy5Wh45xCX3SlyFm4Pet5IvoxRa1/+hx8OEGMW0R9hfNm33
36ZyrbJtZtowtXJzZklATxAoT5yuzZe+tLmEn3edj9rSV3U6LfRrrFbGHkq+qPp6
rsN5/BkBemP1aQH/ssw/lX137js83B8XELfXvfkf53AIZWDTS5v2ssSR5eUOu+bc
15vzg9uWJtmhi7hr2Ws9StKVWARttnjR0Q0gXf4Fy4IqCEK4TfTZhDmv60wNfUsR
B1S6OGcxNjzmjbtvwqSxEAxGt/Ll9SLTJLVMbddpIIWmPJs0edhz8pr3etYOFtQr
LriHg4iBZ/CTdMBI47oYHbg/uc0XFtbLQ3RnZ8GmOwq9b4BvxJ8rNiHWhdACW4MN
Gi5EUHn6kfXDRs/WVGFJ5LFQgBDEMwbCpoBtXBoZisC8KJZCKVDe1fcw90U256iF
o1+pWZiJtq7/VfohKFMOeQJ79lym5VieAgVB7TwoITNWKYKL4gVVuEi6pcAhrdNd
fVy2f4dS1qqN8Meq04iCMejpDI8zU+XLv6HEkWqxVgyvULDJA56o4Fpsc7KtIq07
UzxpmQ34FoGXz8JwlMjCVT6ZJ4X8BHYAf8KRkKWSNO3fgubnWN0=
=y2UI
-----END PGP SIGNATURE-----

From jcain at redhat.com Wed Oct 24 18:02:52 2018
From: jcain at redhat.com (Josh Cain)
Date: Wed, 24 Oct 2018 17:02:52 -0500
Subject: [keycloak-user] SAML 2.0 Broker Kickoff - Config Issue or Bug?
In-Reply-To:
References:
Message-ID: <5f7699c62180ea1d017467e93288cbb95d1b7514.camel@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OK... figured it out. Turns out if I'm using an IdP-initiated flow (i.e. hitting the Keycloak URL for that SAML client), then that field is blank. I've got the docs[1] on how to configure this flow. Thanks for being my rubber duck, keycloak-user list.

[1] https://www.keycloak.org/docs/2.5/server_admin/topics/clients/saml/idp-initiated-login.html#_identity_broker

On Wed, 2018-10-24 at 15:48 -0500, Josh Cain wrote:
> Hi all,
>
> I'm trying to drop into a SAML 2.0 brokered flow, and I can't seem to get Keycloak to kick it off right. Here's what I'm doing:
>
> 1) Setting up a third-party IDP as an Identity Provider by importing SAML 2.0 metadata.
> 2) Attempting a standard login flow against a client, then clicking the newly added identity provider on the login screen.
> 3) Watch, as Keycloak gives me an "Invalid Request" error message
>
> After looking under the hood, I can see that it's fussing about not having a ClientID:
>
> [2018-10-24 20:12:41,591+0000] DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-61) Invalid request. Authorization code, clientId or tabId was null. Code=IugzCrTYU0xfZ_sLF1prPRTZC5WsR9-F3HrDyCUegLE, clientId=null, tabID=vPZ0M6-0eao
>
> I also just attempted with a Github provider, and encountered the same issue. Not sure what's going on, as the IdentityProviderBean doesn't use the clientId (as I'd imagine it shouldn't?) when constructing the provider URLs; it seems strange that it would be required:
>
> String loginUrl = Urls.identityProviderAuthnRequest(baseURI, identityProvider.getAlias(), realm.getName()).toString();
>
> Sooo... can someone help me figure out what I'm doing wrong here? I'm guessing user error is the problem here (otherwise, a lot of brokering would be busted). Thanks!
>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEyXW6Vl+0L9r9LpVurGNtyYPQwPgFAlvQ7AwACgkQrGNtyYPQ
wPhxlA//UXG5Xqc9xsn9XlKb/C3HNXxSi3cBhrSETDfRkEsv6WS2Ka/htzNC+xJ1
YqRXiCKGeqAUuNoQZ+t0gpC/PB2KM3Z2VWFjv7HFl4KFiRsuyWffpCzL2xKy8gYs
wqnnMcTlaOIYALyijrC5zlucd+2ZgU7c5eo+260D2L8IyKuRHHItkYzDUXLlitRO
5ivt+heJXP0WlX/jDSGyGeBR9rcUuxggxVt79Nd7tAuTa7Fn4iYUyKCMXWpPSFFN
4KDZpKGEp46anyoyCl0Y8+qJRTMiw7rHSU0FSJwQj9V6oeZkX0duwp9Z7yEYy0nH
Av7MYBWBZ+Ga+Bkda4WoLMG6L8qvFhiVxHHaHKAfDvNTNY5WOrUGvs4sMQc1oidk
o4rGVZ1PWjr4vP8/OKNNUJS55zFt0vxmnNsjg45dE6Y5PlsjZ4Wq/BuwhHW5NstE
0h7UtOSaVFDcJGPb4Zvk2unWuKEPE1OVB9cKYp+ehKMt9M6/F148D6KUDceiEKrg
7Y6qGfclgnaPM7xDY5KlObsBYS1BLA0CbbhOHahj/FIIsjdq2lNNOU2PfpBbEFmh
ZRkBX2n8HoucTMzInabbGQOBmm8lDPgO0DsCulwWCDKMT8HJKMhOFYFHcjP7DWpM
nt47EBtX/B2Y95M1YGQPQdUWk+gqBmc3fGa2b1dw8IyEIqY3w/8=
=Mmn2
-----END PGP SIGNATURE-----

From dt at acutus.pro Wed Oct 24 20:20:59 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 25 Oct 2018 03:20:59 +0300
Subject: [keycloak-user] OIDC protocol extension
In-Reply-To:
References:
Message-ID: <1540426859.22397.1.camel@acutus.pro>

Hello Neelima,

I think this can be solved with a custom authenticator, as Stian suggested. To make it appear unconditionally, regardless of the authentication status, configure your flow like this: https://i.imgur.com/TwslFME.png

The idea is to move the actual authentication stuff into a subflow and make it "alternative", while your authenticator should be "required". Each time the Keycloak auth endpoint is requested, the authenticator will be invoked even if the user is already logged in.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-10-23 at 18:03 +0000, Karipineni, Neelima,M.D. wrote:
> I believe that's essentially what the action-token-authenticator quickstart does.
> I tested this out and it only shows the additional step if the user has not previously authenticated. If the user has an existing session, it forwards to an error page that says "You are already logged in". I did make it required and not optional though, since my understanding is that only one optional authenticator needs to successfully run.
>
> We need something that displays the additional consent step every time there is a new auth code request with the specified scope, regardless of whether the user has previously authenticated. It's also preferable that the user has successfully authenticated prior to showing the additional consent page, because there may be confidential data on the consent page (ie, a search widget for a patient identifier).
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Tuesday, October 23, 2018 at 1:51 PM
> To: "Karipineni, Neelima,M.D."
> Cc: keycloak-user
> Subject: Re: [keycloak-user] OIDC protocol extension
>
> External Email - Use Caution
>
> I wouldn't do a custom login protocol as that would be very hard to maintain. We've actually ended up refactoring the branch you point to into not using a login protocol.
>
> Why not use an optional authenticator for this purpose? It can check the scope and only display the additional consent step if the certain auth request scope is there. It can then add a note to the user session which you can map into the token with a protocol mapper.
>
> On Tue, 23 Oct 2018 at 18:29, Karipineni, Neelima,M.D. wrote:
> We have a use case where we're trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used.
> The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token.
> Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference.
>
> Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It's like an additional consent step after user and client authentication rather than an additional authentication step.
>
> My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/src/main/java/org/keycloak/protocol/kubernetes, and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested.
>
> I'm not sure it's possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it's missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this?
>
> As an additional wrench, we're still on v3.3.0 and upgrade is not on the schedule as of now.
>
> The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rafaelweingartner at gmail.com Wed Oct 24 20:39:43 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Wed, 24 Oct 2018 21:39:43 -0300
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
In-Reply-To:
References:
Message-ID:

Just an update. It is interesting, at least to me, but version 4.0.0.Final of Keycloak works just fine in the same set up. It seems that there is something that was changed in Keycloak 4.5.0, which is somehow sensitive to something in this environment. I have not been able to pinpoint it though.

On Wed, Oct 24, 2018 at 12:09 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:

> Thanks for the prompt reply. To answer you:
>
>> - Very short timeout on FD_* protocols
>
> It is the standard configuration, so, this should not be a problem.
>
>> - Faulty NIC or incorrect network level configuration in the datacenter
>> - Network packets are cut when in transport. I've seen it with one of the hardware firewalls (don't remember which one though). Due to faulty configuration it was cutting packets to certain length causing other layers to fail miserably.
>
> Maybe? Well, both VMs are in the same broadcast domain, and there is no firewall in-between them.
>
> Here go some log entries. There are some things that I do not understand here. Why am I seeing multiple "keycloak-1: installing view"? Shouldn't it only happen once? The same situation is happening with "created cluster (first member). My view is [keycloak-1|0]"
> > > >> 2018-10-24 14:45:25,130 DEBUG [org.jgroups.protocols.UDP] (ServerService >> Thread Pool -- 50) socket information: >> mcast_addr=230.0.0.4:45688, bind_addr=/<>, ttl=2 >> sock: bound to <>:55200, receive buffer >> size=212992, send buffer size=212992 >> mcast_sock: bound to <>:45688, send buffer >> size=212992, receive buffer size=212992 >> 2018-10-24 14:45:25,130 DEBUG [org.jgroups.protocols.UDP] (ServerService >> Thread Pool -- 50) socket information: >> mcast_addr=230.0.0.4:45688, bind_addr=/<>, ttl=2 >> sock: bound to <>:55200, receive buffer >> size=212992, send buffer size=212992 >> mcast_sock: bound to <>:45688, send buffer >> size=212992, receive buffer size=212992 >> 2018-10-24 14:45:25,139 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (ServerService Thread Pool -- 50) address=keycloak-1, cluster=ejb, physical >> address=<>:55200 >> 2018-10-24 14:45:25,139 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (ServerService Thread Pool -- 50) address=keycloak-1, cluster=ejb, physical >> address=<>:55200 >> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.NAKACK2] >> (ServerService Thread Pool -- 50) >> [keycloak-1 setDigest()] >> existing digest: [] >> new digest: keycloak-1: [0 (0)] >> resulting digest: keycloak-1: [0 (0)] >> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.NAKACK2] >> (ServerService Thread Pool -- 50) >> [keycloak-1 setDigest()] >> existing digest: [] >> new digest: keycloak-1: [0 (0)] >> resulting digest: keycloak-1: [0 (0)] >> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (ServerService Thread Pool -- 50) keycloak-1: installing view >> [keycloak-1|0] (1) [keycloak-1] >> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (ServerService Thread Pool -- 50) keycloak-1: installing view >> [keycloak-1|0] (1) [keycloak-1] >> 2018-10-24 14:45:28,150 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (ServerService Thread Pool -- 50) resuming message garbage collection >> 2018-10-24 
14:45:28,150 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (ServerService Thread Pool -- 50) resuming message garbage collection >> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (ServerService Thread Pool -- 50) resuming message garbage collection >> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (ServerService Thread Pool -- 50) resuming message garbage collection >> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (ServerService Thread Pool -- 50) keycloak-1: created cluster (first >> member). My view is [keycloak-1|0], impl is >> org.jgroups.protocols.pbcast.CoordGmsImpl >> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (ServerService Thread Pool -- 50) keycloak-1: created cluster (first >> member). My view is [keycloak-1|0], impl is >> org.jgroups.protocols.pbcast.CoordGmsImpl >> 2018-10-24 14:45:28,621 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-3) ISPN000078: Starting JGroups channel ejb >> 2018-10-24 14:45:28,620 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-1) ISPN000078: Starting JGroups channel ejb >> 2018-10-24 14:45:28,620 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-5) ISPN000078: Starting JGroups channel ejb >> 2018-10-24 14:45:28,625 INFO [org.infinispan.CLUSTER] (MSC service >> thread 1-3) ISPN000094: Received new cluster view for channel ejb: >> [keycloak-1|0] (1) [keycloak-1] >> > > > 2018-10-24 14:48:02,138 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (thread-9,ejb,keycloak-1) suspending message garbage collection >> 2018-10-24 14:48:02,138 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (thread-9,ejb,keycloak-1) suspending message garbage collection >> 2018-10-24 14:48:02,139 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (thread-9,ejb,keycloak-1) keycloak-1: resume task started, >> max_suspend_time=33000 >> 
2018-10-24 14:48:02,139 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (thread-9,ejb,keycloak-1) keycloak-1: resume task started, >> max_suspend_time=33000 >> 2018-10-24 14:48:02,140 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (thread-9,ejb,keycloak-1) keycloak-1: installing view [keycloak-1|1] (2) >> [keycloak-1, keycloak-2] >> 2018-10-24 14:48:02,140 DEBUG [org.jgroups.protocols.pbcast.GMS] >> (thread-9,ejb,keycloak-1) keycloak-1: installing view [keycloak-1|1] (2) >> [keycloak-1, keycloak-2] >> 2018-10-24 14:48:02,142 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >> 2018-10-24 14:48:02,143 DEBUG [org.jgroups.protocols.FD_SOCK] (FD_SOCK >> pinger-10,ejb,keycloak-1) keycloak-1: pingable_mbrs=[keycloak-1, >> keycloak-2], ping_dest=keycloak-2 >> 2018-10-24 14:48:02,143 DEBUG [org.jgroups.protocols.FD_SOCK] (FD_SOCK >> pinger-10,ejb,keycloak-1) keycloak-1: pingable_mbrs=[keycloak-1, >> keycloak-2], ping_dest=keycloak-2 >> 2018-10-24 14:48:02,148 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >> 2018-10-24 14:48:02,149 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >> 2018-10-24 14:48:02,151 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >> 2018-10-24 14:48:02,153 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >> 2018-10-24 14:48:02,154 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >> 2018-10-24 14:48:02,154 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >> ejb: [keycloak-1|1] (2) [keycloak-1, 
keycloak-2] >> 2018-10-24 14:48:02,155 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >> > > 2018-10-24 14:48:02,155 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >> 2018-10-24 14:48:02,156 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >> 2018-10-24 14:48:02,156 INFO [org.infinispan.CLUSTER] >> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >> 2018-10-24 14:48:02,194 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (thread-9,ejb,keycloak-1) resuming message garbage collection >> 2018-10-24 14:48:02,194 DEBUG [org.jgroups.protocols.pbcast.STABLE] >> (thread-9,ejb,keycloak-1) resuming message garbage collection >> 2018-10-24 14:48:03,229 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t2) ISPN000310: Starting cluster-wide rebalance for >> cache offlineSessions, topology CacheTopology{id=2, >> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >> currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, >> pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, >> keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, >> keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >> 2018-10-24 14:48:03,231 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t2) >> [Context=offlineSessions][Scope=keycloak-1]ISPN100002: Started rebalance >> with topology id 2 >> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t4) ISPN000310: Starting cluster-wide rebalance for >> cache sessions, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >> (2)[keycloak-1: 134+122, 
keycloak-2: 122+134]}, unionCH=null, >> actualMembers=[keycloak-1, keycloak-2], >> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t4) [Context=sessions][Scope=keycloak-1]ISPN100002: >> Started rebalance with topology id 2 >> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] >> (remote-thread--p12-t2) ISPN000310: Starting cluster-wide rebalance for >> cache client-mappings, topology CacheTopology{id=2, >> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >> currentCH=ReplicatedConsistentHash{ns = 256, owners = (1)[keycloak-1: >> 256]}, pendingCH=ReplicatedConsistentHash{ns = 256, owners = >> (2)[keycloak-1: 134, keycloak-2: 122]}, unionCH=null, >> actualMembers=[keycloak-1, keycloak-2], >> persistentUUIDs=[f239ad45-df8a-4f17-a08b-6962b47ef073, >> 33572709-8cca-4daa-a2fd-eee2e3fd4c17]} >> 2018-10-24 14:48:03,243 INFO [org.infinispan.CLUSTER] >> (remote-thread--p12-t2) >> [Context=client-mappings][Scope=keycloak-1]ISPN100002: Started rebalance >> with topology id 2 >> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t7) ISPN000310: Starting cluster-wide rebalance for >> cache actionTokens, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >> actualMembers=[keycloak-1, keycloak-2], >> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t7) [Context=actionTokens][Scope=keycloak-1]ISPN100002: >> Started rebalance with topology id 2 >> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t3) ISPN000310: Starting cluster-wide rebalance for >> cache loginFailures, 
topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >> actualMembers=[keycloak-1, keycloak-2], >> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >> > > 2018-10-24 14:48:03,271 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t2) >> [Context=offlineSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 >> finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t6) ISPN000310: Starting cluster-wide rebalance for >> cache offlineClientSessions, topology CacheTopology{id=2, >> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >> currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, >> pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, >> keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, >> keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >> 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] >> (remote-thread--p16-t6) >> [Context=offlineClientSessions][Scope=keycloak-1]ISPN100002: Started >> rebalance with topology id 2 >> 2018-10-24 14:48:03,278 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t3) [Context=sessions][Scope=keycloak-1]ISPN100003: >> Node keycloak-1 finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,293 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t8) >> [Context=actionTokens][Scope=keycloak-1]ISPN100003: Node keycloak-1 >> finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t4) >> [Context=clientSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 >> finished rebalance phase with topology id 2 >> 
2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t9) >> [Context=loginFailures][Scope=keycloak-1]ISPN100003: Node keycloak-1 >> finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t18) >> [Context=authenticationSessions][Scope=keycloak-1]ISPN100003: Node >> keycloak-1 finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t18) [Context=work][Scope=keycloak-1]ISPN100003: >> Node keycloak-1 finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] >> (transport-thread--p18-t23) >> [Context=offlineClientSessions][Scope=keycloak-1]ISPN100003: Node >> keycloak-1 finished rebalance phase with topology id 2 >> 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] >> (transport-thread--p20-t8) >> [Context=client-mappings][Scope=keycloak-1]ISPN100003: Node keycloak-1 >> finished rebalance phase with topology id 2 >> 2018-10-24 14:49:02,158 WARN >> [org.infinispan.topology.ClusterTopologyManagerImpl] >> (transport-thread--p19-t2) ISPN000197: Error updating cluster member list: >> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out >> waiting for responses for request 1 from keycloak-2 >> at >> org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) >> at >> org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) >> at >> org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> at >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> at >> 
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>> at
>
> On Wed, Oct 24, 2018 at 10:29 AM Sebastian Laskawiec wrote:
>
>> The new view log messages look a bit weird. It seems that JGroups installed new view every 1 ms, which is very unusual. There are three scenarios where this may happen (at least that I can think from the top of my head):
>> - Very short timeout on FD_* protocols
>> - Faulty NIC or incorrect network level configuration in the datacenter
>> - Network packets are cut when in transport. I've seen it with one of the hardware firewalls (don't remember which one though). Due to faulty configuration it was cutting packets to certain length causing other layers to fail miserably.
>>
>> Perhaps you could set the logging level to DEBUG on org.jgroups package and check if there's anything interesting there?
>>
>> On Wed, Oct 24, 2018 at 3:11 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>
>>> Hello Keycloakers,
>>> I am having some problems with Keycloak 4.5.0. I basically have set up two nodes, and they see each other. I am using MPING (the default configuration). The nodes are called "Keycloak-1" and "Keycloak-2". In front of these Keycloak nodes I have an HTTPD, which is using AJP to connect and load balance them.
>>> >>> When the second server starts I can see: >>> >>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service >>> thread >>> > 1-5) ISPN000094: Received new cluster view for channel ejb: >>> [keycloak-1|1] >>> > (2) [keycloak-1, keycloak-2] >>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service >>> thread >>> > 1-2) ISPN000094: Received new cluster view for channel ejb: >>> [keycloak-1|1] >>> > (2) [keycloak-1, keycloak-2] >>> > 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service >>> thread >>> > 1-3) ISPN000094: Received new cluster view for channel ejb: >>> [keycloak-1|1] >>> > (2) [keycloak-1, keycloak-2] >>> > 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service >>> thread >>> > 1-8) ISPN000094: Received new cluster view for channel ejb: >>> [keycloak-1|1] >>> > (2) [keycloak-1, keycloak-2] >>> > 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service >>> thread >>> > 1-7) ISPN000094: Received new cluster view for channel ejb: >>> [keycloak-1|1] >>> > (2) [keycloak-1, keycloak-2] >>> > >>> >>> So, they are seeing/reaching each other. The problem happens when I try >>> to >>> login. 
I then get the following: >>> >>> > MSC000001: Failed to start service >>> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: >>> > org.jboss.msc.service.StartException in service >>> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: >>> > org.infinispan.commons.CacheException: Unable to invoke method public >>> void >>> > >>> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >>> > throws java.lang.Exception on object of type StateTransferManagerImpl >>> > >>> >>> And errors like: >>> >>> > Suppressed: java.util.concurrent.ExecutionException: >>> > org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out >>> > waiting for responses for request 2 from keycloak-2 >>> > >>> >>> 018-10-24 12:55:48,990 ERROR >>> [org.jboss.as.controller.management-operation] >>> > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - >>> address: ([ >>> > ("subsystem" => "infinispan"), >>> > ("cache-container" => "ejb"), >>> > ("thread-pool" => "transport") >>> > ]) - failure description: { >>> > "WFLYCTL0080: Failed services" => >>> > {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" => >>> > "org.infinispan.commons.CacheException: Unable to invoke method public >>> void >>> > >>> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >>> > throws java.lang.Exception on object of type StateTransferManagerImpl >>> > Caused by: org.infinispan.commons.CacheException: Unable to invoke >>> > method public void >>> > >>> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >>> > throws java.lang.Exception on object of type StateTransferManagerImpl >>> > Caused by: org.infinispan.commons.CacheException: Initial state >>> > transfer timed out for cache client-mappings on keycloak-2"}, >>> > "WFLYCTL0288: One or more services were unable to start due to one >>> or >>> > more indirect dependencies not 
>>> > being available." => {
>>> > "Services that were unable to start:" => ["org.wildfly.clustering.cache.group.ejb.client-mappings"],
>>> > "Services that may be the cause:" => [
>>> > "jboss.clustering.web.route.default-server",
>>> > "jboss.deployment.discovery.\"keycloak-server.war\"",
>>> > "jboss.ejb.association",
>>> > "jboss.ejb.remoting.connector.client-mappings",
>>> > "jboss.iiop-openjdk.poa-service.rootpoa",
>>> >
>>>
>>> I am quite puzzled, there are no ports being blocked, and the system has no load at all. Why would this timeout happen?
>>>
>>> --
>>> Rafael Weingärtner
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Rafael Weingärtner

--
Rafael Weingärtner

From Mallikarjuna.Biradar_HCL at kantar.com Thu Oct 25 02:21:19 2018
From: Mallikarjuna.Biradar_HCL at kantar.com (Biradar, Mallikarjuna (HYD))
Date: Thu, 25 Oct 2018 06:21:19 +0000
Subject: [keycloak-user] Help
Message-ID:

Hi Team,

I have implemented cookie based Keycloak Authentication in my Asp.net MVC with C# & Jquery application. It's WORKING FINE in LOCAL when run from Visual Studio but not working when DEPLOYED to Web Server Hosted environment.

1. Accessing the Web Server domain hosted Url, I am able to get KeyCloak Login screen as shown below.
[image001.png]

2. Enter Username & Password that are configured for a user in Keycloak server and click on 'Access'. Authentication is successful but I get error as shown in below screenshot instead of redirecting to View/Page or Action method in Controller class that has been set attribute [Authorize] and same Action method is set as default in Global.asax.cs file.
[image002.png]

Please help me to resolve this issue.

My implementation:
1. startup.cs code
[image003.png]
2.
Global.asax.cs code:
[image004.png]
3. Controller class - Action method
[image005.png]

Regards,
Mallikarjun Biradar

Kantar Disclaimer

From vaggarwal at gigsky.com Thu Oct 25 02:31:42 2018
From: vaggarwal at gigsky.com (Vivek Aggarwal)
Date: Thu, 25 Oct 2018 12:01:42 +0530
Subject: [keycloak-user] [KeyCloak] - LDAP Query
Message-ID:

Hi Team,

We've started exploring KeyCloak from Identity & Access Management perspective & intended to integrate it with various other tools like Jenkins Console, Mongo Console, Linux user administration etc.
But have related concern, currently we're unable to figure out how we can use KeyCloak as an LDAP for Linux machines, for instance can we integrate it with our Linux Machines to manage SSH users?

And related question, we've read somewhere in the community forums that KeyCloak is not meant for LDAP, well in that case how are we able to manage users for Jenkins console using KeyCloak? Currently we've successfully integrated Keycloak with Jenkins console. Is it not acting as LDAP for Jenkins console?

Kindly help in understanding the above concerns & suggest if there are any recommendations.

regards
Vivek

From testoauth55 at gmail.com Thu Oct 25 03:46:59 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 25 Oct 2018 13:16:59 +0530
Subject: [keycloak-user] Import/export realm : Getting Client secret not provided in request for imported realm
Message-ID:

I have exported realm from one keycloak server and imported into another but I keep getting below error if authorization is enabled i.e. in case of confidential client.

*failed to turn code into token*
*status from server: 400*
* {"error":"unauthorized_client","error_description":"Client secret not provided in request"}*

*I made sure my keycloak.json contains the client secret same as that under Realm->Client->Credentials. My client app is same i.e. same client app with server-1 works fine but something has been missed in export step which causes client app with server-2 to be not able to work.*

Is any additional step required for exporting?
I have tried exporting both from Admin console GUI as well as this doc (through standalone.sh) https://www.keycloak.org/docs/4.5/server_admin/index.html#_export_import

From mposolda at redhat.com Thu Oct 25 05:38:11 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 25 Oct 2018 11:38:11 +0200
Subject: [keycloak-user] [KeyCloak] - LDAP Query
In-Reply-To:
References:
Message-ID: <650dbe7b-dafc-d771-1914-2f02f1efac7d@redhat.com>

Hi,

On 25/10/18 08:31, Vivek Aggarwal wrote:
> Hi Team,
>
> We've started exploring KeyCloak from Identity & Access Management perspective & intended to integrate it with various other tools like Jenkins Console, Mongo Console, Linux user administration etc.
>
> But have related concern, currently we're unable to figure out how we can use KeyCloak as an LDAP for Linux machines, for instance can we integrate it with our Linux Machines to manage SSH users?

Keycloak itself is not an LDAP server. However Keycloak can be integrated with the LDAP server, so that Keycloak uses the LDAP server to authenticate users. With that in mind, I think you can indirectly achieve what you want. You just need to integrate Keycloak with the LDAP and configure it with editMode WRITABLE. And you will integrate the same LDAP for your linux/SSH authentication. This means that if you create a new user in Keycloak, this user will be propagated to the LDAP and so he can also authenticate to SSH/Linux through the usage of the same LDAP server that Keycloak is using.

> And related question, we've read somewhere in the community forums that KeyCloak is not meant for LDAP, well in that case how are we able to manage users for Jenkins console using KeyCloak? Currently we've successfully integrated Keycloak with Jenkins console. Is it not acting as LDAP for Jenkins console?

I guess you integrated jenkins to use Keycloak for authentication. In that case, you can either:
- Manage users just through the Keycloak console and never from jenkins console.
The updates from Keycloak will be propagated to LDAP. So this way, it will ensure that users will be able to authenticate to jenkins and jenkins will see the latest user profile info from Keycloak/LDAP.
- Manage users through Jenkins. I assume your Jenkins will write users to LDAP then. In Keycloak, you will then also see the updated user as Keycloak uses LDAP as a source of the info. However you may need to adjust caching policies on the Keycloak side due to this to see the updates on the Keycloak side immediately (see docs for more details).

So maybe I would personally prefer option 1 if possible.

Marek

> Kindly help in understanding the above concerns & suggest if there are any recommendations.
>
> regards
> Vivek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ndekefa at gmail.com Thu Oct 25 05:50:56 2018
From: ndekefa at gmail.com (Anselme Ndeke)
Date: Thu, 25 Oct 2018 11:50:56 +0200
Subject: [keycloak-user] Keycloak Docker image: unable to import a realm
Message-ID:

Hello,

It looks like the following documented docker import options are ignored:

docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
  -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak

while importing the same file using GUI works. Am I missing something?

keycloak version is 4.5.0.final

--
Regards,
Anselme

From Mattia.Bello at horsa.it Thu Oct 25 09:34:50 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Thu, 25 Oct 2018 13:34:50 +0000
Subject: [keycloak-user] Need to log in to all realms with unique admin users
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F19393@barcellona.horsa.local>

We have this situation:

master realm -> used to manage other realms
realm1, realm2, realm3, .. -> are retailers and contain companies
for each realm we have group1, group2, group3, ..
-> are companies and contain a group of users

we have to see all the retailers (realms), the companies (groups) and the users

How can I do it?
Can I create a master realm user and use it to access all the other realms?
Or do I have to replicate the admin user in the master realm into all the other realms to use it to log in to that realm?

Thanks to all

Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67 Vimodrone (MI)
Mobile (+39) 340 36 07 937
www.horsa.it

From slaskawi at redhat.com Thu Oct 25 09:59:53 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 25 Oct 2018 15:59:53 +0200
Subject: [keycloak-user] Java 11 (Docker container base)
In-Reply-To: <1d8ec6c8800f46aa82e3ba96c8951086@zoomint.com>
References: <564d3037b9974039868327e2ed2bee3d@zoomint.com> <1d8ec6c8800f46aa82e3ba96c8951086@zoomint.com>
Message-ID:

From the support perspective, Red Hat offers extended support till June 2023 [1]. Our move towards JDK11 (LTS) relies heavily on the Wildfly/EAP Team. I guess we still have plenty of time to do the switch, so I wouldn't rush things too much.

BTW, why do you need JDK11, especially in the container?

[1] https://access.redhat.com/articles/1299013

On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka wrote:
> Sorry, end of January (my fault):
> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java
> and OpenJDK will most probably start to diverge, as OpenJDK will not have
> access to Oracle repos (afaik). So the speed of security fixes will depend
> on willingness of community to fix the upcoming issues.
>
> Pavel
>
> From: Meissa M'baye Sakho
> Sent: Tuesday, October 23, 2018 11:04 AM
> To: Pavel Micka
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>
> Hello,
> Pavel, where did you get the information that the official Java 8 support
> will cease at the end of December?
> https://access.redhat.com/articles/1299013
> https://www.oracle.com/technetwork/java/javase/eol-135779.html
> Meissa
>
> On Mon, 22 Oct 2018 at 16:33, Pavel Micka <Pavel.Micka at zoomint.com> wrote:
> Hello everyone,
>
> What is the plan for Java 11 support? The point is that current versions
> of Docker containers are based on OpenJDK 8, but the official Java 8
> support will cease at the end of December. Will Keycloak use Java 11 by
> that time or will it rely on updates provided by the community?
>
> This is important to us, as Keycloak is an important part of our app security.
>
> Thanks,
>
> Pavel
>
> // I have found this ticket in Jira, but it does not provide too many
> details: https://issues.jboss.org/browse/KEYCLOAK-7811
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Thu Oct 25 10:56:10 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 25 Oct 2018 11:56:10 -0300
Subject: [keycloak-user] Keycloak Docker image: unable to import a realm
In-Reply-To:
References:
Message-ID:

You need to mount the volume like described here: https://hub.docker.com/r/jboss/keycloak/

For example:

docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
-e KEYCLOAK_IMPORT=/tmp/example-realm.json -v /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak

I hope it helps.

On Thu, Oct 25, 2018 at 6:57 AM Anselme Ndeke wrote:
> Hello,
>
> It looks like the following documented docker import options are ignored:
>
> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v
> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
>
> while importing the same file using GUI works. Am I missing something?
>
> keycloak version is 4.5.0.final
>
> --
>
> Regards,
>
> Anselme
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ndekefa at gmail.com Thu Oct 25 11:14:15 2018
From: ndekefa at gmail.com (Anselme Ndeke)
Date: Thu, 25 Oct 2018 17:14:15 +0200
Subject: [keycloak-user] Keycloak Docker image: unable to import a realm
In-Reply-To:
References:
Message-ID:

Yes, it is the command which I run. The json file can be found inside the container's tmp folder.

While creating the admin user works, I don't see any reference to KEYCLOAK_IMPORT inside the tools/docker-entrypoint.sh file.

On Thu, 25 Oct 2018 at 16:56, Bruno Oliveira wrote:
> You need to mount the volume like described here:
> https://hub.docker.com/r/jboss/keycloak/
>
> For example:
>
>
> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v
> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
>
> I hope it helps.
>
> On Thu, Oct 25, 2018 at 6:57 AM Anselme Ndeke wrote:
>
>> Hello,
>>
>> It looks like the following documented docker import options are ignored:
>>
>> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
>> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v
>> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
>>
>> while importing the same file using GUI works. Am I missing something?
>>
>> keycloak version is 4.5.0.final
>>
>> --
>>
>> Regards,
>>
>> Anselme
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
Regards,
François Anselme NDEKE

From ndekefa at gmail.com Thu Oct 25 11:42:59 2018
From: ndekefa at gmail.com (Anselme Ndeke)
Date: Thu, 25 Oct 2018 17:42:59 +0200
Subject: [keycloak-user] Keycloak Docker image: unable to import a realm
In-Reply-To:
References:
Message-ID:

Sorry, my bad. It is a feature added in 4.5.0.Final and I was using 4.4.0.Final.

On Thu, 25 Oct 2018 at 17:14, Anselme Ndeke wrote:
> Yes, it is the command which I run. The json file can be found inside the
> container's tmp folder.
>
> While creating admin user works, I don't see any reference to KEYCLOAK_IMPORT
> inside tools/docker-entrypoint.sh file.
>
> On Thu, 25 Oct 2018 at 16:56, Bruno Oliveira wrote:
>
>> You need to mount the volume like described here:
>> https://hub.docker.com/r/jboss/keycloak/
>>
>> For example:
>>
>>
>> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
>> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v
>> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
>>
>> I hope it helps.
>>
>> On Thu, Oct 25, 2018 at 6:57 AM Anselme Ndeke wrote:
>>
>>> Hello,
>>>
>>> It looks like the following documented docker import options are ignored:
>>>
>>> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD= \
>>> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v
>>> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
>>>
>>> while importing the same file using GUI works. Am I missing something?
>>>
>>> keycloak version is 4.5.0.final
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Anselme
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
> --
>
> Regards,
>
> François Anselme NDEKE
>

--
Regards,
François Anselme NDEKE

From dheeraj.madhu at gmail.com Thu Oct 25 11:47:59 2018
From: dheeraj.madhu at gmail.com (Dheeraj Joshi)
Date: Thu, 25 Oct 2018 21:17:59 +0530
Subject: [keycloak-user] Acquire access token using offline token
Message-ID:

I am working on an offline NodeJS application which will call some REST API to perform some operation. This has no web UI etc. I was checking ways to get an authentication token from keycloak using an offline token.

I can find a method to get an access token using a grant object which uses username and password.

GrantManager.prototype.obtainDirectly = function obtainDirectly (username, password, callback, scopeParam) {
  //Code
}

But I am looking for a similar method which will take an offline token and give me back an authentication token. I see that the ensureFreshness method does get an access_token for a refresh_token but it needs a grant object as an input. Or somehow can I call all const in my NodeJS file and call the nodeify method?

Kind Regards
Dheeraj Joshi

From melissa.palmer at gmail.com Thu Oct 25 13:53:28 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Thu, 25 Oct 2018 19:53:28 +0200
Subject: [keycloak-user] Advanced authorization
In-Reply-To:
References:
Message-ID:

Hi Pedro,

How do I get at the resource (and its attributes) via the JS policy?
I have tried .. but not working.
var resource = context.getResource();
var resource = $evaluation.getResource();

Thanks
Melissa

On Wed, 24 Oct 2018 at 15:56, Melissa Palmer wrote:
> Ok thank you, yes I have seen the Rest API
> hadn't really thought I needed to use the api for this.
> What you thinking
>
> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva wrote:
>
> Yeah, I think so. I need to document this ... But we also expose endpoints
> in Admin REST API which you could use to manage these permissions/policies
> from your app.
>
> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer
> wrote:
>
>> Thanks Pedro, I will take a closer look.
>> Yes I'll put the work flow in the app. But we do want to manage the
>> permissions in Keycloak,
>>
>> I tried to align with the QuickStart to explain. But it's not necessarily
>> on resource that I own with I want to do this. For example it could be
>> against adding products in an ecommerce app, or transactions for a company
>>
>> It sounds like I should rather use the non
>> UMA example to try this against. Would that be better?
>>
>> Thanks
>> Melissa
>>
>>
>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva wrote:
>>
>> Hi Melissa,
>>
>> I don't think this is very different than what we have in the quickstart
>> you mentioned.
>>
>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying to do something similar to the following:
>>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>>> includes a status attribute against it.
>>> - status such as: CREATED, APPROVED, DECLINED,
>>>
>>
>> You probably noticed that resources in Keycloak have attributes, so you
>> could set a "status" accordingly. You should be able to write JS policies
>> that can access any attribute associated with a resource.
>>
>>
>>> - a person can then be given a role that allows for permissions (via a
>>> role) such as
>>>
>>> - album:create
>>> - album:approve
>>> - album:decline
>>>
>>
>> If you have different authorization requirements for each scope, you can
>> create a scope-based permission for each scope. Otherwise, a single
>> scope-permission managing access for all of them.
>>
>>
>>>
>>> - BUT a person is not allowed to approve any albums they created
>>> themselves
>>>
>>
>> I would create a scope-permission specific for album:approve and
>> associate it with a JS policy that denies access to the resource owner
>> (considering the owner is the person that created the resource).
>>
>>
>>>
>>> Is there a keycloak-quickstarts/example I can start from?
>>> Or a recommended way I should attempt to tackle this?
>>>
>>
>> It is worth highlighting that when using UMA and, especially, the "My
>> Resources" page in the Account Service, resource owners are always allowed
>> to manage their resources. It seems you are more interested in a workflow
>> that does not really fit this functionality in particular. I think you
>> would need to manage this workflow from your app based on the permissions
>> you have in Keycloak.
>>
>>
>>>
>>> Thank You in advance,
>>> Melissa
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From corentin.dupont at gmail.com Thu Oct 25 14:27:02 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Thu, 25 Oct 2018 20:27:02 +0200
Subject: [keycloak-user] Delete user
Message-ID:

Hi guys,
I wonder if there is a way to allow a user to delete his own account from the "account management console"?
Currently I see that users can set up their details and password, but I don't see any option for deleting his account.

Thanks
Corentin

From rafaelweingartner at gmail.com Thu Oct 25 14:46:29 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 25 Oct 2018 15:46:29 -0300
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
In-Reply-To:
References:
Message-ID:

Another discovery. I changed the configuration:

> > > > >

to:

> > > > >

This change has fixed the problem.
It seems that there is a networking problem that is affecting UDP. However, I still have not figured out the root cause of the problem.

On Wed, Oct 24, 2018 at 9:39 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> Just an update.
>
> It is interesting, at least to me, but version 4.0.0.Final of Keycloak
> works just fine in the same set up. It seems that there is something that
> was changed in Keycloak 4.5.0, which is somehow sensitive to something in
> this environment. I have not been able to pinpoint it though.
>
> On Wed, Oct 24, 2018 at 12:09 PM Rafael Weingärtner <
> rafaelweingartner at gmail.com> wrote:
>
>> Thanks for the prompt reply. To answer you:
>>
>>> - Very short timeout on FD_* protocols
>>>
>> It is the standard configuration, so, this should not be a problem.
>>
>> - Faulty NIC or incorrect network level configuration in the datacenter
>>> - Network packets are cut when in transport. I've seen it with one of
>>> the hardware firewalls (don't remember which one though). Due to faulty
>>> configuration it was cutting packets to certain length causing other layers
>>> to fail miserably.
>>>
>>
>> Maybe? Well, both VMs are in the same broadcast domain, and there is no
>> firewall in-between them.
>>
>> Here go some log entries. There are some things that I do not understand
>> here. Why am I seeing multiple "keycloak-1: installing view"? Shouldn't it
>> only happen once? The same situation is happening with "created cluster
>> (first member). My view is [keycloak-1|0]".
>> >> >> >>> 2018-10-24 14:45:25,130 DEBUG [org.jgroups.protocols.UDP] >>> (ServerService Thread Pool -- 50) socket information: >>> mcast_addr=230.0.0.4:45688, bind_addr=/<>, ttl=2 >>> sock: bound to <>:55200, receive buffer >>> size=212992, send buffer size=212992 >>> mcast_sock: bound to <>:45688, send buffer >>> size=212992, receive buffer size=212992 >>> 2018-10-24 14:45:25,130 DEBUG [org.jgroups.protocols.UDP] (ServerService >>> Thread Pool -- 50) socket information: >>> mcast_addr=230.0.0.4:45688, bind_addr=/<>, ttl=2 >>> sock: bound to <>:55200, receive buffer >>> size=212992, send buffer size=212992 >>> mcast_sock: bound to <>:45688, send buffer >>> size=212992, receive buffer size=212992 >>> 2018-10-24 14:45:25,139 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (ServerService Thread Pool -- 50) address=keycloak-1, cluster=ejb, physical >>> address=<>:55200 >>> 2018-10-24 14:45:25,139 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (ServerService Thread Pool -- 50) address=keycloak-1, cluster=ejb, physical >>> address=<>:55200 >>> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.NAKACK2] >>> (ServerService Thread Pool -- 50) >>> [keycloak-1 setDigest()] >>> existing digest: [] >>> new digest: keycloak-1: [0 (0)] >>> resulting digest: keycloak-1: [0 (0)] >>> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.NAKACK2] >>> (ServerService Thread Pool -- 50) >>> [keycloak-1 setDigest()] >>> existing digest: [] >>> new digest: keycloak-1: [0 (0)] >>> resulting digest: keycloak-1: [0 (0)] >>> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (ServerService Thread Pool -- 50) keycloak-1: installing view >>> [keycloak-1|0] (1) [keycloak-1] >>> 2018-10-24 14:45:28,148 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (ServerService Thread Pool -- 50) keycloak-1: installing view >>> [keycloak-1|0] (1) [keycloak-1] >>> 2018-10-24 14:45:28,150 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (ServerService Thread Pool -- 50) resuming message 
garbage collection >>> 2018-10-24 14:45:28,150 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (ServerService Thread Pool -- 50) resuming message garbage collection >>> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (ServerService Thread Pool -- 50) resuming message garbage collection >>> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (ServerService Thread Pool -- 50) resuming message garbage collection >>> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (ServerService Thread Pool -- 50) keycloak-1: created cluster (first >>> member). My view is [keycloak-1|0], impl is >>> org.jgroups.protocols.pbcast.CoordGmsImpl >>> 2018-10-24 14:45:28,161 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (ServerService Thread Pool -- 50) keycloak-1: created cluster (first >>> member). My view is [keycloak-1|0], impl is >>> org.jgroups.protocols.pbcast.CoordGmsImpl >>> 2018-10-24 14:45:28,621 INFO >>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >>> thread 1-3) ISPN000078: Starting JGroups channel ejb >>> 2018-10-24 14:45:28,620 INFO >>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >>> thread 1-1) ISPN000078: Starting JGroups channel ejb >>> 2018-10-24 14:45:28,620 INFO >>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >>> thread 1-5) ISPN000078: Starting JGroups channel ejb >>> 2018-10-24 14:45:28,625 INFO [org.infinispan.CLUSTER] (MSC service >>> thread 1-3) ISPN000094: Received new cluster view for channel ejb: >>> [keycloak-1|0] (1) [keycloak-1] >>> >> >> >> 2018-10-24 14:48:02,138 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (thread-9,ejb,keycloak-1) suspending message garbage collection >>> 2018-10-24 14:48:02,138 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (thread-9,ejb,keycloak-1) suspending message garbage collection >>> 2018-10-24 14:48:02,139 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> 
(thread-9,ejb,keycloak-1) keycloak-1: resume task started, >>> max_suspend_time=33000 >>> 2018-10-24 14:48:02,139 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (thread-9,ejb,keycloak-1) keycloak-1: resume task started, >>> max_suspend_time=33000 >>> 2018-10-24 14:48:02,140 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (thread-9,ejb,keycloak-1) keycloak-1: installing view [keycloak-1|1] (2) >>> [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,140 DEBUG [org.jgroups.protocols.pbcast.GMS] >>> (thread-9,ejb,keycloak-1) keycloak-1: installing view [keycloak-1|1] (2) >>> [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,142 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >>> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,143 DEBUG [org.jgroups.protocols.FD_SOCK] (FD_SOCK >>> pinger-10,ejb,keycloak-1) keycloak-1: pingable_mbrs=[keycloak-1, >>> keycloak-2], ping_dest=keycloak-2 >>> 2018-10-24 14:48:02,143 DEBUG [org.jgroups.protocols.FD_SOCK] (FD_SOCK >>> pinger-10,ejb,keycloak-1) keycloak-1: pingable_mbrs=[keycloak-1, >>> keycloak-2], ping_dest=keycloak-2 >>> 2018-10-24 14:48:02,148 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >>> 2018-10-24 14:48:02,149 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >>> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,151 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >>> 2018-10-24 14:48:02,153 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >>> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,154 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >>> 2018-10-24 14:48:02,154 INFO [org.infinispan.CLUSTER] 
>>> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >>> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,155 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >>> >> >> 2018-10-24 14:48:02,155 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >>> 2018-10-24 14:48:02,156 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN000094: Received new cluster view for channel >>> ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2] >>> 2018-10-24 14:48:02,156 INFO [org.infinispan.CLUSTER] >>> (thread-9,ejb,keycloak-1) ISPN100000: Node keycloak-2 joined the cluster >>> 2018-10-24 14:48:02,194 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (thread-9,ejb,keycloak-1) resuming message garbage collection >>> 2018-10-24 14:48:02,194 DEBUG [org.jgroups.protocols.pbcast.STABLE] >>> (thread-9,ejb,keycloak-1) resuming message garbage collection >>> 2018-10-24 14:48:03,229 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t2) ISPN000310: Starting cluster-wide rebalance for >>> cache offlineSessions, topology CacheTopology{id=2, >>> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >>> currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, >>> pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, >>> keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, >>> keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>> 2018-10-24 14:48:03,231 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t2) >>> [Context=offlineSessions][Scope=keycloak-1]ISPN100002: Started rebalance >>> with topology id 2 >>> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t4) ISPN000310: Starting cluster-wide rebalance for >>> cache sessions, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >>> rebalanceId=2, 
currentCH=DefaultConsistentHash{ns=256, owners = >>> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >>> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >>> actualMembers=[keycloak-1, keycloak-2], >>> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t4) [Context=sessions][Scope=keycloak-1]ISPN100002: >>> Started rebalance with topology id 2 >>> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p12-t2) ISPN000310: Starting cluster-wide rebalance for >>> cache client-mappings, topology CacheTopology{id=2, >>> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >>> currentCH=ReplicatedConsistentHash{ns = 256, owners = (1)[keycloak-1: >>> 256]}, pendingCH=ReplicatedConsistentHash{ns = 256, owners = >>> (2)[keycloak-1: 134, keycloak-2: 122]}, unionCH=null, >>> actualMembers=[keycloak-1, keycloak-2], >>> persistentUUIDs=[f239ad45-df8a-4f17-a08b-6962b47ef073, >>> 33572709-8cca-4daa-a2fd-eee2e3fd4c17]} >>> 2018-10-24 14:48:03,243 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p12-t2) >>> [Context=client-mappings][Scope=keycloak-1]ISPN100002: Started rebalance >>> with topology id 2 >>> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t7) ISPN000310: Starting cluster-wide rebalance for >>> cache actionTokens, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >>> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >>> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >>> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >>> actualMembers=[keycloak-1, keycloak-2], >>> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t7) [Context=actionTokens][Scope=keycloak-1]ISPN100002: >>> Started 
rebalance with topology id 2 >>> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t3) ISPN000310: Starting cluster-wide rebalance for >>> cache loginFailures, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >>> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >>> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >>> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >>> actualMembers=[keycloak-1, keycloak-2], >>> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>> >> >> 2018-10-24 14:48:03,271 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t2) >>> [Context=offlineSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>> finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t6) ISPN000310: Starting cluster-wide rebalance for >>> cache offlineClientSessions, topology CacheTopology{id=2, >>> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >>> currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, >>> pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, >>> keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, >>> keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>> 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] >>> (remote-thread--p16-t6) >>> [Context=offlineClientSessions][Scope=keycloak-1]ISPN100002: Started >>> rebalance with topology id 2 >>> 2018-10-24 14:48:03,278 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t3) [Context=sessions][Scope=keycloak-1]ISPN100003: >>> Node keycloak-1 finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,293 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t8) >>> [Context=actionTokens][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>> finished rebalance phase with topology id 
2 >>> 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t4) >>> [Context=clientSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>> finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t9) >>> [Context=loginFailures][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>> finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t18) >>> [Context=authenticationSessions][Scope=keycloak-1]ISPN100003: Node >>> keycloak-1 finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t18) [Context=work][Scope=keycloak-1]ISPN100003: >>> Node keycloak-1 finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p18-t23) >>> [Context=offlineClientSessions][Scope=keycloak-1]ISPN100003: Node >>> keycloak-1 finished rebalance phase with topology id 2 >>> 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] >>> (transport-thread--p20-t8) >>> [Context=client-mappings][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>> finished rebalance phase with topology id 2 >>> 2018-10-24 14:49:02,158 WARN >>> [org.infinispan.topology.ClusterTopologyManagerImpl] >>> (transport-thread--p19-t2) ISPN000197: Error updating cluster member list: >>> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out >>> waiting for responses for request 1 from keycloak-2 >>> at >>> org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) >>> at >>> org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) >>> at >>> org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> at >>> 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>> at
>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>> at
>>>
>>
>>
>>
>> On Wed, Oct 24, 2018 at 10:29 AM Sebastian Laskawiec
>> wrote:
>>
>>> The new view log messages look a bit weird. It seems that JGroups
>>> installed a new view every 1 ms, which is very unusual. There are three
>>> scenarios where this may happen (at least that I can think of from the top of
>>> my head):
>>> - Very short timeout on FD_* protocols
>>> - Faulty NIC or incorrect network level configuration in the datacenter
>>> - Network packets are cut when in transport. I've seen it with one of
>>> the hardware firewalls (don't remember which one though). Due to faulty
>>> configuration it was cutting packets to certain length causing other layers
>>> to fail miserably.
>>>
>>> Perhaps you could set the logging level to DEBUG on org.jgroups package
>>> and check if there's anything interesting there?
>>>
>>> On Wed, Oct 24, 2018 at 3:11 PM Rafael Weingärtner <
>>> rafaelweingartner at gmail.com> wrote:
>>>
>>>> Hello Keycloakers,
>>>> I am having some problems with Keycloak 4.5.0. I basically have set up
>>>> two
>>>> nodes, and they see each other. I am using MPING (the default
>>>> configuration). The nodes are called "Keycloak-1" and "Keycloak-2". In
>>>> front of these Keycloak nodes I have an HTTPD, which is using AJP to
>>>> connect and load balance them.
>>>> >>>> When the second server starts I can see: >>>> >>>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service >>>> thread >>>> > 1-5) ISPN000094: Received new cluster view for channel ejb: >>>> [keycloak-1|1] >>>> > (2) [keycloak-1, keycloak-2] >>>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service >>>> thread >>>> > 1-2) ISPN000094: Received new cluster view for channel ejb: >>>> [keycloak-1|1] >>>> > (2) [keycloak-1, keycloak-2] >>>> > 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service >>>> thread >>>> > 1-3) ISPN000094: Received new cluster view for channel ejb: >>>> [keycloak-1|1] >>>> > (2) [keycloak-1, keycloak-2] >>>> > 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service >>>> thread >>>> > 1-8) ISPN000094: Received new cluster view for channel ejb: >>>> [keycloak-1|1] >>>> > (2) [keycloak-1, keycloak-2] >>>> > 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service >>>> thread >>>> > 1-7) ISPN000094: Received new cluster view for channel ejb: >>>> [keycloak-1|1] >>>> > (2) [keycloak-1, keycloak-2] >>>> > >>>> >>>> So, they are seeing/reaching each other. The problem happens when I try >>>> to >>>> login. 
I then get the following: >>>> >>>> > MSC000001: Failed to start service >>>> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: >>>> > org.jboss.msc.service.StartException in service >>>> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: >>>> > org.infinispan.commons.CacheException: Unable to invoke method public >>>> void >>>> > >>>> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >>>> > throws java.lang.Exception on object of type StateTransferManagerImpl >>>> > >>>> >>>> And errors like: >>>> >>>> > Suppressed: java.util.concurrent.ExecutionException: >>>> > org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out >>>> > waiting for responses for request 2 from keycloak-2 >>>> > >>>> >>>> 018-10-24 12:55:48,990 ERROR >>>> [org.jboss.as.controller.management-operation] >>>> > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - >>>> address: ([ >>>> > ("subsystem" => "infinispan"), >>>> > ("cache-container" => "ejb"), >>>> > ("thread-pool" => "transport") >>>> > ]) - failure description: { >>>> > "WFLYCTL0080: Failed services" => >>>> > {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" => >>>> > "org.infinispan.commons.CacheException: Unable to invoke method >>>> public void >>>> > >>>> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >>>> > throws java.lang.Exception on object of type StateTransferManagerImpl >>>> > Caused by: org.infinispan.commons.CacheException: Unable to invoke >>>> > method public void >>>> > >>>> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() >>>> > throws java.lang.Exception on object of type StateTransferManagerImpl >>>> > Caused by: org.infinispan.commons.CacheException: Initial state >>>> > transfer timed out for cache client-mappings on keycloak-2"}, >>>> > "WFLYCTL0288: One or more services were unable to start due to >>>> one 
or >>>> > more indirect dependencies not being available." => { >>>> > "Services that were unable to start:" => >>>> > ["org.wildfly.clustering.cache.group.ejb.client-mappings"], >>>> > "Services that may be the cause:" => [ >>>> > "jboss.clustering.web.route.default-server", >>>> > "jboss.deployment.discovery.\"keycloak-server.war\"", >>>> > "jboss.ejb.association", >>>> > "jboss.ejb.remoting.connector.client-mappings", >>>> > "jboss.iiop-openjdk.poa-service.rootpoa", >>>> > >>>> >>>> >>>> I am quite puzzled, there are no ports being blocked, and the system >>>> has no >>>> load at all. Why would this timeout happen? >>>> >>>> -- >>>> Rafael Weingärtner >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> >> -- >> Rafael Weingärtner >> > > > -- > Rafael Weingärtner > -- Rafael Weingärtner

From dt at acutus.pro Thu Oct 25 15:00:19 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 25 Oct 2018 22:00:19 +0300 Subject: [keycloak-user] Delete user In-Reply-To: References: Message-ID: <1540494019.5566.7.camel@acutus.pro>
Hello Corentin, See discussion [1] and JIRA issue [2]. Long story short, this is not OOTB now, but I think it could be implemented as an add-on, using a custom REST endpoint and the new generation management console aka "account2". [1] http://lists.jboss.org/pipermail/keycloak-user/2018-August/015194.html [2] https://issues.jboss.org/browse/KEYCLOAK-953 Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Thu, 2018-10-25 at 20:27 +0200, Corentin Dupont wrote: > Hi guys, > I wonder if there is a way to allow a user to delete his own account from > the "account management console"?
> Currently I see that users can set up their details and password, but I > don't see any option for deleting his account. > > Thanks > Corentin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Thu Oct 25 15:12:17 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 25 Oct 2018 16:12:17 -0300 Subject: [keycloak-user] Advanced authorization In-Reply-To: References: Message-ID:
You can check both the Evaluation API[1] and JS Policy[2] documentation. I'll update docs with some examples of fetching resources/scopes and attributes from JS policies, meanwhile here it is:
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();
For more information about methods that you can use to fetch attributes, check https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c683c134c2/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java#L157 . Regards. Pedro Igor [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_api [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#examples On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer wrote: > > Hi Pedro, > > How do I get at the resource (and its attributes) via the JS policy? > I have tried .. but not working. > var resource = context.getResource(); > var resource = $evaluation.getResource(); > > Thanks > Melissa > > > > On Wed, 24 Oct 2018 at 15:56, Melissa Palmer > wrote: > >> Ok thank you, yes I have seen the Rest API >> hadn't really thought I needed to use the api for this. What you thinking >> >> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva wrote: >> >> Yeah, I think so. I need to document this ...
But we also expose >> endpoints in Admin REST API which you could use to manage these >> permissions/policies from your app. >> >> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer >> wrote: >> >>> Thanks Pedro, I will take a closer look. >>> Yes I'll put the work flow in the app. But we do want to manage the >>> permissions in KEy, >>> >>> I tried to align with the QuickStart to explain. But it's not >>> necessarily on resource that I own with I want to do this. For example it >>> could be against adding products in an ecommerce app, or transactions for >>> a company >>> >>> It sounds like I should rather use the non >>> UMA example to try this against. Would that be better? >>> >>> Thanks >>> Melissa >>> >>> >>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva wrote: >>> >>> Hi Melissa, >>> >>> I don't think this is very different than what we have in the quickstart >>> you mentioned. >>> >>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer >>> wrote: >>> >>>> Hi, >>>> >>>> I am trying to do something similar to the following: >>>> - have a resource (say album) in app-authz-uma-photoz quickstart that >>>> includes a status attribute against it. >>>> - status such as: CREATED, APPROVED, DECLINED, >>>> >>> >>> You probably noticed that resources in Keycloak have attributes, so you >>> could set a "status" accordingly. You should be able to write JS policies >>> that can access any attribute associated with a resource. >>> >>> >>>> - a person can then be given a role that allows for permissions (via a >>>> role) such as >>>> >>>> - album:create >>>> - album:approve >>>> - album:decline >>>> >>> >>> If you have different authorization requirements for each scope, you can >>> create a scope-based permission for each scope. Otherwise, a single >>> scope-permission managing access for all of them.
>>> >>> >>>> >>>> - BUT a person is not allowed to approve any albums they created >>>> themselves >>>> >>> >>> I would create a scope-permission specific for album:approve and >>> associate it with a JS policy that denies access to the resource owner >>> (considering the owner is the person that created the resource). >>> >>> >>>> >>>> Is there a keycloak-quickstarts/example I can start from? >>>> Or a recommended way I should attempt to tackle this? >>>> >>> >>> It is worth highlighting that when using UMA and, especially, the "My >>> Resources" page in the Account Service, resource owners are always allowed >>> to manage their resources. It seems you are more interested in a workflow >>> that does not really fit this functionality in particular. I think you >>> would need to manage this workflow from your app based on the permissions >>> you have in Keycloak. >>> >>> >>>> >>>> Thank You in advance, >>>> Melissa >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>

From dt at acutus.pro Thu Oct 25 16:07:42 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 25 Oct 2018 23:07:42 +0300 Subject: [keycloak-user] Need to log in to all realms with unique admin users In-Reply-To: <92E1246EF925084F978BEEDBCF3711F10275F19393@barcellona.horsa.local> References: <92E1246EF925084F978BEEDBCF3711F10275F19393@barcellona.horsa.local> Message-ID: <1540498062.5566.9.camel@acutus.pro>
Hello Mattia, answers inline, On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote: > We have this situation: > > master realm -> used to manage other realms > > realm1, realm2, realm3, .. -> are retailers and contain companies > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users > > we have to see all the retailers (realms), the companies (groups) and the users > > How can I do it?
> > Can I create a master realm user and use it to access all the other realms? Yes you can. In fact, there is already such a user - it's admin that you've created on the first run. If you want more users with such access in master realm, grant them "admin" realm role. If you look into "admin" role details, you'll see that it automatically includes all the client roles of *-realm clients, that's how it works under the hood. If you don't want to grant that powerful admin role, go to user -> Role mappings and assign the necessary client roles from the *-realm clients. The user will get access to the admin functions for that realm(s). > > Or I have to replicate the admin user in master realm into all other realm to use it to log in in that realm? This is possible too. Create a user in the target realm, go to Role mappings and assign the necessary roles from the realm-management client. Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro > > Thanks to all > > > > Mattia Bello > Developer > > > [Description: cid:image001.jpg at 01CEB308.188717E0] > Horsa S.p.A. > Via Cadorna, 67 > Vimodrone (MI) > Mobile (+39) 340 36 07 937 > www.horsa.it; > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From Mattia.Bello at horsa.it Thu Oct 25 17:01:48 2018 From: Mattia.Bello at horsa.it (Mattia Bello) Date: Thu, 25 Oct 2018 21:01:48 +0000 Subject: [keycloak-user] Need to log in to all realms with unique admin users In-Reply-To: <1540498062.5566.9.camel@acutus.pro> References: <92E1246EF925084F978BEEDBCF3711F10275F19393@barcellona.horsa.local>, <1540498062.5566.9.camel@acutus.pro> Message-ID:
Sorry, I probably did not explain well. I have a client application that is accessible from all realms.
I would like a master realm user to be able to access the client application of each realm, without creating users in each realm. I tried this, but when I log in to the client application with the user created in the master realm, the login fails because it says that the user does not exist. Reading the documentation, it is explained that the users created in the master realm are used to manage the realms as admin, so you can create new realms and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in the realms. Is it possible to access the clients of the various realms with the master realm users, without duplicating them in every realm, or not? Thank you Get Outlook for Android On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin"
> wrote: Hello Mattia, answers inline, On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote: > We have this situation: > > master realm -> used to manage other realms > > realm1, realm2, realm3, .. -> are retailers and contain companies > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users > > we have to see all the retailers (realms), the companies (groups) and the users > > How can I do it? > > Can I create a master realm user and use it to access all the other realms? Yes you can. In fact, there is already such a user - it's admin that you've created on the first run. If you want more users with such access in master realm, grant them "admin" realm role. If you look into "admin" role details, you'll see that it automatically includes all the client roles of *-realm clients, that's how it works under the hood. If you don't want to grant that powerful admin role, go to user -> Role mappings and assign the necessary client roles from the *-realm clients. The user will get access to the admin functions for that realm(s). > > Or I have to replicate the admin user in master realm into all other realm to use it to log in in that realm? This is possible too. Create a user in the target realm, go to Role mappings and assign the necessary roles from the realm-management client. Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro > > Thanks to all > > > > Mattia Bello > Developer > > > [Description: cid:image001.jpg at 01CEB308.188717E0] > Horsa S.p.A.
> Via Cadorna, 67 > Vimodrone (MI) > Mobile (+39) 340 36 07 937 > https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it&e=ab6f9afd&h=772f26c6&f=n&p=y < https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it%2F&e=ab6f9afd&h=af419ba9&f=n&p=y >; > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://urlsand.esvalabs.com/?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&e=ab6f9afd&h=a4102473&f=n&p=y

From dt at acutus.pro Thu Oct 25 21:29:04 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 26 Oct 2018 04:29:04 +0300 Subject: [keycloak-user] Need to log in to all realms with unique admin users In-Reply-To: References: <92E1246EF925084F978BEEDBCF3711F10275F19393@barcellona.horsa.local> ,<1540498062.5566.9.camel@acutus.pro> Message-ID: <1540517344.26050.1.camel@acutus.pro>
Mattia, Thanks for your explanation, the problem is clear now. I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials. If you're ok with this additional step, this could be an easy solution. [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker Dmitry On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote: > Sorry, > I probably did not explain well. > I have a client application that is accessible from all realms. > I would like with a realm master user to be able to access the client application of each realm, without creating users on each realm. > I tried this but when I log in to the client application with the user created in the realm master the log in fails because it says that the user does not exist.
> Reading the documentation it is explained that the users created in the realm master are used to manage the realm as admin, so you can create new realm and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in realms. > Is it possible to access to clients of the various realms with the realm master users, without duplicating them in every realm, or not? > Thank you > > Get Outlook for Android > > > > > On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin"
wrote: > > > Hello Mattia, answers inline, > > > > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote: > > > We have this situation: > > > > > > master realm -> used to manage other realms > > > > > > realm1, realm2, realm3, .. -> are retailers and contain companies > > > > > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users > > > > > > we have to see all the retailers (realms), the companies (groups) and the users > > > > > > How can I do it? > > > > > > Can I create a master realm user and use it to access all the other realms? > > > > Yes you can. In fact, there is already such a user - it's admin that > > you've created on the first run. If you want more users with such > > access in master realm, grant them "admin" realm role. If you look into > > "admin" role details, you'll see that it automatically includes all the > > client roles of *-realm clients, that's how it works under the hood. > > > > If you don't want to grant that powerful admin role, go to user -> Role > > mappings and assign the necessary client roles from the *-realm > > clients. The user will get access to the admin functions for that realm(s). > > > > > > > > Or I have to replicate the admin user in master realm into all other realm to use it to log in in that realm? > > > > This is possible too. Create a user in the target realm, go to Role > > mappings and assign the necessary roles from the realm-management > > client. > > > > Good luck, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > > > > > Thanks to all > > > > > > > > > > > > Mattia Bello > > > Developer > > > > > > > > > [Description: cid:image001.jpg at 01CEB308.188717E0] > > > Horsa S.p.A.
> > > Via Cadorna, 67 > > > Vimodrone (MI) > > > Mobile (+39) 340 36 07 937 > > > https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it&e=ab6f9afd&h=772f26c6&f=n&p=y < https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it%2F&e=ab6f9afd&h=af419ba9&f=n&p=y >; > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://urlsand.esvalabs.com/?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&e=ab6f9afd&h=a4102473&f=n&p=y > >

From melissa.palmer at gmail.com Fri Oct 26 02:21:26 2018 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Fri, 26 Oct 2018 08:21:26 +0200 Subject: [keycloak-user] Advanced authorization In-Reply-To: References: Message-ID:
Thanks Pedro I had figured that out before your email and tried it, unfortunately I am always getting a null for the resource, any pointers on that one? - I don't know how to debug this, any pointers [image: image.png]
*CODE in JS PERMISSION*
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();
var anotherStatus = attributes.getValue('status');
if (anotherStatus.equals('APPROVED')) { $evaluation.grant(); }
*ERROR* Caused by: java.lang.RuntimeException: Error evaluating JS Policy [Album Resource status.APPROVED].
at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:56) at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51) at java.lang.Iterable.forEach(Iterable.java:75) at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080) at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43) at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52) at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107) at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:939) at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:863) at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:390) at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:75) at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:59) ... 75 more Caused by: java.lang.RuntimeException: javax.script.ScriptException: TypeError: null is not a function in at line number 5 at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:47) at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:53) ... 
86 more Caused by: javax.script.ScriptException: TypeError: null is not a function in at line number 5 at jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:467) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:423) at jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73) at jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:511) at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:45) ... 87 more Caused by: :5 TypeError: null is not a function at jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57) at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:213) at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:185) at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:172) at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.linkNull(NashornBottomLinker.java:177) at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.getGuardedInvocation(NashornBottomLinker.java:66) at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124) at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154) at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253) at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(:5) at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637) at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494) at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:418) ... 90 more On Thu, 25 Oct 2018 at 21:12, Pedro Igor Silva wrote: > You can check both the Evaluation API[1] and JS Policy[2] documentation. 
> I'll update docs with some examples of fetching resources/scopes and > attributes from JS policies, meanwhile here it is: > > var permission = $evaluation.getPermission(); > var resource = permission.getResource(); > var attributes = resource.getAttributes(); > > For more information about methods that you can use to fetch attributes, > check > https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c683c134c2/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java#L157 > . > > Regards. > Pedro Igor > > [1] > https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_api > [2] > https://www.keycloak.org/docs/latest/authorization_services/index.html#examples > > On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer > wrote: > >> >> Hi Pedro, >> >> How do I get at the resource (and its attributes) via the JS policy? >> I have tried .. but not working. >> var resource = context.getResource(); >> var resource = $evaluation.getResource(); >> >> Thanks >> Melissa >> >> >> >> On Wed, 24 Oct 2018 at 15:56, Melissa Palmer >> wrote: >> >>> Ok thank you, yes I have seen the Rest API >>> hadn't really thought I needed to use the api for this. What you >>> thinking >>> >>> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva wrote: >>> >>> Yeah, I think so. I need to document this ... But we also expose >>> endpoints in Admin REST API which you could use to manage these >>> permissions/policies from your app. >>> >>> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer < >>> melissa.palmer at gmail.com> wrote: >>> >>>> Thanks Pedro, I will take a closer look. >>>> Yes I'll put the work flow in the app. But we do want to manage the >>>> permissions in KEy, >>>> >>>> I tried to align with the QuickStart to explain. But it's not >>>> necessarily on resource that I own with I want to do this.
For example it >>>> could be against adding products in an ecommerce app, or transactions for >>>> a company >>>> >>>> It sounds like I should rather use the non >>>> UMA example to try this against. Would that be better? >>>> >>>> Thanks >>>> Melissa >>>> >>>> >>>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva wrote: >>>> >>>> Hi Melissa, >>>> >>>> I don't think this is very different than what we have in the >>>> quickstart you mentioned. >>>> >>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer < >>>> melissa.palmer at gmail.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> I am trying to do something similar to the following: >>>>> - have a resource (say album) in app-authz-uma-photoz quickstart that >>>>> includes a status attribute against it. >>>>> - status such as: CREATED, APPROVED, DECLINED, >>>>> >>>> >>>> You probably noticed that resources in Keycloak have attributes, so you >>>> could set a "status" accordingly. You should be able to write JS policies >>>> that can access any attribute associated with a resource. >>>> >>>> >>>>> - a person can then be given a role that allows for permissions (via a >>>>> role) such as >>>>> >>>>> - album:create >>>>> - album:approve >>>>> - album:decline >>>>> >>>> >>>> If you have different authorization requirements for each scope, you >>>> can create a scope-based permission for each scope. Otherwise, a single >>>> scope-permission managing access for all of them. >>>> >>>> >>>>> >>>>> - BUT a person is not allowed to approve any albums they created >>>>> themselves >>>>> >>>> >>>> I would create a scope-permission specific for album:approve and >>>> associate it with a JS policy that denies access to the resource owner >>>> (considering the owner is the person that created the resource). >>>> >>>> >>>>> >>>>> Is there a keycloak-quickstarts/example I can start from? >>>>> Or a recommended way I should attempt to tackle this?
>>>>> >>>> >>>> It is worth highlighting that when using UMA and, especially, the "My >>>> Resources" page in the Account Service, resource owners are always allowed >>>> to manage their resources. It seems you are more interested in a workflow >>>> that does not really fit this functionality in particular. I think you >>>> would need to manage this workflow from your app based on the permissions >>>> you have in Keycloak. >>>> >>>> >>>>> >>>>> Thank You in advance, >>>>> Melissa >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>
-------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 52669 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181026/ab364010/attachment-0001.png

From melissa.palmer at gmail.com Fri Oct 26 04:13:15 2018 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Fri, 26 Oct 2018 10:13:15 +0200 Subject: [keycloak-user] Advanced authorization In-Reply-To: References: Message-ID:
Ok, I figured it out, it needs to be:
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();
var anotherStatus = attributes.get('status');
On Fri, 26 Oct 2018 at 08:21, Melissa Palmer wrote: > Thanks Pedro > > I had figured that out before your email and tried it, unfortunately I am > always getting a null for the resource, any pointers on that one?
> - I don't know how to debug this, any pointers > > [image: image.png] > > *CODE in JS PERMISSION* > var permission = $evaluation.getPermission(); > var resource = permission.getResource(); > var attributes = resource.getAttributes(); > > var anotherStatus = attributes.getValue('status'); > > if (anotherStatus.equals('APPROVED')) { > $evaluation.grant(); > } > > > *ERROR* > Caused by: java.lang.RuntimeException: Error evaluating JS Policy [Album > Resource status.APPROVED]. > at > org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:56) > at > org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51) > at java.lang.Iterable.forEach(Iterable.java:75) > at > java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080) > at > org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43) > at > org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52) > at > org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107) > at > org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:939) > at > org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:863) > at > org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:390) > at > org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:75) > at > org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:59) > ...
75 more > Caused by: java.lang.RuntimeException: javax.script.ScriptException: > TypeError: null is not a function in at line number 5 > at > org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:47) > at > org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:53) > ... 86 more > Caused by: javax.script.ScriptException: TypeError: null is not a function > in at line number 5 > at > jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:467) > at > jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:423) > at > jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73) > at > jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:511) > at > org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:45) > ... 87 more > Caused by: :5 TypeError: null is not a function > at > jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57) > at > jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:213) > at > jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:185) > at > jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:172) > at > jdk.nashorn.internal.runtime.linker.NashornBottomLinker.linkNull(NashornBottomLinker.java:177) > at > jdk.nashorn.internal.runtime.linker.NashornBottomLinker.getGuardedInvocation(NashornBottomLinker.java:66) > at > jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124) > at > jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154) > at > jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253) > at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(:5) > at > 
jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637) > at > jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494) > at > jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393) > at > jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:418) > ... 90 more > > On Thu, 25 Oct 2018 at 21:12, Pedro Igor Silva wrote: > >> You can check both the Evaluation API[1] and JS Policy[2] documentation. >> I'll update docs with some examples of fetching resources/scopes and >> attributes from JS policies, meanwhile here it is: >> >> var permission = $evaluation.getPermission(); >> var resource = permission.getResource(); >> var attributes = resource.getAttributes(); >> >> For more information about methods that you can use to fetch attributes, >> check >> https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c683c134c2/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java#L157 >> . >> >> Regards. >> Pedro Igor >> >> [1] >> https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_api >> [2] >> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples >> >> On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer >> wrote: >> >>> >>> Hi Pedro, >>> >>> How do I get at the resource (and its attributes) via the JS policy? >>> I have tried .. but not working. >>> var resource = context.getResource(); >>> var resource = $evaluation.getResource(); >>> >>> Thanks >>> Melissa >>> >>> >>> >>> On Wed, 24 Oct 2018 at 15:56, Melissa Palmer >>> wrote: >>> >>>> Ok thank you, yes I have seen the Rest API >>>> hadn't really thought I needed to use the api for this. What you >>>> thinking >>>> >>>> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva wrote: >>>> >>>> Yeah, I think so. I need to document this ...
But we also expose >>>> endpoints in Admin REST API which you could use to manage these >>>> permissions/policies from your app. >>>> >>>> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer < >>>> melissa.palmer at gmail.com> wrote: >>>> >>>>> Thanks Pedro, I will take a closer look. >>>>> Yes I?ll put the work flow in the app. But we do want to manage the >>>>> permissions in KEy, >>>>> >>>>> I tried to align with the QuickStart ti explain. But it?s not >>>>> necessarily on resource that I own with I want to do this. For example it >>>>> could be against adding products in and ecommerce app, or transactions for >>>>> a company >>>>> >>>>> It sounds like I should rather use the non >>>>> UMA example to try this against. Would that be better? >>>>> >>>>> Thanks >>>>> Melissa >>>>> >>>>> >>>>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>> Hi Melissa, >>>>> >>>>> I don't think this is very different than what we have in the >>>>> quickstart you mentioned. >>>>> >>>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer < >>>>> melissa.palmer at gmail.com> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> I am trying to do something similar to the following: >>>>>> - have a resource (say album) in app-authz-uma-photoz quickstart that >>>>>> includes a status attribute against it. >>>>>> - status such as: CREATED, APPROVED, DECLINED, >>>>>> >>>>> >>>>> You probably noticed that resources in Keycloak have attributes, so >>>>> you could set a "status" accordingly. You should be able to write JS >>>>> policies that can access any attribute associated with a resource. >>>>> >>>>> >>>>>> - a person can then be given a role that allows for permissions (via a >>>>>> role) such as >>>>>> >>>>>> - album:create >>>>>> - album:approve >>>>>> - album:decline >>>>>> >>>>> >>>>> If you have different authorization requirements for each scope, you >>>>> can create a scope-based permission for each scope. Otherwise, a single >>>>> scope-permission managing access for all of them. 
>>>>> >>>>> >>>>>> >>>>>> - BUT a person is not allowed to approve any albums they created >>>>>> themselves >>>>>> >>>>> >>>>> I would create a scope-permission specific for album:approve and >>>>> associate it with a JS policy that deny access to the the resource owner >>>>> (considering the owner is the person that created the resource). >>>>> >>>>> >>>>>> >>>>>> Is there a keycloak-quickstarts/example I can start from? >>>>>> Or a recommended way I should attempt to tackle this? >>>>>> >>>>> >>>>> It is worthy to highlight that when using UMA and, specially, the "My >>>>> Resources" page in the Account Service, resource owners are always allowed >>>>> to manage their resources. It seems you are more interested in a worflow >>>>> that does not really fit this functionality in particular. I think you >>>>> would need to manage this workflow from your app based on the permissions >>>>> you have in Keycloak. >>>>> >>>>> >>>>>> >>>>>> Thank You in advance, >>>>>> Melissa >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 52669 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181026/17f6deeb/attachment-0001.png From melissa.palmer at gmail.com Fri Oct 26 05:11:13 2018 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Fri, 26 Oct 2018 11:11:13 +0200 Subject: [keycloak-user] Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope? Message-ID: Hi, *Is it possible to explain the difference between "Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope" more detail? 
I know there is the description here:
https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles

From that I get:
- Groups should focus on collections of users and their roles in your organization (use groups to manage users).
- Use composite roles to manage applications and services.
- BUT previously it said "Roles define a type of user and applications assign permission and access control to roles" & I don't see where you should maintain "access control to roles".

In other examples I see scopes being used for access control:
- album:view
- album:delete

Some more explanation on these different concepts would be greatly appreciated.

Thank You in Advance
Melissa

From slaskawi at redhat.com Fri Oct 26 08:01:53 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Fri, 26 Oct 2018 14:01:53 +0200
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
In-Reply-To:
References:
Message-ID:

It's absolutely fine to stick with TCP. For small clusters (a finger in
the air guesstimate - < 10 nodes) you should see no performance difference.

For some reason UDP is very sensitive to underlying OS configuration. So I
would advise just sticking with TCP.

On Thu, Oct 25, 2018 at 8:47 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:

> Another discovery.
> I changed the configuration:
>
>>
>>
>
> to:
>
>>
>>
>
> This change has fixed the problem. It seems that there is a networking
> problem that is affecting UDP. However, I still have not figured out the
> root cause of the problem though.
>
> On Wed, Oct 24, 2018 at 9:39 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>
>> Just an update.
>>
>> It is interesting, at least to me, but version 4.0.0.Final of Keycloak
>> works just fine in the same set up. It seems that there is something that
>> was changed in Keycloak 4.5.0, which is somehow sensitive to something in
>> this environment.
>> I have not been able to pinpoint it though.
>>
>> On Wed, Oct 24, 2018 at 12:09 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>
>>> Thanks for the prompt reply. To answer you:
>>>
>>>> - Very short timeout on FD_* protocols
>>>
>>> It is the standard configuration, so, this should not be a problem.
>>>
>>>> - Faulty NIC or incorrect network level configuration in the datacenter
>>>> - Network packets are cut when in transport. I've seen it with one of
>>>> the hardware firewalls (don't remember which one though). Due to faulty
>>>> configuration it was cutting packets to certain length causing other layers
>>>> to fail miserably.
>>>
>>> Maybe? Well, both VMs are in the same broadcast domain, and there is no
>>> firewall in-between them.
>>>
>>> Here go some log entries. There are some things that I do not understand
>>> here. Why am I seeing multiple "keycloak-1: installing view"? Shouldn't it
>>> only happen once? The same situation is happening with "created cluster
>>> (first member). My view is [keycloak-1|0]".
>>>
>>> On Wed, Oct 24, 2018 at 10:29 AM Sebastian Laskawiec <slaskawi at redhat.com> wrote:
>>>
>>>> The new view log messages look a bit weird. It seems that JGroups
>>>> installed a new view every 1 ms, which is very unusual. There are three
>>>> scenarios where this may happen (at least that I can think of from the top of
>>>> my head):
>>>> - Very short timeout on FD_* protocols
>>>> - Faulty NIC or incorrect network level configuration in the datacenter
>>>> - Network packets are cut when in transport. I've seen it with one of
>>>> the hardware firewalls (don't remember which one though). Due to faulty
>>>> configuration it was cutting packets to certain length causing other layers
>>>> to fail miserably.
>>>>
>>>> Perhaps you could set the logging level to DEBUG on org.jgroups package
>>>> and check if there's anything interesting there?
>>>>
>>>> On Wed, Oct 24, 2018 at 3:11 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>>
>>>>> Hello Keycloakers,
>>>>> I am having some problems with Keycloak 4.5.0. I basically have set up two
>>>>> nodes, and they see each other. I am using MPING (the default
>>>>> configuration). The nodes are called "Keycloak-1" and "Keycloak-2".
>>>>> In front of these Keycloak nodes I have an HTTPD, which is using AJP to
>>>>> connect and load balance them.
>>>>>
>>>>> When the second server starts I can see:
>>>>>
>>>>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>> > 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>> > 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service thread 1-8) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>> > 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>>
>>>>> So, they are seeing/reaching each other. The problem happens when I try to
>>>>> login. I then get the following:
>>>>>
>>>>> > MSC000001: Failed to start service
>>>>> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures:
>>>>> > org.jboss.msc.service.StartException in service
>>>>> > org.wildfly.clustering.infinispan.cache.keycloak.loginFailures:
>>>>> > org.infinispan.commons.CacheException: Unable to invoke method public void
>>>>> > org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
>>>>> > throws java.lang.Exception on object of type StateTransferManagerImpl
>>>>>
>>>>> And errors like:
>>>>>
>>>>> > Suppressed: java.util.concurrent.ExecutionException:
>>>>> > org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
>>>>> > waiting for responses for request 2 from keycloak-2
>>>>>
>>>>> > 2018-10-24 12:55:48,990 ERROR [org.jboss.as.controller.management-operation]
>>>>> > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>>>>> >     ("subsystem" => "infinispan"),
>>>>> >     ("cache-container" => "ejb"),
>>>>> >     ("thread-pool" => "transport")
>>>>> > ]) - failure description: {
>>>>> >     "WFLYCTL0080: Failed services" =>
>>>>> >         {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" =>
>>>>> >         "org.infinispan.commons.CacheException: Unable to invoke method public void
>>>>> > org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
>>>>> > throws java.lang.Exception on object of type StateTransferManagerImpl
>>>>> >     Caused by: org.infinispan.commons.CacheException: Unable to invoke
>>>>> > method public void
>>>>> > org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
>>>>> > throws java.lang.Exception on object of type StateTransferManagerImpl
>>>>> >     Caused by: org.infinispan.commons.CacheException: Initial state
>>>>> > transfer timed out for cache client-mappings on keycloak-2"},
>>>>> >     "WFLYCTL0288: One
>>>>> > or more services were unable to start due to one or
>>>>> > more indirect dependencies not being available." => {
>>>>> >     "Services that were unable to start:" =>
>>>>> >         ["org.wildfly.clustering.cache.group.ejb.client-mappings"],
>>>>> >     "Services that may be the cause:" => [
>>>>> >         "jboss.clustering.web.route.default-server",
>>>>> >         "jboss.deployment.discovery.\"keycloak-server.war\"",
>>>>> >         "jboss.ejb.association",
>>>>> >         "jboss.ejb.remoting.connector.client-mappings",
>>>>> >         "jboss.iiop-openjdk.poa-service.rootpoa",
>>>>> >
>>>>>
>>>>> I am quite puzzled, there are no ports being blocked, and the system has no
>>>>> load at all. Why would this timeout happen?
>>>>>
>>>>> --
>>>>> Rafael Weingärtner
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Rafael Weingärtner
>>
>> --
>> Rafael Weingärtner
>
> --
> Rafael Weingärtner

From rafaelweingartner at gmail.com Fri Oct 26 08:07:11 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 26 Oct 2018 09:07:11 -0300
Subject: [keycloak-user] Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
In-Reply-To:
References:
Message-ID:

That is what we will do for now. Thanks for the help!

On Fri, Oct 26, 2018 at 9:02 AM Sebastian Laskawiec wrote:

> It's absolutely fine to stick with TCP. For small clusters (a finger in
> the air guesstimate - < 10 nodes) you should see no performance difference.
>
> For some reason UDP is very sensitive to underlying OS configuration. So I
> would advise just sticking with TCP.
Started rebalance >>>>> with topology id 2 >>>>> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t4) ISPN000310: Starting cluster-wide rebalance for >>>>> cache sessions, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >>>>> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >>>>> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >>>>> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >>>>> actualMembers=[keycloak-1, keycloak-2], >>>>> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>>>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>>>> 2018-10-24 14:48:03,238 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t4) [Context=sessions][Scope=keycloak-1]ISPN100002: >>>>> Started rebalance with topology id 2 >>>>> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p12-t2) ISPN000310: Starting cluster-wide rebalance for >>>>> cache client-mappings, topology CacheTopology{id=2, >>>>> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >>>>> currentCH=ReplicatedConsistentHash{ns = 256, owners = (1)[keycloak-1: >>>>> 256]}, pendingCH=ReplicatedConsistentHash{ns = 256, owners = >>>>> (2)[keycloak-1: 134, keycloak-2: 122]}, unionCH=null, >>>>> actualMembers=[keycloak-1, keycloak-2], >>>>> persistentUUIDs=[f239ad45-df8a-4f17-a08b-6962b47ef073, >>>>> 33572709-8cca-4daa-a2fd-eee2e3fd4c17]} >>>>> 2018-10-24 14:48:03,243 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p12-t2) >>>>> [Context=client-mappings][Scope=keycloak-1]ISPN100002: Started rebalance >>>>> with topology id 2 >>>>> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t7) ISPN000310: Starting cluster-wide rebalance for >>>>> cache actionTokens, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >>>>> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >>>>> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >>>>> (2)[keycloak-1: 
134+122, keycloak-2: 122+134]}, unionCH=null, >>>>> actualMembers=[keycloak-1, keycloak-2], >>>>> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>>>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>>>> 2018-10-24 14:48:03,247 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t7) [Context=actionTokens][Scope=keycloak-1]ISPN100002: >>>>> Started rebalance with topology id 2 >>>>> 2018-10-24 14:48:03,242 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t3) ISPN000310: Starting cluster-wide rebalance for >>>>> cache loginFailures, topology CacheTopology{id=2, phase=READ_OLD_WRITE_ALL, >>>>> rebalanceId=2, currentCH=DefaultConsistentHash{ns=256, owners = >>>>> (1)[keycloak-1: 256+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = >>>>> (2)[keycloak-1: 134+122, keycloak-2: 122+134]}, unionCH=null, >>>>> actualMembers=[keycloak-1, keycloak-2], >>>>> persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>>>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>>>> >>>> >>>> 2018-10-24 14:48:03,271 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t2) >>>>> [Context=offlineSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>>>> finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t6) ISPN000310: Starting cluster-wide rebalance for >>>>> cache offlineClientSessions, topology CacheTopology{id=2, >>>>> phase=READ_OLD_WRITE_ALL, rebalanceId=2, >>>>> currentCH=DefaultConsistentHash{ns=256, owners = (1)[keycloak-1: 256+0]}, >>>>> pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+122, >>>>> keycloak-2: 122+134]}, unionCH=null, actualMembers=[keycloak-1, >>>>> keycloak-2], persistentUUIDs=[ac5d9ae6-7720-4fd7-8df0-b0727acaed48, >>>>> 378015dd-8c56-44a7-ab7e-a93d706dd623]} >>>>> 2018-10-24 14:48:03,273 INFO [org.infinispan.CLUSTER] >>>>> (remote-thread--p16-t6) >>>>> [Context=offlineClientSessions][Scope=keycloak-1]ISPN100002: Started >>>>> rebalance with topology id 
2 >>>>> 2018-10-24 14:48:03,278 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t3) [Context=sessions][Scope=keycloak-1]ISPN100003: >>>>> Node keycloak-1 finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,293 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t8) >>>>> [Context=actionTokens][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>>>> finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t4) >>>>> [Context=clientSessions][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>>>> finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,294 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t9) >>>>> [Context=loginFailures][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>>>> finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t18) >>>>> [Context=authenticationSessions][Scope=keycloak-1]ISPN100003: Node >>>>> keycloak-1 finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,297 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t18) [Context=work][Scope=keycloak-1]ISPN100003: >>>>> Node keycloak-1 finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p18-t23) >>>>> [Context=offlineClientSessions][Scope=keycloak-1]ISPN100003: Node >>>>> keycloak-1 finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:48:03,299 INFO [org.infinispan.CLUSTER] >>>>> (transport-thread--p20-t8) >>>>> [Context=client-mappings][Scope=keycloak-1]ISPN100003: Node keycloak-1 >>>>> finished rebalance phase with topology id 2 >>>>> 2018-10-24 14:49:02,158 WARN >>>>> [org.infinispan.topology.ClusterTopologyManagerImpl] >>>>> (transport-thread--p19-t2) ISPN000197: Error updating cluster member list: >>>>> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out >>>>> 
>>>>> waiting for responses for request 1 from keycloak-2
>>>>>         at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>>>>         at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>>>>         at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>>>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>>         at
>>>>
>>>> On Wed, Oct 24, 2018 at 10:29 AM Sebastian Laskawiec <slaskawi at redhat.com> wrote:
>>>>
>>>>> The new view log messages look a bit weird. It seems that JGroups
>>>>> installed a new view every 1 ms, which is very unusual. There are three
>>>>> scenarios where this may happen (at least that I can think of from the
>>>>> top of my head):
>>>>> - Very short timeout on FD_* protocols
>>>>> - Faulty NIC or incorrect network level configuration in the datacenter
>>>>> - Network packets are cut when in transport. I've seen it with one of
>>>>> the hardware firewalls (don't remember which one though). Due to faulty
>>>>> configuration it was cutting packets to a certain length, causing other
>>>>> layers to fail miserably.
>>>>>
>>>>> Perhaps you could set the logging level to DEBUG on the org.jgroups
>>>>> package and check if there's anything interesting there?
>>>>>
>>>>> On Wed, Oct 24, 2018 at 3:11 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>>>
>>>>>> Hello Keycloakers,
>>>>>> I am having some problems with Keycloak 4.5.0. I basically have set up
>>>>>> two nodes, and they see each other. I am using MPING (the default
>>>>>> configuration). The nodes are called "Keycloak-1" and "Keycloak-2". In
>>>>>> front of these Keycloak nodes I have an HTTPD, which is using AJP to
>>>>>> connect to and load balance them.
>>>>>>
>>>>>> When the second server starts I can see:
>>>>>>
>>>>>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>>> > 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>>> > 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>>> > 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service thread 1-8) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>>> > 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1] (2) [keycloak-1, keycloak-2]
>>>>>> >
>>>>>>
>>>>>> So, they are seeing/reaching each other. The problem happens when I
>>>>>> try to login. I then get the following:
>>>>>>
>>>>>> > MSC000001: Failed to start service org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: org.jboss.msc.service.StartException in service org.wildfly.clustering.infinispan.cache.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>>>>> >
>>>>>>
>>>>>> And errors like:
>>>>>>
>>>>>> > Suppressed: java.util.concurrent.ExecutionException: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from keycloak-2
>>>>>> >
>>>>>>
>>>>>> > 2018-10-24 12:55:48,990 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>>>>>> >     ("subsystem" => "infinispan"),
>>>>>> >     ("cache-container" => "ejb"),
>>>>>> >     ("thread-pool" => "transport")
>>>>>> > ]) - failure description: {
>>>>>> >     "WFLYCTL0080: Failed services" => {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" => "org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>>>>> >     Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
>>>>>> >     Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache client-mappings on keycloak-2"},
>>>>>> >     "WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
>>>>>> >         "Services that were unable to start:" => ["org.wildfly.clustering.cache.group.ejb.client-mappings"],
>>>>>> >         "Services that may be the cause:" => [
>>>>>> >             "jboss.clustering.web.route.default-server",
>>>>>> >             "jboss.deployment.discovery.\"keycloak-server.war\"",
>>>>>> >             "jboss.ejb.association",
>>>>>> >             "jboss.ejb.remoting.connector.client-mappings",
>>>>>> >             "jboss.iiop-openjdk.poa-service.rootpoa",
>>>>>> >
>>>>>>
>>>>>> I am quite puzzled, there are no ports being blocked, and the system
>>>>>> has no load at all. Why would this timeout happen?
>>>>>>
>>>>>> --
>>>>>> Rafael Weingärtner
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>> --
>>>> Rafael Weingärtner
>>>>
>>>
>>>
>>> --
>>> Rafael Weingärtner
>>>
>>
>>
>> --
>> Rafael Weingärtner
>>
>
--
Rafael Weingärtner

From psilva at redhat.com Fri Oct 26 08:18:27 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 26 Oct 2018 09:18:27 -0300
Subject: [keycloak-user] Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope?
In-Reply-To:
References:
Message-ID:

You can achieve authorization using different approaches. I would group
these approaches into two main categories: programmatic vs. externalized
authorization.

When doing programmatic authorization, you are responsible for implementing
the necessary logic not only to check whether a subject is allowed to access
something but also to put some meaning on specific user attributes, such as
roles and groups, in order to decide whether or not access should be
granted. All of that is implemented in your application and subject to
change in case your security requirements change.
In this category, roles, groups, and even pure OAuth2 scopes could be used
to enforce access to your resources.

On the other hand, externalized authorization allows you to decouple your
application from the meaning you would normally put on your roles and
groups. Your application doesn't really care about the roles or groups that
a subject is associated with. It also doesn't care about which access
control mechanism (role-based, group-based, context-based, *-based) was
used to grant access to a resource, giving you much more flexibility on how
you perform authorization in your application. What it does care about is
the permissions the subject has. When you are using our authorization
services you are basically abstracting from your application the different
access control mechanisms that govern access to the resources (and their
actions) and enforcing access based on permissions representing the actual
resources/scopes in your application. If your security requirements change
and you need to remove/add a new role and grant this role to your users, you
won't need to change your application but the policies in Keycloak that
govern access to these resources. Your application would still enforce
access based on the resource:

    if (canAccess('album:read')) {
        // read
    }

While the other approach would be:

    if (hasRole('X') and isMemberOf('Y')) {
        // read
    }

Different from other solutions, Keycloak Authorization Services is based
on OAuth2, mainly. Thus, we include permissions inside tokens without forcing
applications to query the server every time for permissions. We also
support incremental authorization in order to allow permissions to be
included in tokens on demand, reducing the size of tokens and keeping them
more aligned with the user experience. We also enable you to just query
these permissions without issuing tokens, or just get a decision from the
server (grant/denied).

Hope it helps. Take a look here for a few more details [1].

More answers inline.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html

On Fri, Oct 26, 2018 at 6:23 AM Melissa Palmer wrote:

> Hi,
>
> *Is it possible to explain the difference between "Keycloak Groups vs.
> Roles vs. Composite Roles vs. Auth Scope" in more detail? *
>
> *I know there is the description here: *
>
> https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles
>
>
> *From that I get *
> - Groups should focus on collections of users and their roles in your
> organization (Use groups to manage users.). ?
>

Groups are repositories for users/personas. In Keycloak you can grant
*roles* to groups so users within those groups are automatically granted
these roles.

> - Use composite roles to manage applications and services. ?
> - BUT previously said "Roles define a type of user and applications assign
> permission and access control to roles"
> & I don't see where you should maintain "access control to roles"

Roles and composite roles are all about defining an access context in your
application. You may be a member of a "Sales" group representing a business
unit, but you are only a "Manager" if you have a "manager" role assigned to
you.

>
> In other examples I see scopes being used for access control
> - album:view
> - album:delete
>
> Some more explanation on these different concepts would be greatly
> appreciated.
>
> Thank You in Advance
> Melissa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From abhi.raghav007 at gmail.com Fri Oct 26 08:51:33 2018
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Fri, 26 Oct 2018 18:21:33 +0530
Subject: [keycloak-user] Fine grained Permission
Message-ID:

Hi

Is it possible to implement fine grained permissions - which can restrict
an Admin user from assigning a specific Realm Role to any group in that realm.
The way fine grained permissions work is a little complex to understand as
there are so many moving parts. Any clues are highly appreciated.

Thanks.

*- Best*
Abhishek

From psilva at redhat.com Fri Oct 26 09:10:20 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 26 Oct 2018 10:10:20 -0300
Subject: [keycloak-user] Fine grained Permission
In-Reply-To:
References:
Message-ID:

I agree, we have been discussing improvements on how we manage admin
permissions. One of the problems is that even when using permissions,
access still relies on roles such as manage-*, view-*, query-*.

This should be possible for users. I think for groups, you would need to
grant the "manage-users" role, which does not make sense for your case. But
for users, if you grant only "query-users" to some user and then configure
the "map-role" to a specific role, if the user does not have access to the
role it will not show up in the list of available roles.

Regards.
Pedro Igor

On Fri, Oct 26, 2018 at 9:56 AM abhishek raghav wrote:

> Hi
>
> Is it possible to implement fine grained permissions - which can restrict
> an Admin user from assigning a specific Realm Role to any group in that
> realm.
>
> The way fine grained permissions work is a little complex to understand as
> there are so many moving parts. Any clues are highly appreciated.
>
> Thanks.
>
> *- Best*
> Abhishek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From melissa.palmer at gmail.com Fri Oct 26 09:15:17 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Fri, 26 Oct 2018 15:15:17 +0200
Subject: [keycloak-user] Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope?
In-Reply-To:
References:
Message-ID:

Hi Pedro

Thank you for your reply - I understand that I can do programmatic vs.
externalized authorization.
I want to use KC Authorisation Services (externalized authorization), BUT I
am still trying to understand the Keycloak concepts between
- Groups vs. Roles vs. Composite Roles, and most especially Roles vs.
Composite Roles
and how to get to the finer level of granularity.

For example in a bug tracking tool I could have
- Groups [eg: Audit, Contractors, Development, DevOps, QA, HODs, Help Desk]
- Roles [eg: Manager, Developer, Tester, Audit, Owner]
- Permissions/Functions which each have similar Access Control (privileges)
  [eg: Project: create, read, update, close/open, manage members, manage versions
       Issues: create, read, update, delete, move
       Time: create, read, update, delete, manage activity types
  ]

Generically I am thinking in terms of something like:
Group       --> Role      --> Permission/Function --> Access Control (privileged)
Development --> Manager   --> Issues              --> create/read/update/delete/move
Development --> Tester    --> Issues              --> read/update/move
Development --> Developer --> Issues              --> read/update

I am still not seeing how to do this in Keycloak?
In the above example I have 4 levels (Group, Role, Permission, Privileged)
whereas in KC I only see 3 (Group, Composite Role, Role)

Thank you
Melissa

On Fri, 26 Oct 2018 at 14:18, Pedro Igor Silva wrote:

> You can achieve authorization using different approaches. I would group
> these approaches into two main categories: programmatic vs. externalized
> authorization.
>
> When doing programmatic authorization, you are responsible for implementing
> the necessary logic not only to check whether a subject is allowed to access
> something but also to put some meaning on specific user attributes, such as
> roles and groups, in order to decide whether or not access should be
> granted. All of that is implemented in your application and subject to
> change in case your security requirements change. In this category, roles,
> groups, and even pure OAuth2 scopes could be used to enforce access to your
> resources.
>
> On the other hand, externalized authorization allows you to decouple your
> application from the meaning you would normally put on your roles and
> groups. Your application doesn't really care about the roles or groups that
> a subject is associated with. It also doesn't care about which access
> control mechanism (role-based, group-based, context-based, *-based) was
> used to grant access to a resource, giving you much more flexibility on how
> you perform authorization in your application. What it does care about is
> the permissions the subject has. When you are using our authorization
> services you are basically abstracting from your application the different
> access control mechanisms that govern access to the resources (and their
> actions) and enforcing access based on permissions representing the actual
> resources/scopes in your application. If your security requirements change
> and you need to remove/add a new role and grant this role to your users, you
> won't need to change your application but the policies in Keycloak that
> govern access to these resources. Your application would still enforce
> access based on the resource:
>
>     if (canAccess('album:read')) {
>         // read
>     }
>
> While the other approach would be:
>
>     if (hasRole('X') and isMemberOf('Y')) {
>         // read
>     }
>
> Different from other solutions, Keycloak Authorization Services is based
> on OAuth2, mainly. Thus, we include permissions inside tokens without forcing
> applications to query the server every time for permissions. We also
> support incremental authorization in order to allow permissions to be
> included in tokens on demand, reducing the size of tokens and keeping them
> more aligned with the user experience. We also enable you to just query
> these permissions without issuing tokens, or just get a decision from the
> server (grant/denied).
>
> Hope it helps. Take a look here for a few more details [1].
>
> More answers inline.
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html
>
> On Fri, Oct 26, 2018 at 6:23 AM Melissa Palmer wrote:
>
>> Hi,
>>
>> *Is it possible to explain the difference between "Keycloak Groups vs.
>> Roles vs. Composite Roles vs. Auth Scope" in more detail? *
>>
>> *I know there is the description here: *
>>
>> https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles
>>
>>
>> *From that I get *
>> - Groups should focus on collections of users and their roles in your
>> organization (Use groups to manage users.). ?
>>
>
> Groups are repositories for users/personas. In Keycloak you can grant
> *roles* to groups so users within those groups are automatically granted
> these roles.
>
>
>> - Use composite roles to manage applications and services. ?
>> - BUT previously said "Roles define a type of user and applications assign
>> permission and access control to roles"
>> & I don't see where you should maintain "access control to roles"
>
>
> Roles and composite roles are all about defining an access context in your
> application. You may be a member of a "Sales" group representing a business
> unit, but you are only a "Manager" if you have a "manager" role assigned to
> you.
>
>>
>> In other examples I see scopes being used for access control
>> - album:view
>> - album:delete
>>
>> Some more explanation on these different concepts would be greatly
>> appreciated.
>>
>> Thank You in Advance
>> Melissa
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From psilva at redhat.com Fri Oct 26 09:20:16 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 26 Oct 2018 10:20:16 -0300
Subject: [keycloak-user] Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope?
In-Reply-To:
References:
Message-ID:

On Fri, Oct 26, 2018 at 10:15 AM Melissa Palmer wrote:

> Hi Pedro
>
> Thank you for your reply - I understand that I can do programmatic vs.
> externalized authorization.
>
> I want to use KC Authorisation Services (externalized authorization), BUT I
> am still trying to understand the Keycloak concepts between
> - Groups vs. Roles vs. Composite Roles, and most especially Roles vs.
> Composite Roles
> and how to get to the finer level of granularity.
>
> For example in a bug tracking tool I could have
> - Groups [eg: Audit, Contractors, Development, DevOps, QA, HODs, Help Desk]
> - Roles [eg: Manager, Developer, Tester, Audit, Owner]
> - Permissions/Functions which each have similar Access Control (privileges)
>   [eg: Project: create, read, update, close/open, manage members, manage versions
>        Issues: create, read, update, delete, move
>        Time: create, read, update, delete, manage activity types
>   ]
>
> Generically I am thinking in terms of something like:
> Group       --> Role      --> Permission/Function --> Access Control (privileged)
> Development --> Manager   --> Issues              --> create/read/update/delete/move
> Development --> Tester    --> Issues              --> read/update/move
> Development --> Developer --> Issues              --> read/update
>
> I am still not seeing how to do this in Keycloak?
> In the above example I have 4 levels (Group, Role, Permission, Privileged)
> whereas in KC I only see 3 (Group, Composite Role, Role)
>

I don't get it ... the missing level, "permission", would be the
resources/scopes you create for your client under the "Authorization" tab,
where the permissions in the "Authorization" tab will actually define
who/how/what can access things. For instance, I guess "Issues" and "CRUD"
are resources and scopes, respectively, right?

>
> Thank you
> Melissa
>
> On Fri, 26 Oct 2018 at 14:18, Pedro Igor Silva wrote:
>
>> You can achieve authorization using different approaches. I would group
>> these approaches into two main categories: programmatic vs. externalized
>> authorization.
>>
>> When doing programmatic authorization, you are responsible for implementing
>> the necessary logic not only to check whether a subject is allowed to access
>> something but also to put some meaning on specific user attributes, such as
>> roles and groups, in order to decide whether or not access should be
>> granted. All of that is implemented in your application and subject to
>> change in case your security requirements change. In this category, roles,
>> groups, and even pure OAuth2 scopes could be used to enforce access to your
>> resources.
>>
>> On the other hand, externalized authorization allows you to decouple your
>> application from the meaning you would normally put on your roles and
>> groups. Your application doesn't really care about the roles or groups that
>> a subject is associated with. It also doesn't care about which access
>> control mechanism (role-based, group-based, context-based, *-based) was
>> used to grant access to a resource, giving you much more flexibility on how
>> you perform authorization in your application. What it does care about is
>> the permissions the subject has. When you are using our authorization
>> services you are basically abstracting from your application the different
>> access control mechanisms that govern access to the resources (and their
>> actions) and enforcing access based on permissions representing the actual
>> resources/scopes in your application. If your security requirements change
>> and you need to remove/add a new role and grant this role to your users, you
>> won't need to change your application but the policies in Keycloak that
>> govern access to these resources. Your application would still enforce
>> access based on the resource:
>>
>>     if (canAccess('album:read')) {
>>         // read
>>     }
>>
>> While the other approach would be:
>>
>>     if (hasRole('X') and isMemberOf('Y')) {
>>         // read
>>     }
>>
>> Different from other solutions, Keycloak Authorization Services is based
>> on OAuth2, mainly. Thus, we include permissions inside tokens without forcing
>> applications to query the server every time for permissions. We also
>> support incremental authorization in order to allow permissions to be
>> included in tokens on demand, reducing the size of tokens and keeping them
>> more aligned with the user experience. We also enable you to just query
>> these permissions without issuing tokens, or just get a decision from the
>> server (grant/denied).
>>
>> Hope it helps. Take a look here for a few more details [1].
>>
>> More answers inline.
>>
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html
>>
>> On Fri, Oct 26, 2018 at 6:23 AM Melissa Palmer wrote:
>>
>>> Hi,
>>>
>>> *Is it possible to explain the difference between "Keycloak Groups vs.
>>> Roles vs. Composite Roles vs. Auth Scope" in more detail? *
>>>
>>> *I know there is the description here: *
>>>
>>> https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles
>>>
>>>
>>> *From that I get *
>>> - Groups should focus on collections of users and their roles in your
>>> organization (Use groups to manage users.). ?
>>>
>>
>> Groups are repositories for users/personas. In Keycloak you can grant
>> *roles* to groups so users within those groups are automatically granted
>> these roles.
>>
>>
>>> - Use composite roles to manage applications and services. ?
>>> - BUT previously said "Roles define a type of user and applications
>>> assign permission and access control to roles"
>>> & I don't see where you should maintain "access control to roles"
>>
>>
>> Roles and composite roles are all about defining an access context in
>> your application.
You may be a member of a "Sales" group representing a >> business unit, but you are only a "Manager" if you have a "manager" role >> assigned to you. >> >>> >>> In other examples I see scopes being used for access control >>> - album:view >>> - album:delete >>> >>> Some more explanation on these different concepts would be greatly >>> appreciated. >>> >>> Thank You in Advance >>> Melissa >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> From cristi.cioriia at gmail.com Fri Oct 26 09:25:09 2018 From: cristi.cioriia at gmail.com (Cristi Cioriia) Date: Fri, 26 Oct 2018 15:25:09 +0200 Subject: [keycloak-user] Deploying Keycloak on Openshift with MariaDB persistence produces errors in logs Message-ID: Hello, While deploying Keycloak 4.5.0.Final in an Openshift environment, using Mariadb (Galera) as a database produces several exceptions in the logs, all of them being related to the communication between the Keycloak server and the database. The access to the Galera server (3 instances) is performed via a Maxscale proxy. The Galera server, Maxscale (deployment of 3 pods) and Keycloak (deployment of 2 replicas) are all deployed inside Openshift, on AWS (1master + 3 workers). I am hoping you guys can help with fixing these issues. 
The errors look like below:

08:40:46,603 WARN [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (ConnectionValidator) IJ030027: Destroying connection that is not valid, due to the following exception: org.mariadb.jdbc.MariaDbConnection at 76883993: java.sql.SQLNonTransientConnectionException: (conn=24) unexpected end of stream, read 0 bytes from 4 (socket was closed by server)
        at org.mariadb.jdbc.MariaDbStatement.execute(MariaDbStatement.java:386)
        at org.jboss.jca.adapters.jdbc.CheckValidConnectionSQL.isValidConnection(CheckValidConnectionSQL.java:74)
        at org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator$ConnectionValidatorRunner.run(ConnectionValidator.java:277)
        ...
Caused by: java.sql.SQLException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server)
Query is: SELECT 1
        ...
Caused by: java.io.EOFException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server)
        at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacketArray(StandardPacketInputStream.java:239)
        ...

I suspect that the errors come from the way the jdbc data source is configured. The mariadb configurations related to connections and wait timeouts are like below:

max_connections=1000
wait_timeout=180

The second issue I noticed was the following: one of the pods in the deployments (we deploy 2 replicas of Keycloak) sometimes does not start correctly because of the following exception, which is still related to the database connection:

08:13:03,409 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 52) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        ...
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
        ...
Caused by: java.lang.RuntimeException: Failed to connect to database
        at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
        at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
        at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
        ...
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
        ...
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690)
        ...
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
        at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
        ...
Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables
        at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1093)
        at org.mariadb.jdbc.Driver.connect(Driver.java:86)
        ...
Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables
        at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:606)
        at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:477)
        ...
Caused by: java.sql.SQLException: Error reading SessionVariables results. Socket is connected ? true
        at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readRequestSessionVariables(AbstractConnectProtocol.java:572)
        ...
The pod is in state running, but it is not ready, as it can be seen below:

oc describe pod keycloak-787795bbcb-qng6j
Name:               keycloak-787795bbcb-qng6j
Namespace:          frame-2900
Start Time:         Thu, 25 Oct 2018 10:03:30 +0200
Labels:             application=keycloak
                    pod-template-hash=3433516676
Annotations:        openshift.io/scc=restricted
Status:             *Running*
IP:                 10.131.0.12
Controlled By:      ReplicaSet/keycloak-787795bbcb
Containers:
  keycloak:
    Container ID:   docker://b703c13a70ffa24f696e08996590b972ec65e6b6041f8d08f50a44372b9e4760
    Image:          jboss/keycloak
    Image ID:       docker-pullable://docker.io/jboss/keycloak at sha256:cb5c24d06f22c51ca193e6d1e930d206ef0b841a745f8e475a08e33f10b38ad4
    Ports:          8080/TCP, 8443/TCP
    *State:         Waiting*
    * Reason:       CrashLoopBackOff*
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Thu, 25 Oct 2018 10:12:43 +0200
      Finished:     Thu, 25 Oct 2018 10:13:03 +0200
    Ready:          False
    * Restart Count: 6*
    Liveness:       http-get http://:8080/auth/realms/master delay=60s timeout=1s period=10s #success=1 #failure=3
    Readiness:      http-get http://:8080/auth/realms/master delay=30s timeout=1s period=10s #success=1 #failure=10
    Environment:
      KEYCLOAK_USER:                 BokIm2Kl
      KEYCLOAK_PASSWORD:             o8QobI0D
      PROXY_ADDRESS_FORWARDING:      true
      DB_VENDOR:                     MARIADB
      JGROUPS_DISCOVERY_PROTOCOL:    dns.DNS_PING
      JGROUPS_DISCOVERY_PROPERTIES:  dns_query=keycloak.default.svc.cluster.local
      DB_ADDR:                       max-scale
      DB_DATABASE:                   keycloak
      DB_PORT:                       4408
      DB_USER:                       Optional: false
      DB_PASSWORD:                   Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from frame-2900-token-k8cwj (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          False
  PodScheduled   True
Volumes:
  frame-2900-token-k8cwj:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  frame-2900-token-k8cwj
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  node-role.kubernetes.io/compute=true
Tolerations:
Events:
  Type     Reason                 Age                From                                                Message
  ----     ------                 ----               ----                                                -------
  Normal   Scheduled              11m                default-scheduler                                   Successfully assigned keycloak-787795bbcb-qng6j to ip-10-0-141-24.eu-west-1.compute.internal
  Normal   SuccessfulMountVolume  11m                kubelet, ip-10-0-141-24.eu-west-1.compute.internal  MountVolume.SetUp succeeded for volume "frame-2900-token-k8cwj"
  Normal   Pulled                 7m (x4 over 9m)    kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Successfully pulled image "jboss/keycloak"
  Normal   Created                7m (x4 over 9m)    kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Created container
  Normal   Started                7m (x4 over 9m)    kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Started container
  Normal   Pulling                6m (x5 over 10m)   kubelet, ip-10-0-141-24.eu-west-1.compute.internal  pulling image "jboss/keycloak"
  Warning  BackOff                53s (x31 over 8m)  kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Back-off restarting failed container

The pod is restarted several times it seems, but it does not start correctly. I deleted the pod and it was recreated automatically by Openshift and the new pod started correctly.

Then, there is a third issue that I've encountered while trying to login into the deployed application.
While entering some wrong credentials I got an error page and noticed in the logs that there is still a database connection error:

08:18:12,405 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
        at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492)
        at org.keycloak.models.jpa.JpaUserProvider.getUserByUsername(JpaUserProvider.java:526)
        at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:213)
        at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:153)
        at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
        at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
        ...
Caused by: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet
        at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79)
        at org.hibernate.loader.Loader.getResultSet(Loader.java:2122)
        ...
Caused by: java.sql.SQLNonTransientConnectionException: (conn=476) Connection is closed
        at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeQuery(MariaDbPreparedStatementClient.java:164)
        at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504)
        ...
Caused by: java.sql.SQLException: Connection is closed
        at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.cmdPrologue(AbstractQueryProtocol.java:1711)
        ...

After a couple of seconds, the issue disappeared, probably because Keycloak was able to get a valid connection from the connection pool.

Thanks in advance for your help.

Greetings,
Cristi

From melissa.palmer at gmail.com Fri Oct 26 09:27:59 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Fri, 26 Oct 2018 15:27:59 +0200
Subject: [keycloak-user] Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope?
In-Reply-To:
References:
Message-ID:

OK, so you're saying for this example

  *Group --> Role --> Permission/Function --> Access Control (privileged)*
  Development --> Manager --> Issues --> create/read/update/delete/move
  Development --> Tester --> Issues --> read/update/move
  Development --> Developer --> Issues --> read/update

in Keycloak, model it as

  *Group --> Composite Role --> Role --> Scopes (of the "Authorization" tab)*
  Development --> Manager --> Issues --> create/read/update/delete/move
  Development --> Tester --> Issues --> read/update/move
  Development --> Developer --> Issues --> read/update

On Fri, 26 Oct 2018 at 15:20, Pedro Igor Silva wrote:

> On Fri, Oct 26, 2018 at 10:15 AM Melissa Palmer wrote:
>
>> Hi Pedro
>>
>> Thank you for your reply - I understand that I can do programmatic vs
>> externalized authorization.
>>
>> I want to use KC Authorisation Services (externalized authorization), BUT
>> I am still trying to understand the Keycloak concepts between
>> - Groups vs. Roles vs. Composite Roles and most especially Roles vs. Composite Roles
>> and how to get to the finer level of granularity.
>>
>> For example in a bug tracking tool I could have
>> - Groups [eg: Audit, Contractors, Development, DevOps, QA, HODs, Help Desk]
>> - Roles [eg: Manager, Developer, Tester, Audit, Owner]
>> - Permissions/Functions which each have similar Access Control (privileged)
>>   [eg: Project: create, read, update, close/open, manage members, manage versions
>>        Issues: create, read, update, delete, move,
>>        Time: create, read, update, delete, manage activity types
>>   ]
>>
>> Generically I am thinking in terms of something like:
>>   Group --> Role --> Permission/Function --> Access Control (privileged)
>>   Development --> Manager --> Issues --> create/read/update/delete/move
>>   Development --> Tester --> Issues --> read/update/move
>>   Development --> Developer --> Issues --> read/update
>>
>> I am still not seeing how to do this in Keycloak?
>> The above example I have 4 levels (Group, Role, Permission, Privileged)
>> whereas in KC I only see 3 (Group, Composite Role, Role)
>
> I don't get ... the missing level, "permission", would be the
> resources/scopes you create for your client under the "Authorization" tab.
> Where the permissions in the "Authorization" tab will actually define
> who/how/what can access things. For instance, I guess "Issues" and "CRUD"
> are resources and scopes, respectively, right?
>
>> Thank you
>> Melissa
>>
>> On Fri, 26 Oct 2018 at 14:18, Pedro Igor Silva wrote:
>>
>>> You can achieve authorization using different approaches. I would group
>>> these approaches in two main categories: programmatic vs externalized
>>> authorization.
>>>
>>> When doing programmatic authorization, you are responsible for implementing
>>> the necessary logic to not only check if a subject is allowed to access
>>> something but also to put some meaning on specific user attributes, such as
>>> roles and groups, in order to decide whether or not access should be
>>> granted. All that is implemented in your application and subject to change in
>>> case your security requirements change. In this category, roles, groups,
>>> and even pure OAuth2 scopes, could be used to enforce access to your
>>> resources.
>>>
>>> On the other hand, externalized authorization allows you to decouple
>>> your application from the meaning you would normally put on your roles and
>>> groups. Your application doesn't really care about the roles or groups that
>>> a subject is associated with. It also doesn't care about which access
>>> control mechanisms (role-based, group-based, context-based, *-based) were
>>> used to grant access to a resource, giving you much more flexibility on how
>>> you perform authorization in your application. What it does care about is
>>> the permissions the subject has. When you are using our authorization
>>> services you are basically abstracting from your application the different
>>> access control mechanisms that govern access to the resources (and their
>>> actions) and enforcing access based on permissions representing the actual
>>> resources/scopes in your application. If your security requirements change
>>> and you need to remove/add a new role and grant this role to your users, you
>>> won't need to change your application but the policies in Keycloak that
>>> govern access to these resources. Your application would still enforce
>>> access based on the resource:
>>>
>>>     if (canAccess('album:read')) {
>>>         // read
>>>     }
>>>
>>> While the other approach would be:
>>>
>>>     if (hasRole('X') and isMemberOf('Y')) {
>>>         // read
>>>     }
>>>
>>> Different from other solutions, Keycloak Authorization Services is based
>>> on OAuth2, mainly. Thus, we include permissions inside tokens without forcing
>>> applications to query the server every time for permissions. We also
>>> support incremental authorization in order to allow permissions to be
>>> included in tokens on demand, reducing the size of tokens and more aligned
>>> with the user experience. We also enable you to just query these
>>> permissions without issuing tokens or just get a decision from the server
>>> (grant/denied).
>>>
>>> Hope it helps. Take a look here for a little more detail [1].
>>>
>>> More answers inline.
>>>
>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html
>>>
>>> On Fri, Oct 26, 2018 at 6:23 AM Melissa Palmer wrote:
>>>
>>>> Hi,
>>>>
>>>> *Is it possible to explain the difference between "Keycloak Groups vs.
>>>> Roles vs. Composite Roles vs. Auth Scope" in more detail?*
>>>>
>>>> *I know there is the description here:*
>>>> https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles
>>>>
>>>> *From that I get*
>>>> - Groups should focus on collections of users and their roles in your
>>>>   organization (Use groups to manage users.). ?
>>>
>>> Groups are repositories for users/personas. In Keycloak you can grant
>>> *roles* to groups so users within those groups are automatically granted
>>> these roles.
>>>
>>>> - Use composite roles to manage applications and services. ?
>>>> - BUT previously said "Roles define a type of user and applications assign
>>>>   permission and access control to roles"
>>>>   & I don't see where you should maintain "access control to roles"
>>>
>>> Roles and composite roles are all about defining an access context in
>>> your application. You may be a member of a "Sales" group representing a
>>> business unit, but you are only a "Manager" if you have a "manager" role
>>> assigned to you.
>>>
>>>> In other examples I see scopes being used for access control
>>>> - album:view
>>>> - album:delete
>>>>
>>>> Some more explanation on these different concepts would be greatly
>>>> appreciated.
>>>>
>>>> Thank You in Advance
>>>> Melissa
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Oct 26 09:35:02 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 26 Oct 2018 10:35:02 -0300
Subject: [keycloak-user] Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope?
In-Reply-To:
References:
Message-ID:

Yes, "Resources/Scopes (of the Authorization tab)", where "Issue" is a resource with CRUD scopes. You could define permissions for each individual scope, for all of them, for a subset of them, etc., associating these permissions with policies like "Only Manager", "Only Tester", etc.
For instance, consider the "delete" scope. You may have a scope-permission as follows:

- Scopes: delete
- Policies: Only Manager

For the "move" scope:

- Scopes: move
- Policies: Only Manager, Only Tester
- Decision Strategy: AFFIRMATIVE (grants access if any policy gives a grant).

On Fri, Oct 26, 2018 at 10:28 AM Melissa Palmer wrote:

> OK, so you're saying for this example
>
>   *Group --> Role --> Permission/Function --> Access Control (privileged)*
>   Development --> Manager --> Issues --> create/read/update/delete/move
>   Development --> Tester --> Issues --> read/update/move
>   Development --> Developer --> Issues --> read/update
>
> in Keycloak, model it as
>
>   *Group --> Composite Role --> Role --> Scopes (of the "Authorization" tab)*
>   Development --> Manager --> Issues --> create/read/update/delete/move
>   Development --> Tester --> Issues --> read/update/move
>   Development --> Developer --> Issues --> read/update
>
> On Fri, 26 Oct 2018 at 15:20, Pedro Igor Silva wrote:
>
>> On Fri, Oct 26, 2018 at 10:15 AM Melissa Palmer wrote:
>>
>>> Hi Pedro
>>>
>>> Thank you for your reply - I understand that I can do programmatic vs
>>> externalized authorization.
>>>
>>> I want to use KC Authorisation Services (externalized authorization), BUT
>>> I am still trying to understand the Keycloak concepts between
>>> - Groups vs. Roles vs. Composite Roles and most especially Roles vs. Composite Roles
>>> and how to get to the finer level of granularity.
>>>
>>> For example in a bug tracking tool I could have
>>> - Groups [eg: Audit, Contractors, Development, DevOps, QA, HODs, Help Desk]
>>> - Roles [eg: Manager, Developer, Tester, Audit, Owner]
>>> - Permissions/Functions which each have similar Access Control (privileged)
>>>   [eg: Project: create, read, update, close/open, manage members, manage versions
>>>        Issues: create, read, update, delete, move,
>>>        Time: create, read, update, delete, manage activity types
>>>   ]
>>>
>>> Generically I am thinking in terms of something like:
>>>   Group --> Role --> Permission/Function --> Access Control (privileged)
>>>   Development --> Manager --> Issues --> create/read/update/delete/move
>>>   Development --> Tester --> Issues --> read/update/move
>>>   Development --> Developer --> Issues --> read/update
>>>
>>> I am still not seeing how to do this in Keycloak?
>>> The above example I have 4 levels (Group, Role, Permission, Privileged)
>>> whereas in KC I only see 3 (Group, Composite Role, Role)
>>
>> I don't get ... the missing level, "permission", would be the
>> resources/scopes you create for your client under the "Authorization" tab.
>> Where the permissions in the "Authorization" tab will actually define
>> who/how/what can access things. For instance, I guess "Issues" and "CRUD"
>> are resources and scopes, respectively, right?
>>
>>> Thank you
>>> Melissa
>>>
>>> On Fri, 26 Oct 2018 at 14:18, Pedro Igor Silva wrote:
>>>
>>>> You can achieve authorization using different approaches. I would group
>>>> these approaches in two main categories: programmatic vs externalized
>>>> authorization.
>>>>
>>>> When doing programmatic authorization, you are responsible for implementing
>>>> the necessary logic to not only check if a subject is allowed to access
>>>> something but also to put some meaning on specific user attributes, such as
>>>> roles and groups, in order to decide whether or not access should be
>>>> granted. All that is implemented in your application and subject to change in
>>>> case your security requirements change. In this category, roles, groups,
>>>> and even pure OAuth2 scopes, could be used to enforce access to your
>>>> resources.
>>>>
>>>> On the other hand, externalized authorization allows you to decouple
>>>> your application from the meaning you would normally put on your roles and
>>>> groups. Your application doesn't really care about the roles or groups that
>>>> a subject is associated with. It also doesn't care about which access
>>>> control mechanisms (role-based, group-based, context-based, *-based) were
>>>> used to grant access to a resource, giving you much more flexibility on how
>>>> you perform authorization in your application. What it does care about is
>>>> the permissions the subject has. When you are using our authorization
>>>> services you are basically abstracting from your application the different
>>>> access control mechanisms that govern access to the resources (and their
>>>> actions) and enforcing access based on permissions representing the actual
>>>> resources/scopes in your application. If your security requirements change
>>>> and you need to remove/add a new role and grant this role to your users, you
>>>> won't need to change your application but the policies in Keycloak that
>>>> govern access to these resources. Your application would still enforce
>>>> access based on the resource:
>>>>
>>>>     if (canAccess('album:read')) {
>>>>         // read
>>>>     }
>>>>
>>>> While the other approach would be:
>>>>
>>>>     if (hasRole('X') and isMemberOf('Y')) {
>>>>         // read
>>>>     }
>>>>
>>>> Different from other solutions, Keycloak Authorization Services is
>>>> based on OAuth2, mainly. Thus, we include permissions inside tokens without
>>>> forcing applications to query the server every time for permissions. We also
>>>> support incremental authorization in order to allow permissions to be
>>>> included in tokens on demand, reducing the size of tokens and more aligned
>>>> with the user experience. We also enable you to just query these
>>>> permissions without issuing tokens or just get a decision from the server
>>>> (grant/denied).
>>>>
>>>> Hope it helps. Take a look here for a little more detail [1].
>>>>
>>>> More answers inline.
>>>>
>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html
>>>>
>>>> On Fri, Oct 26, 2018 at 6:23 AM Melissa Palmer <melissa.palmer at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> *Is it possible to explain the difference between "Keycloak Groups vs.
>>>>> Roles vs. Composite Roles vs. Auth Scope" in more detail?*
>>>>>
>>>>> *I know there is the description here:*
>>>>> https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles
>>>>>
>>>>> *From that I get*
>>>>> - Groups should focus on collections of users and their roles in your
>>>>>   organization (Use groups to manage users.). ?
>>>>
>>>> Groups are repositories for users/personas. In Keycloak you can grant
>>>> *roles* to groups so users within those groups are automatically granted
>>>> these roles.
>>>>
>>>>> - Use composite roles to manage applications and services. ?
>>>>> - BUT previously said "Roles define a type of user and applications assign
>>>>>   permission and access control to roles"
>>>>>   & I don't see where you should maintain "access control to roles"
>>>>
>>>> Roles and composite roles are all about defining an access context in
>>>> your application. You may be a member of a "Sales" group representing a
>>>> business unit, but you are only a "Manager" if you have a "manager" role
>>>> assigned to you.
>>>>
>>>>> In other examples I see scopes being used for access control
>>>>> - album:view
>>>>> - album:delete
>>>>>
>>>>> Some more explanation on these different concepts would be greatly
>>>>> appreciated.
>>>>>
>>>>> Thank You in Advance
>>>>> Melissa
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.richner at oviva.com Fri Oct 26 10:07:24 2018
From: thomas.richner at oviva.com (Thomas Richner)
Date: Fri, 26 Oct 2018 16:07:24 +0200
Subject: [keycloak-user] Login via Magic URL
Message-ID:

Hi All,

I'm trying to lower the barrier for users by sending them a 'magic' link to log in without a password into a mobile app.

The general flow would be as follows:
1. backend requests 'single use token' from Keycloak via API
2. backend sends email with this token to user via e.g. email as part of a magic link
3. user opens the link on a mobile device
4. the URI scheme/domain is registered in the mobile OS for a specific app, app gets opened
5. mobile app exchanges 'single use token' for a refresh token
6. user is logged in :)

As I understand there is no such flow available in Keycloak. Looking at the SPI interfaces one might be able to implement something like this by adding custom API endpoints and ActionTokenHandler.

Since I doubt I'm the first one to explore magic deep links with Keycloak, did anybody already implement that? Did I miss a feature that already exists? Is there an easier way to achieve this with Keycloak?

Cheers,
Thomas

From bruno at abstractj.org Fri Oct 26 10:24:11 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 26 Oct 2018 11:24:11 -0300
Subject: [keycloak-user] Login via Magic URL
In-Reply-To:
References:
Message-ID:

Hi Thomas,

Stian explored this some time ago https://www.youtube.com/watch?v=oyUsI3QgEq8.
Maybe you can find some inspiration here: https://github.com/stianst/keycloak-experimental/tree/master/magic-link

On Fri, Oct 26, 2018 at 11:11 AM Thomas Richner wrote:

> Hi All,
>
> I'm trying to lower the barrier for users by sending them a 'magic'
> link to log in without a password into a mobile app.
>
> The general flow would be as follows:
> 1. backend requests 'single use token' from Keycloak via API
> 2. backend sends email with this token to user via e.g. email as part
>    of a magic link
> 3. user opens the link on a mobile device
> 4. the URI scheme/domain is registered in the mobile OS for a specific
>    app, app gets opened
> 5. mobile app exchanges 'single use token' for a refresh token
> 6. user is logged in :)
>
> As I understand there is no such flow available in Keycloak. Looking
> at the SPI interfaces one might be able to implement something like
> this by adding custom API endpoints and ActionTokenHandler.
>
> Since I doubt I'm the first one to explore magic deep links with
> Keycloak, did anybody already implement that? Did I miss a feature
> that already exists? Is there an easier way to achieve this with
> Keycloak?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ieugen at netdava.com Fri Oct 26 11:01:28 2018
From: ieugen at netdava.com (Eugen Stan)
Date: Fri, 26 Oct 2018 18:01:28 +0300
Subject: [keycloak-user] how to handle upgrade for Keycloak docker deployment
Message-ID:

Hello,

What are the steps to upgrade a Keycloak Docker deployment? The steps in [upgrade-guide] are valid for normal deployments. Docker upgrades can simply be done by changing the version number. I know some steps are necessary. I also know that database migration can be handled by Keycloak automatically. What about the other steps?

TLDR: We are using Keycloak to secure some of our services. We have deployed it via Docker, following the instructions on [keycloak-docker]. However, there is something that bugs me: how to do upgrades. I've read the [upgrade-guide] and the steps are:
- stopping the server
- run some script
- start the server (to do database migrations).

Our setup is simple, we have a single Keycloak instance with PostgreSQL and no changes other than a custom theme.

[keycloak-docker] https://hub.docker.com/r/jboss/keycloak/
[upgrade-guide] https://www.keycloak.org/docs/4.5/upgrading/

Thanks,
Eugen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181026/bf18349d/attachment.bin

From graham.burgess at razer.com Fri Oct 26 11:24:06 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Fri, 26 Oct 2018 15:24:06 +0000
Subject: [keycloak-user] how to handle upgrade for Keycloak docker deployment
In-Reply-To:
References:
Message-ID:

I rolled from 4.4 to 4.5 without thinking about any steps. I am running the container using the Helm chart for Kubernetes with some addons for the database but nothing that seems to need anything special for upgrades.

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Eugen Stan
Sent: Friday, October 26, 2018 8:01 AM
To: keycloak-user
Subject: [keycloak-user] how to handle upgrade for Keycloak docker deployment

Hello,

What are the steps to upgrade a Keycloak Docker deployment? The steps in [upgrade-guide] are valid for normal deployments. Docker upgrades can simply be done by changing the version number. I know some steps are necessary. I also know that database migration can be handled by Keycloak automatically. What about the other steps?

TLDR: We are using Keycloak to secure some of our services. We have deployed it via Docker, following the instructions on [keycloak-docker]. However, there is something that bugs me: how to do upgrades. I've read the [upgrade-guide] and the steps are:
- stopping the server
- run some script
- start the server (to do database migrations).

Our setup is simple, we have a single Keycloak instance with PostgreSQL and no changes other than a custom theme.

[keycloak-docker] https://hub.docker.com/r/jboss/keycloak/
[upgrade-guide] https://www.keycloak.org/docs/4.5/upgrading/

Thanks,
Eugen

From jspittel at intimesoft.com Fri Oct 26 13:45:31 2018
From: jspittel at intimesoft.com (Jason Spittel)
Date: Fri, 26 Oct 2018 17:45:31 +0000
Subject: [keycloak-user] Keycloak OutOfMemoryError
Message-ID:

Hello,

We are currently experiencing an OutOfMemoryError / memory leak on our Keycloak servers. This occurs intermittently, within a span of a few weeks to months between incidents. When it does happen, the entire server is brought down. It's a very small load, less than 3000 users, with default settings across the board. One of the Keycloak servers is an identity broker, and the other is an IdP that points to the broker (behind the broker is our actual application).
Looking at JVM logs, the memory is GC'ed regularly with no long-term increase, then suddenly, over a period of 5 minutes, spikes to beyond what is allocated to the server (2GB).

We ran the Eclipse Memory Analyser against the .hprof file and found this as the memory leak suspect:

default I/O-4
    at java.lang.OutOfMemoryError.<init>()V (OutOfMemoryError.java:48)
    at java.util.ArrayDeque.doubleCapacity()V (ArrayDeque.java:162)
    at java.util.ArrayDeque.addLast(Ljava/lang/Object;)V (ArrayDeque.java:252)
    at java.util.ArrayDeque.add(Ljava/lang/Object;)Z (ArrayDeque.java:423)
    at org.xnio.nio.WorkerThread.execute(Ljava/lang/Runnable;)V (WorkerThread.java:591)
    at io.undertow.protocols.ssl.SslConduit.runReadListener(Z)V (SslConduit.java:223)
    at io.undertow.protocols.ssl.SslConduit.access$1300(Lio/undertow/protocols/ssl/SslConduit;Z)V (SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady()V (SslConduit.java:1081)
    at io.undertow.protocols.ssl.SslConduit$1.run()V (SslConduit.java:229)
    at org.xnio.nio.WorkerThread.safeRun(Ljava/lang/Runnable;)V (WorkerThread.java:580)
    at org.xnio.nio.WorkerThread.run()V (WorkerThread.java:464)

Which seems related to this bug: https://stackoverflow.com/questions/43661909/keycloak-1-9-4-using-custom-federation-running-out-off-memory

The dev in that situation put Apache in front of Keycloak to handle the SSL and that seemed to resolve the issue. We'd prefer not to do this.

Following this SO post to the mailing list thread: http://lists.jboss.org/pipermail/keycloak-user/2016-June/006771.html

There was some interest in the bug but it was then abandoned.

Now, we are running an older version of Keycloak, 3.1.0.Final. But I looked through all the change logs from 3.1.0.Final to 4.5.0.Final as well as all the Jira issues between those two versions that have to do with SSL, and found no fixes for this issue.

Is this a problem that is on the radar of the Keycloak devs? Is this the sort of bugfix that would only be in RH SSO?
Thanks,
Jason

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedImage.png
Type: image/png
Size: 52981 bytes
Desc: pastedImage.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181026/af2e0bf7/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedImage.png
Type: image/png
Size: 45477 bytes
Desc: pastedImage.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181026/af2e0bf7/attachment-0003.png

From aechols at bfcsaz.com Fri Oct 26 18:35:01 2018
From: aechols at bfcsaz.com (Aaron Echols)
Date: Fri, 26 Oct 2018 15:35:01 -0700
Subject: [keycloak-user] Account Page Fields
Message-ID:

Hello All,

How hard is it to modify or add fields that could be modified in the user's account page? It would be nice to add a personal email field to be able to send their password reset email to. Currently, they can only send to their employee addresses, which, if they forget their password, makes the email a moot point. Thanks in advance for any ideas. :)

--
*Aaron Echols*

From andreas.lau at outlook.com Sat Oct 27 03:21:33 2018
From: andreas.lau at outlook.com (Andreas Lau)
Date: Sat, 27 Oct 2018 07:21:33 +0000
Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
In-Reply-To:
References:
Message-ID:

Hey guys,

sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible. So we desperately ask for your help.

On 24 October 2018 17:16:23 CEST, Andreas Lau wrote:

Hello,

we deployed a JSF PrimeFaces application on a JBoss EAP 7.0 system. We have to support multiple clients using multi tenancy.
We followed the instructions of the documentation [1] to build up a custom KeycloakConfigResolver. We configured the web.xml like this:

[web.xml]
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>portal</web-resource-name>
            <url-pattern>/portal/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>public</web-resource-name>
            <url-pattern>/portal/pages/willkommen.jsf</url-pattern>
            <url-pattern>/portal/pages/logout.jsf</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    ...
    <context-param>
        <param-name>keycloak.config.resolver</param-name>
        <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
    </context-param>
    ...

As you can see, everything under portal is restricted, with two exceptions. The code of MandantBasedKeycloakConfigResolver is straightforward and adapted from the example code [2]. In our example we consider that the URL has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".

After deployment I realized that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out, the KeycloakConfigResolver.resolve() method is called for every resource that is loaded through GET requests to display the site. I did not expect that many invocations, since the resources are not protected.

Can you please tell me if this behaviour is correct? What is my error in adopting the multi tenancy sample? How can we prevent/work around that many calls?

While researching I found a Jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. There they use Keycloak to secure a Spring Boot application and have trouble when an SSO redirection occurs.
Regards, Andreas [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy [2] public KeycloakDeployment resolve(HttpFacade.Request request) { LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++); final String mandantId = request.getFirstParam("kId"); LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId); LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI()); if (mandantId == null || mandantId.isEmpty()) { // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!"); return null; } KeycloakDeployment deployment = cache.get(mandantId); if (deployment == null) { String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId); InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename); if (is == null) { // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename); return null; } LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null)); deployment = KeycloakDeploymentBuilder.build(is); cache.put(mandantId, deployment); } return deployment; } [3] 17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) 
MandantBasedKeycloakConfigResolver.resolve() - counter:1 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen 17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<< 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - 
Parameter not found! at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] ....... 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! 
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ieugen at netdava.com Sat Oct 27 04:16:38 2018
From: ieugen at netdava.com (Ioan Eugen Stan)
Date: Sat, 27 Oct 2018 11:16:38 +0300
Subject: [keycloak-user] how to handle upgrade for Keycloak docker deployment
In-Reply-To:
Message-ID:

Hello,

Thank you Graham. I also upgrade from 4.0 up to 4.5 going through all the versions. Things seem to work ok but I asked because there is that chance of not being ok.
I've read the upgrade docs and they do mention those steps so I imagine that is not by accident. It would be great if the docs were enhanced to cover this case as well.

Thank you,
Eugen Stan
Netdava International

Original message
From: graham.burgess at razer.com
Sent: 26 October 2018 18:24
To: ieugen at netdava.com; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] how to handle upgrade for Keycloak docker deployment

I rolled from 4.4 to 4.5 without thinking about any steps. I am running the container using the Helm chart for Kubernetes with some addons for the database but nothing that seems to need anything special for upgrades.

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc.
Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment.
Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Eugen Stan
Sent: Friday, October 26, 2018 8:01 AM
To: keycloak-user
Subject: [keycloak-user] how to handle upgrade for Keycloak docker deployment

Hello,

What are the steps to upgrade a Keycloak Docker deployment? The steps in [upgrade-guide] are valid for normal deployments. Docker upgrades can simply be done by changing the version number. I know some steps are necessary. I also know that database migration can be handled by Keycloak automatically. What about the other steps?

TLDR: We are using keycloak to secure some of our services. We have deployed it via Docker, following the instructions on [keycloak-docker]. However, there is something that bugs me: How to do upgrades. I've read the [upgrade-guide] and the steps are:
- stopping the server
- run some script
- start the server (to do database migrations).

Our setup is simple, we have a single keycloak instance with PostgreSQL and no changes other than a custom theme.

[keycloak-docker] https://hub.docker.com/r/jboss/keycloak/
[upgrade-guide] https://www.keycloak.org/docs/4.5/upgrading/

Thanks,
Eugen

From huwmcnamara at msn.com Sat Oct 27 05:52:05 2018
From: huwmcnamara at msn.com (Huw McNamara)
Date: Sat, 27 Oct 2018 09:52:05 +0000
Subject: [keycloak-user] Refresh Token Becoming Stale because of User Not Before Date
Message-ID:

Hello,

I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online.
After turning on some trace logging I get the following stack trace: [0m09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185) at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ... Which, in the source code, seems to correspond with these lines: if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) { throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token"); } https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc405623617d3/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L184 My Offline Session Idle for the realm is set to 30 days which was definitely not breached. Can anyone tell me what the not before of the user is and how do I set its value? From dt at acutus.pro Sat Oct 27 23:21:22 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Sun, 28 Oct 2018 06:21:22 +0300 Subject: [keycloak-user] Keycloak OutOfMemoryError In-Reply-To: References: Message-ID: <1540696882.15921.1.camel@acutus.pro> Hello Jason, The problem seems to be in the SSL stack, which is not a part of Keycloak itself. Keycloak is built on top of Wildfly application server, and SSL is implemented by one of Wildfly components, namely Undertow. You seem to be hitting this bug: https://issues.jboss.org/browse/UNDERTOW-472 Though JIRA says that it should have been fixed in Undertow 1.3.10, the version shipped with Keycloak 3.1.0 still seems to be buggy (1.3.15). 
Either way, it is highly recommended that you upgrade to the recent Keycloak that uses up-to-date Wildfly (and therefore Undertow).

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-10-26 at 17:45 +0000, Jason Spittel wrote:
> Hello,
>
> We are currently experiencing an OutOfMemoryError / Memory Leak on our Keycloak servers. This occurs intermittently within a span of a few weeks to months between incidents. When it does happen, the entire server is brought down.
>
> It's a very small load, less than 3000 users, with default settings across the board. One of the keycloak servers is an identity broker, and the other is an IdP that points to the broker (behind the broker is our actual application).
>
> Looking at JVM logs, the memory is GC'ed regularly with no long term increase, then suddenly, over a period of 5 minutes, spikes to beyond what is allocated to the server (2GB).
>
> We ran the Eclipse Memory Analyser against the .hprof file and found this as the memory leak suspect:
>
> default I/O-4
>     at java.lang.OutOfMemoryError.()V (OutOfMemoryError.java:48)
>     at java.util.ArrayDeque.doubleCapacity()V (ArrayDeque.java:162)
>     at java.util.ArrayDeque.addLast(Ljava/lang/Object;)V (ArrayDeque.java:252)
>     at java.util.ArrayDeque.add(Ljava/lang/Object;)Z (ArrayDeque.java:423)
>     at org.xnio.nio.WorkerThread.execute(Ljava/lang/Runnable;)V (WorkerThread.java:591)
>     at io.undertow.protocols.ssl.SslConduit.runReadListener(Z)V (SslConduit.java:223)
>     at io.undertow.protocols.ssl.SslConduit.access$1300(Lio/undertow/protocols/ssl/SslConduit;Z)V (SslConduit.java:63)
>     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady()V (SslConduit.java:1081)
>     at io.undertow.protocols.ssl.SslConduit$1.run()V (SslConduit.java:229)
>     at org.xnio.nio.WorkerThread.safeRun(Ljava/lang/Runnable;)V (WorkerThread.java:580)
>     at org.xnio.nio.WorkerThread.run()V (WorkerThread.java:464)
>
> Which seems related to this bug:
>
> https://stackoverflow.com/questions/43661909/keycloak-1-9-4-using-custom-federation-running-out-off-memory
>
> The dev in that situation put Apache in front of keycloak to handle the SSL and seemed to resolve the issue. We'd prefer not to do this. Following this SO post to the mailing list thread:
>
> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006771.html
>
> There was some interest in the bug but it was then abandoned.
>
> Now, we are running an older version of Keycloak, 3.1.0.Final. But I looked through all the change logs from 3.1.0.Final to 4.5.0.Final as well as all the Jira Issues between those two versions that have to do with SSL, and found no fixes for this issue.
>
> Is this a problem that is on the radar of the Keycloak devs? Is this the sort of bugfix that would only be in RH SSO?
>
> Thanks,
>
> Jason

From hylton.peimer at datos-health.com Sun Oct 28 07:24:39 2018
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Sun, 28 Oct 2018 13:24:39 +0200
Subject: [keycloak-user] Temporarily Locked response from openid-connect
Message-ID:

We have a user that is Temporarily Locked due to incorrect password entry.

When attempting to get the access/refresh token from the openid-connect endpoint: /protocol/openid-connect/token with grant_type=password, we receive the following error message:

Http Status: 401

{
    "error": "invalid_grant",
    "error_description": "Invalid user credentials"
}

In a previous version we received a message that indicated the user was Locked.

Is there another way to get this information in response to token request?

From dt at acutus.pro Sun Oct 28 17:22:46 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 29 Oct 2018 00:22:46 +0300
Subject: [keycloak-user] Temporarily Locked response from openid-connect
In-Reply-To:
References:
Message-ID: <1540761766.2215.1.camel@acutus.pro>

Hello Hylton,

The change was intentional, see this: https://issues.jboss.org/browse/KEYCLOAK-5284

For Keycloak 3.4.1+, you can restore previous behavior by forking pre-3.4.1 ValidateUsername [1], deploying it as a custom authenticator and configuring your client's direct grant flow to use it. Please beware that by doing so you could potentially re-introduce the security issue addressed by KEYCLOAK-5284 (unless of course your client is confidential).
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/directgrant/ValidateUsername.java

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sun, 2018-10-28 at 13:24 +0200, Hylton Peimer wrote:
> We have a user that is Temporarily Locked due to incorrect password entry.
>
> When attempting to get the access/refresh token from the openid-connect
> endpoint: /protocol/openid-connect/token
> with grant_type=password, we receive the following error message:
>
> Http Status: 401
>
> {
>     "error": "invalid_grant",
>     "error_description": "Invalid user credentials"
> }
>
> In a previous version we received a message that indicated the user was
> Locked.
>
> Is there another way to get this information in response to token request?

From dt at acutus.pro Sun Oct 28 19:35:44 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 29 Oct 2018 02:35:44 +0300
Subject: [keycloak-user] Refresh Token Becoming Stale because of User Not Before Date
In-Reply-To:
References:
Message-ID: <1540769744.2215.3.camel@acutus.pro>

Hello Huw,

The "notBefore" user property is mapped to the NOT_BEFORE column of the USER_ENTITY table. If you have access to the DB, please check it. Most likely this value is non-zero for your user.

AFAIK there is no GUI option to set this directly. Upon user creation, the field is set to zero, and there are several scenarios that can lead to a non-zero value. It needs to be further investigated which one is the cause in your case.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-10-27 at 09:52 +0000, Huw McNamara wrote:
> Hello,
>
> I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online.
>
> After turning on some trace logging I get the following stack trace:
>
> [0m09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
> at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
> at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ...
>
> Which, in the source code, seems to correspond with these lines:
>
> if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
>     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
> }
>
> https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc405623617d3/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L184
>
> My Offline Session Idle for the realm is set to 30 days which was definitely not breached.
>
> Can anyone tell me what the not before of the user is and how do I set its value?
From Mattia.Bello at horsa.it Mon Oct 29 05:56:38 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Mon, 29 Oct 2018 09:56:38 +0000
Subject: [keycloak-user] R: Need to log in to all realms with unique admin users
In-Reply-To: <1540517344.26050.1.camel@acutus.pro>
References: <92E1246EF925084F978BEEDBCF3711F10275F19393@barcellona.horsa.local> ,<1540498062.5566.9.camel@acutus.pro> , <1540517344.26050.1.camel@acutus.pro>
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F19F7B@barcellona.horsa.local>

Dmitry,
the solution is acceptable. However, the documentation does not explain how to configure each non-master realm to do broker with master realm.
Please, could you support me in the steps to be taken:
1. Which identity provider should I choose? openID Connect or Keycloak OpenID Connect?
2. How do I configure it?
3. Where do I get information? (Authorization URL, token URL, ..)

Thank you.

Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 340 36 07 937
www.horsa.it

________________________________________
From: Dmitry Telegin [dt at acutus.pro]
Sent: Friday 26 October 2018 3.29
To: Mattia Bello; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users

Mattia,

Thanks for your explanation, the problem is clear now.

I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials. If you're ok with this additional step, this could be an easy solution.
[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker

Dmitry

On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> Sorry,
> I probably did not explain well.
> I have a client application that is accessible from all realms.
> I would like with a realm master user to be able to access the client application of each realm, without creating users on each realm.
> I tried this but when I log in to the client application with the user created in the realm master the log in fails because it says that the user does not exist.
> Reading the documentation it is explained that the users created in the realm master are used to manage the realm as admin, so you can create new realm and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in realms.
> Is it possible to access to clients of the various realms with the realm master users, without duplicating them in every realm, or not?
> Thank you
>
> Get Outlook for Android
>
>
> On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin"
wrote:
>
> > Hello Mattia, answers inline,
> >
> > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > We have this situation:
> > >
> > > master realm -> used to manage other realms
> > >
> > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > >
> > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > >
> > > we have to see all the retailers (realms), the companies (groups) and the users
> > >
> > > How can I do it?
> > >
> > > Can I create a master realm user and use it to access all the other realms?
> >
> > Yes you can. In fact, there is already such a user - it's admin that
> > you've created on the first run. If you want more users with such an
> > access in master realm, grant them "admin" realm role. If you look into
> > "admin" role details, you'll see that it automatically includes all the
> > client roles of *-realm clients, that's how it works under the hood.
> >
> > If you don't want to grant that powerful admin role, go to user -> Role
> > mappings and assign the necessary client roles from the *-realm
> > clients. The user will get access to the admin functions for that realm(s).
> >
> > >
> > > Or do I have to replicate the admin user in master realm into all other realm to use it to log in in that realm?
> >
> > This is possible too. Create a user in the target realm, go to Role
> > mappings and assign the necessary roles from the realm-management
> > client.
> >
> > Good luck,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > >
> > > Thank to all
> > >
> > >
> > > Mattia Bello
> > > Developer
> > >
> > > Horsa S.p.A.
> > > Via Cadorna, 67
> > > Vimodrone (MI)
> > > Mobile (+39) 340 36 07 937
> > > http://www.horsa.it

From msakho at redhat.com Mon Oct 29 07:03:44 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Mon, 29 Oct 2018 12:03:44 +0100
Subject: [keycloak-user] keycloak docker image clustering section is not working as expected
Message-ID:

Hello everyone,
There is a confusing section in the clustering [1] section of the keycloak docker image.
The documentation states that:

JGROUPS_DISCOVERY_PROPERTIES - an optional parameter with the discovery protocol properties in the following format: PROP1=FOO,PROP2=BAR

I can confirm that this parameter is not optional at all.
When I run the image with the JGROUPS_DISCOVERY_PROTOCOL environment variable set and without the JGROUPS_DISCOVERY_PROPERTIES set (since it's said to be optional), the container fails to start with the error message below:

10:50:11,999 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "jgroups"),
    ("channel" => "ee")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.jgroups.channel.ee " => "java.lang.IllegalArgumentException: dns_query can not be null or empty
    Caused by: java.lang.IllegalArgumentException: dns_query can not be null or empty"}}

Setting the JGROUPS_DISCOVERY_PROPERTIES environment variable fixes the error. So this is not an optional parameter.
[1] https://hub.docker.com/r/jboss/keycloak/

Regards,
Meissa

From jambo_mcd at yahoo.co.uk Mon Oct 29 07:56:25 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Mon, 29 Oct 2018 11:56:25 +0000 (UTC)
Subject: [keycloak-user] Keycloak realm certificates export and be passed to Knox?
In-Reply-To: <366471873.18450736.1539868880248@mail.yahoo.com>
References: <366471873.18450736.1539868880248.ref@mail.yahoo.com> <366471873.18450736.1539868880248@mail.yahoo.com>
Message-ID: <653502666.27637230.1540814185148@mail.yahoo.com>

Hi,

I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates. Knox is used to decrypt signed JWTs.

Is this something that can be achieved?

I have tried running kcadm to pull the certificate details however I am unable to provide only the cert details which I would then want to output into another file.

Examples of kcadm:

/opt/jboss/keycloak/bin/kcadm get keys --server --realm master --user --password -r

Regards,
Jamie

From arbiterofwhim at gmail.com Mon Oct 29 10:22:48 2018
From: arbiterofwhim at gmail.com (Riley Kohl)
Date: Mon, 29 Oct 2018 10:22:48 -0400
Subject: [keycloak-user] Request to post
Message-ID:

arbiterofwhim at gmail.com

From arbiterofwhim at gmail.com Mon Oct 29 10:37:59 2018
From: arbiterofwhim at gmail.com (arbiterfwhim)
Date: Mon, 29 Oct 2018 07:37:59 -0700 (MST)
Subject: [keycloak-user] LDAP user group membership not syncing
In-Reply-To:
References:
Message-ID: <1540823879795-0.post@n6.nabble.com>

Luiz Carlos wrote
> I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
> membership if I add or remove it from a group in LDAP.
> --
> Luiz Carlos

Bumping this. I'm currently using Keycloak 3.2.1 and am having similar issues with LDAP syncing. My main issue is that when a user is granted a new role on the LDAP side, that user (on the Keycloak side) doesn't get updated to have that role when running a full sync (manual or scheduled). In order to sync these changes I have to delete the user(s) and then run an LDAP sync. This re-adds the user(s), this time with their latest set of roles.

Unfortunately I haven't found any settings in the Keycloak admin console that can fix this. A solution would be greatly appreciated.

- Whim

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From max.allan+keycloak at surevine.com Mon Oct 29 10:41:35 2018
From: max.allan+keycloak at surevine.com (Max Allan)
Date: Mon, 29 Oct 2018 14:41:35 +0000
Subject: [keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!
In-Reply-To: <5B4D8CC9.3070707@nri.co.jp>
References: <5B4D8CC9.3070707@nri.co.jp>
Message-ID:

FYI, if you are using an ALB with Keycloak, AWS appear to have quietly fixed the B/b problem and it all works nicely out of the box now.
Problem solved.
Max

On Tue, 17 Jul 2018 at 07:29, Hiroyuki Wada wrote:
> Hi Max,
>
> I tried integrating AWS ELB and Keycloak one month ago
> and I encountered the same problem.
>
> Because AWS ELB doesn't follow the OAuth2 spec correctly,
> it rejects the token endpoint response from Keycloak.
> The response from Keycloak contains "token_type" as follows:
>
> "token_type":"bearer"
>
> But AWS ELB expects as follows:
>
> "token_type":"Bearer"
>
> OAuth2 spec says the value is case insensitive as below.
>
> https://tools.ietf.org/html/rfc6749#section-4.2.2
>
> > token_type
> > REQUIRED. The type of the token issued as described in
> > Section 7.1. Value is case insensitive.
>
> So, I think we need to wait until AWS fixes this issue...
>

From Pablo.Bravo at osudio.com Mon Oct 29 11:06:41 2018
From: Pablo.Bravo at osudio.com (Pablo Bravo)
Date: Mon, 29 Oct 2018 15:06:41 +0000
Subject: [keycloak-user] RV: How to force login (¿best practice?)
In-Reply-To:
References:
Message-ID:

Hi all,

We are currently implementing keycloak and we are facing an issue that we are not sure how best to solve.

We have different webapps making use of the sso and that's working fine. The problem we have is when we log in using the sso in one webapp and then we do the same in a different webapp. Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it). When clicking on "login", it automatically logs in the user (by making a redirection to keycloak and automatically logging in the user already logged in on the other webapp). This second login happens "transparently" to the user, since the redirection to keycloak is very fast and it's not noticeable. This behaviour is not very user friendly.

The question is: taking into account that this second webapp can't know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to always force users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak already knows them from other keycloak clients.

What's the best practice for this use case?

Thanks in advance!
Pablo

From jambo_mcd at yahoo.co.uk Mon Oct 29 11:34:37 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Mon, 29 Oct 2018 15:34:37 +0000 (UTC)
Subject: [keycloak-user] Keycloak realm certificates export
In-Reply-To: <653502666.27637230.1540814185148@mail.yahoo.com>
References: <366471873.18450736.1539868880248.ref@mail.yahoo.com> <366471873.18450736.1539868880248@mail.yahoo.com> <653502666.27637230.1540814185148@mail.yahoo.com>
Message-ID: <1868981234.27918435.1540827277989@mail.yahoo.com>

I have managed to obtain just the certificate using the below command in case anyone needs this in future

/opt/jboss/keycloak/bin/kcadm get keys --server --realm master --user --password -r | grep "certificate*"

Regards,
Jamie

On Monday, 29 October 2018, 11:56:25 GMT, Jamie McDowell wrote:

Hi,

I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates. Knox is used to decrypt signed JWTs.

Is this something that can be achieved?

I have tried running kcadm to pull the certificate details however I am unable to provide only the cert details which I would then want to output into another file.

Examples of kcadm:

/opt/jboss/keycloak/bin/kcadm get keys --server --realm master --user --password -r

Regards,
Jamie

From ronald.demneri at amdtia.com Mon Oct 29 11:35:32 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Mon, 29 Oct 2018 15:35:32 +0000
Subject: [keycloak-user] group mapper per client
Message-ID:

Hello everyone,

Please forgive me if this was already asked previously.
After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if the account is not a member of the app1 group in AD, then he should not be allowed to login. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.

Thanks in advance,
Ronald

From huwmcnamara at msn.com Mon Oct 29 16:26:29 2018
From: huwmcnamara at msn.com (Huw McNamara)
Date: Mon, 29 Oct 2018 20:26:29 +0000
Subject: [keycloak-user] Refresh Token Becoming Stale because of User Not Before Date
In-Reply-To: <1540769744.2215.3.camel@acutus.pro>
References: , <1540769744.2215.3.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Thanks for answering, you are correct. The user NOT_BEFORE is non-zero and is after the token was issued. After searching the code base it seems this value is set on logout, which makes sense.

Cheers,
Huw

________________________________
From: Dmitry Telegin
Sent: 28 October 2018 23:35 To: Huw McNamara; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Refresh Token Becoming Stale because of User Not Before Date Hello Huw, The "notBefore" user property is mapped to the NOT_BEFORE column of the USER_ENTITY table. If you have access to the DB, please check it. Most likely this value is non-zero for your user. AFAIK there is no GUI option to set this directly. Upon user creation, the field is set to zero, and there are several scenarios that can lead to a non-zero value. It needs to be further investigated which one is the cause in your case. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Sat, 2018-10-27 at 09:52 +0000, Huw McNamara wrote: > Hello, > > I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online. > > After turning on some trace logging I get the following stack trace: > > [0m09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ... 
>
> Which, in the source code, seems to correspond with these lines:
>
> if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
>     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
> }
>
> https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc405623617d3/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L184
>
> My Offline Session Idle for the realm is set to 30 days, which was definitely not breached.
>
> Can anyone tell me what the not before of the user is and how do I set its value?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Mon Oct 29 23:06:44 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 06:06:44 +0300
Subject: [keycloak-user] group mapper per client
In-Reply-To: 
References: 
Message-ID: <1540868804.2121.1.camel@acutus.pro>

Hello Ronald,

If there is a literal correspondence between your AD group names and client names (e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:
- make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
- create a JavaScript authenticator that would check the client name against the user's groups, and add it to your authentication flow.
If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.

If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:
- map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml);
- or map AD groups to Keycloak groups, enable authorization services and use a group policy (if your client adapter supports authorization, of course).

This, however, will need to be configured per client, unlike the first approach (configured once per realm).

Let me know if you need further explanations,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Please forgive me if this was already asked previously. After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients for users in the respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if an account is not a member of the app1 group in AD, then he should not be allowed to log in. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
>
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Mon Oct 29 23:13:13 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 06:13:13 +0300
Subject: [keycloak-user] Keycloak realm certificates export
In-Reply-To: <1868981234.27918435.1540827277989@mail.yahoo.com>
References: <366471873.18450736.1539868880248.ref@mail.yahoo.com> <366471873.18450736.1539868880248@mail.yahoo.com> <653502666.27637230.1540814185148@mail.yahoo.com> <1868981234.27918435.1540827277989@mail.yahoo.com>
Message-ID: <1540869193.2121.3.camel@acutus.pro>

Hello Jamie,

Just FYI, there is also a certificate endpoint that does not require authentication:
http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
(replace your server name, port and realm)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:34 +0000, Jamie McDowell wrote:
> I have managed to obtain just the certificate using the below command, in case anyone needs this in future
> /opt/jboss/keycloak/bin/kcadm get keys --server --realm master --user --password -r | grep "certificate*"
> Regards,
> Jamie
>
> On Monday, 29 October 2018, 11:56:25 GMT, Jamie McDowell wrote:
>
> Hi,
>
> I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox configuration would have to be updated with new corresponding certificates.
> Knox is used to decrypt signed JWTs.
> Is this something that can be achieved?
> I have tried running kcadm to pull the certificate details, however I am unable to provide only the cert details which I would then want to output into another file.
> Examples of kcadm
> /opt/jboss/keycloak/bin/kcadm get keys --server --realm master --user --password -r
> Regards,
> Jamie
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Tue Oct 30 00:18:32 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 07:18:32 +0300
Subject: [keycloak-user] R: Need to log in to all realms with unique admin users
In-Reply-To: <92E1246EF925084F978BEEDBCF3711F10275F1A095@barcellona.horsa.local>
References: <92E1246EF925084F978BEEDBCF3711F10275F1A095@barcellona.horsa.local>
Message-ID: <1540873112.2121.7.camel@acutus.pro>

Ciao Mattia,

Let's assume your realm (non-master) is named "foo". Here are the steps:

1. In admin console, go to master realm -> clients -> broker -> Credentials, copy the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following: http://localhost:8180/auth/realms/master/.well-known/openid-configuration and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like http://localhost:8180/auth/realms/foo/broker/master/endpoint);
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect URIs", click save.

After that, your users will be able to authenticate on non-master realms via the master realm. Upon the first successful login, the user will be presented with the Update Account Information form. If you want to bypass that, you can enable identity auto-linking.
For Keycloak 4.5.0, it's out of the box - just use the "Automatically Link Brokered Account" authenticator in your first broker login flow. For Keycloak <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote:
> Dmitry,
>
> I found that information in master realm settings -> OpenID Endpoint Configuration link:
>
> {"issuer":"http://localhost:8180/auth/realms/master",
> "authorization_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
> "token_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
> "token_introspection_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token/introspect",
> "userinfo_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
> "end_session_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
> "jwks_uri":"http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
> "check_session_iframe":"http://localhost:8180/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
> "grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
> "response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
> "subject_types_supported":["public","pairwise"],
> "id_token_signing_alg_values_supported":["RS256"],
> "userinfo_signing_alg_values_supported":["RS256"],
> "request_object_signing_alg_values_supported":["none","RS256"],
> "response_modes_supported":["query","fragment","form_post"],
> "registration_endpoint":"http://localhost:8180/auth/realms/master/clients-registrations/openid-connect",
> "token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],
> "token_endpoint_auth_signing_alg_values_supported":["RS256"],
> "claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],
> "claim_types_supported":["normal"],
> "claims_parameter_supported":false,
> "scopes_supported":["openid","address","email","offline_access","phone","profile"],
> "request_parameter_supported":true,
> "request_uri_parameter_supported":true,
> "code_challenge_methods_supported":["plain","S256"],
> "tls_client_certificate_bound_access_tokens":true
> }
>
> I used it to fill in the form, as you can see from the image attached.
>
> But, when I click on the TECNICO link in the login form, the Keycloak page returns this message:
>
> We're sorry...
> Invalid parameter: redirect_uri
>
> Back to Application
>
> and the server logs are:
>
> 15:57:09,193 WARN  [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint
>
> What am I doing wrong?
>
> Thank you
>
> Sent from Mail for Windows 10
>
> From: Dmitry Telegin
> Sent: Friday, 26 October 2018 03:29
> To: Mattia Bello; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users
>
> Mattia,
>
> Thanks for your explanation, the problem is clear now.
>
> I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials.
>
> If you're ok with this additional step, this could be an easy solution.
>
> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker
>
> Dmitry
>
> On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> > Sorry,
> > I probably did not explain well.
> > I have a client application that is accessible from all realms.
> > I would like, with a realm master user, to be able to access the client application of each realm, without creating users on each realm.
> > I tried this but when I log in to the client application with the user created in the realm master the login fails because it says that the user does not exist.
> > Reading the documentation it is explained that the users created in the realm master are used to manage the realm as admin, so you can create new realms and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in realms.
> > Is it possible to access clients of the various realms with the realm master users, without duplicating them in every realm, or not?
> > Thank you
> >
> > Get Outlook for Android
> >
> >
> >
> > On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" wrote:
> >
> > > Hello Mattia, answers inline,
> > >
> > > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > > We have this situation:
> > > >
> > > > master realm -> used to manage other realms
> > > >
> > > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > > >
> > > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > > >
> > > > we have to see all the retailers (realms), the companies (groups) and the users
> > > >
> > > > How can I do it?
> > > >
> > > > Can I create a master realm user and use it to access all the other realms?
> > >
> > > Yes you can. In fact, there is already such a user - it's the admin that you've created on the first run. If you want more users with such access in the master realm, grant them the "admin" realm role. If you look into the "admin" role details, you'll see that it automatically includes all the client roles of the *-realm clients, that's how it works under the hood.
> > >
> > > If you don't want to grant that powerful admin role, go to user -> Role mappings and assign the necessary client roles from the *-realm clients. The user will get access to the admin functions for that realm(s).
> > >
> > > > Or do I have to replicate the admin user in the master realm into all other realms to use it to log in to that realm?
> > >
> > > This is possible too. Create a user in the target realm, go to Role mappings and assign the necessary roles from the realm-management client.
> > >
> > > Good luck,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > > Thanks to all
> > > >
> > > > Mattia Bello
> > > > Developer
> > > >
> > > > Horsa S.p.A.
> > > > Via Cadorna, 67
> > > > Vimodrone (MI)
> > > > Mobile (+39) 340 36 07 937
> > > > http://www.horsa.it
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Tue Oct 30 00:32:37 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 07:32:37 +0300
Subject: [keycloak-user] RV: How to force login (¿best practice?)
In-Reply-To: 
References: 
Message-ID: <1540873957.2121.9.camel@acutus.pro>

Hello Pablo,

It's a bit unusual to hear people asking how to *disable* SSO :) but here you go:

1. in admin console, go to Authentication;
2. make a copy of Browser flow;
3. in this new flow, disable or delete Cookie;
4. go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save.

After that, the client will always prompt for authentication, regardless of the previous login state.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:06 +0000, Pablo Bravo wrote:
> Hi all,
>
> We are currently implementing Keycloak and we are facing an issue that we are not sure what's the best way to solve.
>
> We have different webapps making use of the SSO and that's working fine. The problem we have is when we log in using the SSO in one webapp and then we do the same in a different webapp.
>
> Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it).
> When clicking on "login", it automatically logs in the user (by making a redirection to Keycloak and automatically logging in the user already logged in to the other webapp). This second login happens "transparently" to the user, since the redirection to Keycloak is very fast and it's not noticeable. This behaviour is not very user friendly.
>
> The question is: taking into account that this second webapp can't know upfront which user is accessing the site (unless actively redirecting to Keycloak), is it possible to always force the users to log in for a specific Keycloak client? By this I mean actually ask the visitor for user/pw even if Keycloak already knows them from other Keycloak clients.
>
> What's the best practice for this use case?
>
> Thanks in advance!
>
> Pablo
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Tue Oct 30 00:41:30 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 07:41:30 +0300
Subject: [keycloak-user] LDAP user group membership not syncing
In-Reply-To: <1540823879795-0.post@n6.nabble.com>
References: <1540823879795-0.post@n6.nabble.com>
Message-ID: <1540874490.2121.11.camel@acutus.pro>

Hi,

Could you please test it with the recent version of Keycloak? Since 3.x, quite a lot has been done on user federation in general and LDAP in particular.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 07:37 -0700, arbiterfwhim wrote:
> Luiz Carlos wrote
> > I'm trying to sync the LDAP groups into Keycloak but it doesn't update the membership if I add or remove it from a group in LDAP.
> > --
> > Luiz Carlos
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at .jboss
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> Bumping this. I'm currently using Keycloak 3.2.1 and am having similar issues with LDAP syncing. My main issue is that when a user is granted a new role on the LDAP side, that user (on the Keycloak side) doesn't get updated to have that role when running a full sync (manual or scheduled).
>
> In order to sync these changes I have to delete the user(s) and then run an LDAP sync. This re-adds the user(s), this time with their latest set of roles. Unfortunately I haven't found any settings in the Keycloak admin console that can fix this. A solution would be greatly appreciated.
>
> - Whim
>
>
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bojan.milosavljevic95 at gmail.com  Tue Oct 30 00:45:39 2018
From: bojan.milosavljevic95 at gmail.com (Bojan Milosavljević)
Date: Tue, 30 Oct 2018 05:45:39 +0100
Subject: [keycloak-user] Installation and configuration dilemmas
Message-ID: 

Hello,

With respect, I'll get straight to the point - I installed Keycloak on a remote machine, where I have a PostgreSQL database which I want to secure with Keycloak. However, I have 2 doubts.

1) Does Keycloak (4.5.0) require to be used with a WildFly server in order to be able to properly secure applications (I will connect to the db using Android and iOS apps)? Because AeroGear has tutorials, but with the 1.1.0 version of Keycloak, where WildFly is necessary to secure the application.

2) As far as I've understood, I need to have some sort of back-end service which will be used to unpack and test permissions written on tokens (cause I don't see how I can use only Keycloak to access the db through it?) and that back-end will take care of db access and Keycloak is only used as token provider, as far as I can tell? Am I wrong? If so, how can I use Keycloak to properly secure this db and access it through, say, an Android app?

Thank you in advance,
Bojan Milosavljevic.

From dt at acutus.pro  Tue Oct 30 01:29:56 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 08:29:56 +0300
Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
In-Reply-To: 
References: 
Message-ID: <1540877396.3824.1.camel@acutus.pro>

Hello Andreas,

I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from resources not protected by web.xml security constraints. But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation). Even if there were code to determine whether the resolver should or should not kick in according to web.xml rules, that code would be more expensive, not to mention that it would break programmatic security.

If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly.

[1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm
[2] https://gatling.io/

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote:
> Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible.
> So we desperately ask for your help.
>
> On 24 October 2018 17:16:23 CEST, Andreas Lau wrote:
>
> Hello,
> we deployed a JSF PrimeFaces application on a JBoss EAP 7.0 system. We have to support multiple clients using multi-tenancy. We followed the instructions of the documentation [1] to build a CustomKeycloakConfigResolver.
> We configured the web.xml like this:
> [web.xml]
>
> ...
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>portal</web-resource-name>
>     <url-pattern>/portal/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>public</web-resource-name>
>     <url-pattern>/portal/pages/willkommen.jsf</url-pattern>
>     <url-pattern>/portal/pages/logout.jsf</url-pattern>
>   </web-resource-collection>
> </security-constraint>
>
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
> </login-config>
>
> <security-role>
>   <role-name>user</role-name>
> </security-role>
>
> ...
>
> <context-param>
>   <param-name>keycloak.config.resolver</param-name>
>   <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
> </context-param>
>
> ...
>
> As you can see, everything under portal is restricted with two exceptions. The code of MandantBasedKeycloakConfigResolver is straightforward and adapted from the example code [2]. In our example we consider that the URL has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
>
> After deployment I realized that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out, the KeycloakConfigResolver.resolve() method is called for every resource that is loaded through GET requests to display the site. I did not expect that many invocations, since the resources are not protected.
>
> Can you please tell me if this behaviour is correct? What is my error in adopting the multi-tenancy sample? How can we prevent/work around that many calls?
> While researching I found a JIRA https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use Keycloak to secure a Spring Boot application and have troubles when an SSO redirection occurs.
>
> Regards,
> Andreas
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
>
> [2] public KeycloakDeployment resolve(HttpFacade.Request request) {
>
>         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
>         final String mandantId = request.getFirstParam("kId");
>         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
>         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
>
>         if (mandantId == null || mandantId.isEmpty()) {
>             // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
>             return null;
>         }
>
>         KeycloakDeployment deployment = cache.get(mandantId);
>         if (deployment == null) {
>
>             String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
>
>             InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
>             if (is == null) {
>                 // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
>                 return null;
>             }
>             LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
>
>             deployment = KeycloakDeploymentBuilder.build(is);
>             cache.put(mandantId, deployment);
>         }
>
>         return deployment;
>     }
>
> [3]
> 17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
> 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> 17:28:50,933 INFO  [stdout] (default task-4) INIT Willkommen
> 17:28:50,933 INFO  [stdout] (default task-4) initialized mandant <<<<<<<<<<<<<
>
> 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
> 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
> 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
> 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
> at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
> at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
>
> .......
>
> 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
> 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
> 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
> 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
> at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
> at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
> ________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Tue Oct 30 01:52:44 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 30 Oct 2018 08:52:44 +0300
Subject: [keycloak-user] Account Page Fields
In-Reply-To: 
References: 
Message-ID: <1540878764.3824.3.camel@acutus.pro>

Hello Aaron,

I don't think this is easily doable with the current account UI. However, there are chances we will have it in the forthcoming rewrite thereof [1]. The revamped account UI should use REST APIs and be extensible by means of React.js.

This topic is of particular interest to me, as we in Mageia Linux are planning to migrate our IDM to Keycloak, and one of the problems to solve is to allow the users to upload their SSH pubkeys via the account UI. We're pretty determined to solve it, and to solve it soon, so stay tuned :)

[1] https://issues.jboss.org/browse/KEYCLOAK-8421

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-10-26 at 15:35 -0700, Aaron Echols wrote:
> Hello All,
>
> How hard is it to modify or add fields that could be modified in the user's account page? It would be nice to add a personal email field to be able to send their password reset email to. Currently, they can only send to their employee addresses, which, if they forget their password, makes the email a moot point. Thanks in advance for any ideas. :)
> --
> *Aaron Echols*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jbo ss.org/mailman/listinfo/keycloak-user

From vagelis.savvas at gmail.com  Tue Oct 30 03:19:13 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Tue, 30 Oct 2018 09:19:13 +0200
Subject: [keycloak-user] Multitenant KeycloakConfigResolver
Message-ID: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com>

Hello,

in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to protect I would like some URLs to not be secured. So I would like my custom KeycloakConfigResolver implementation to not be called when those URLs are hit, but it is.

The reason I don't want my KeycloakConfigResolver to be called is simply because I have no clue as to what to return in that case: it's a non-secured REST endpoint, so a Keycloak realm doesn't make sense in my understanding.

My setup follows the docs: I've installed the adapter for Wildfly and the web.xml has the necessary setup for not securing some URLs (no auth-constraint for those URLs). Also in jboss-web.xml the security-domain element isn't defined, although I don't know if that plays any role. My final goal is to have some URLs secured by using the JBoss-specific @SecurityDomain and the standard @RolesAllowed etc. annotations.

Can you please shed some light on this matter? I'd greatly appreciate any detailed explanation of the mechanisms involved in this area.

Cheers,
Vagelis

From devops at tromsso.com  Tue Oct 30 03:49:25 2018
From: devops at tromsso.com (DevOps - Tromsso)
Date: Tue, 30 Oct 2018 16:49:25 +0900
Subject: [keycloak-user] Keycloak as a Service - Beta testers wanted
Message-ID: 

Hi all,

After successfully using Keycloak for a while now, a small group of engineers would like to see if there is space for Authentication-as-a-Service powered by Keycloak.
Our aim is to securely manage a Keycloak cluster where organisations can provision realms and be billed based on the number of active users per month. There are some limitations (we do not allow addition of SPI?s for security reasons) however we hope for most use cases this should be good enough. We have our initial project and are slowly adding beta users to play with our interface and provide us with feedback as we develop. **Production use is not recommended** but we will offer free unlimited usage during the Beta period and when moving to the production cluster provide the option to migrate users/realms as required. If anybody on this mailing list is interested please get in touch or sign up to be a Beta tester at our website below - we are happy to hear all feedback and answer questions moving forward. Many thanks, Team Tromsso https://tromsso.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181030/b6a29aab/attachment.bin From Pablo.Bravo at osudio.com Tue Oct 30 05:09:01 2018 From: Pablo.Bravo at osudio.com (Pablo Bravo) Date: Tue, 30 Oct 2018 09:09:01 +0000 Subject: [keycloak-user] =?utf-8?q?_RE=3A__RV=3A_How_to_force_login_=28?= =?utf-8?b?wr9iZXN0IHByYWN0aWNlPyk=?= In-Reply-To: <1540873957.2121.9.camel@acutus.pro> References: <1540873957.2121.9.camel@acutus.pro> Message-ID: Hi Dimitry, Thanks for answering! I'm trying to follow your steps, but on the last step, I can't seem to find the way to assign the new flow in the client, I can't find the "Authentication Flow Overrides" setting. We actually would like to not "disable" the SSO, if we could solve the following use case: Step 1 - User opens WEBAPP 1, logs in and starts using the webapp. 
Step 2 - User opens WEBAPP 2 on a different tab and he sees the "login" button because WEBAPP 2 knows nothing about this visitor at this point.
Step 3 - User clicks on the "login" button and automatically gets logged in without seeing any login screen (in the background the browser went to Keycloak, got the authentication OK and went back to WEBAPP 2).

How can we achieve that the user at the second step already gets logged in without having to actively click on login? This WEBAPP 2 is usable without login, so it shouldn't redirect all users to the login screen.

Thanks a lot for your help!

-----Original Message-----
From: Dmitry Telegin
Sent: Tuesday, 30 October 2018 5:33
To: Pablo Bravo ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] RV: How to force login (¿best practice?)

Hello Pablo,

It's a bit unusual to hear people asking for how to *disable* SSO :) but here you go:
1. in admin console, go to Authentication;
2. make a copy of Browser flow;
3. in this new flow, disable or delete Cookie;
4. go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save.

After that, the client will always prompt for authentication, despite the previous login state.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:06 +0000, Pablo Bravo wrote:
> Hi all,
>
> We are currently implementing Keycloak and we are facing an issue that we are not sure what's the best way to solve.
>
> We have different webapps making use of the SSO and that's working fine. The problem we have is when we log in using the SSO in one webapp and then we do the same in a different webapp.
>
> Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it). When clicking on "login", it automatically logs in the user (by making a redirection to Keycloak and automatically logging in the user already logged in to the other webapp). This second login happens "transparently" to the user, since the redirection to Keycloak is very fast and it's not noticeable. This behaviour is not very user friendly.
>
> The question is: taking into account that this second webapp can't know upfront which user is accessing the site (unless actively redirecting to Keycloak), is it possible to always force the users to log in for a specific Keycloak client? By this I mean actually ask the visitor for user/pw even if Keycloak already knows them from other Keycloak clients.
>
> What's the best practice for this use case?
>
> Thanks in advance!
>
> Pablo

From uo67113 at gmail.com Tue Oct 30 05:13:37 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Tue, 30 Oct 2018 10:13:37 +0100
Subject: [keycloak-user] RV: How to force login (¿best practice?)

Hello Pablo,

If you are using a SAML adapter you can set forceAuthentication="true" in your Service Provider configuration [1]: "SAML clients can request that a user is re-authenticated even if they are already logged in at the IdP."

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2

On Mon, 29 Oct 2018 at 16:07, Pablo Bravo () wrote:
> Hi all,
>
> We are currently implementing Keycloak and we are facing an issue that we
> are not sure what's the best way to solve.
>
> We have different webapps making use of the SSO and that's working fine.
> The problem we have is when we log in using the SSO in one webapp and
> then we do the same in a different webapp.
>
> Initially this second webapp does not know which user is coming (and it's
> not necessary to be logged in to make use of it). When clicking on "login",
> it automatically logs in the user (by making a redirection to Keycloak and
> automatically logging in the user already logged in to the other webapp). This
> second login happens "transparently" to the user, since the redirection
> to Keycloak is very fast and it's not noticeable. This behaviour is not
> very user friendly.
>
> The question is: taking into account that this second webapp can't know
> upfront which user is accessing the site (unless actively redirecting to
> Keycloak), is it possible to always force the users to log in for a
> specific Keycloak client? By this I mean actually ask the visitor for
> user/pw even if Keycloak already knows them from other Keycloak clients.
>
> What's the best practice for this use case?
>
> Thanks in advance!
>
> Pablo
>

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From vramik at redhat.com Tue Oct 30 06:24:57 2018
From: vramik at redhat.com (Vlasta Ramik)
Date: Tue, 30 Oct 2018 11:24:57 +0100
Subject: [keycloak-user] Multitenant KeycloakConfigResolver
In-Reply-To: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com>
References: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com>

Hello Vagelis,

KeycloakConfigResolver will always be called when the request is processed.

Can you check this example if it helps you? https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant

If not, feel free to contact me and hopefully I can help you set it up.

Regards,
Vlasta

On 10/30/18 8:19 AM, Vagelis Savvas wrote:
> Hello,
>
> in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to
> protect I would like some URLs
> to not be secured. So I would like my custom KeycloakConfigResolver
> implementation
> to not be called when those URLs are hit, but it is. The reason I don't
> want my KeycloakConfigResolver to be called is simply because
> I have no clue as to what to return in that case: it's a non-secured REST
> endpoint, so a Keycloak realm doesn't make sense in my understanding.
> My setup follows the docs: I've installed the adapter for Wildfly and
> the web.xml has the necessary setup for not securing some URLs (no
> auth-constraint for those URLs).
> Also in jboss-web.xml the security-domain element isn't defined,
> although I don't know if that plays any role.
> My final goal is to have some URLs secured by using the JBoss-specific
> @SecurityDomain and the standard @RolesAllowed etc. annotations.
> Can you please shed some light on this matter? I'd greatly appreciate
> any detailed explanation of the mechanisms involved in this area.
>
> Cheers,
> Vagelis

From msakho at redhat.com Tue Oct 30 06:55:47 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 30 Oct 2018 11:55:47 +0100
Subject: [keycloak-user] kubernetes discovery protocol for JGroups

Hello everyone,

Can someone tell me the difference between the dns.DNS_PING and kubernetes.KUBE_PING protocols that we could use to enable Keycloak clustering? It seems like both of them could be used in a Kubernetes environment, but I can't see any documentation clearly explaining the difference between them. I would like to know which one is relevant in an OpenShift environment and which one in a non-OpenShift environment. The official GitHub repo [1] does not say a lot about that.
[1] https://github.com/jgroups-extras/jgroups-kubernetes/

Regards,
Meissa

From Mattia.Bello at horsa.it Tue Oct 30 08:20:45 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Tue, 30 Oct 2018 12:20:45 +0000
Subject: [keycloak-user] R: R: Need to log in to all realms with unique admin users
In-Reply-To: <1540873112.2121.7.camel@acutus.pro>
References: <92E1246EF925084F978BEEDBCF3711F10275F1A095@barcellona.horsa.local>, <1540873112.2121.7.camel@acutus.pro>
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F1A39E@barcellona.horsa.local>

Dmitrij,

thanks for your detailed explanations, I followed them and managed to use the broker. However, I could not use "Automatically Link Brokered Account". I did not understand what I have to do to enable it.

First of all I increased the version of the project dependency and the Keycloak server to version 4.5.0, so as to have all the features available.

Here are my doubts after having said this solution:

1. If you are logged in to the realm master, via the admin console site, when you click on the broker's link to log in to the client application with a realm master user, the realm master login is not displayed, because the account that is logged in at that time is used. This implies the limitation of NOT using the admin console site and the client application simultaneously.

2. After logging in, using the broker's link on the client application, if I try to log out, the latter is done on the client application, but if I log in to the admin console site it detects my last login. It is as if NOT logged out by all clients (client application and site admin console).

3. Once logged in, using the broker's link on the client application, the user is duplicated from the realm master to the client application realm. So, I have a question: for the next accesses, will I always have to use the link or will I have to insert only username and password in the client application login form? Will any changes to the user on the realm master be automatically propagated to the duplicates on the other realms? In which cases, only when the broker link is used?

4. Is there not a way to share only the users' databases, without having to have fifteen duplications on the realms other than the master one? For example, as a User Federation.

5. Are there any other possible solutions? Or do you have any suggestion to propose?

Thank you

Mattia Bello
Developer

Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 340 36 07 937
www.horsa.it

________________________________________
From: Dmitry Telegin [dt at acutus.pro]
Sent: Tuesday, 30 October 2018 5:18
To: Mattia Bello; keycloak-user at lists.jboss.org
Subject: Re: R: [keycloak-user] Need to log in to all realms with unique admin users

Ciao Mattia,

Let's assume your realm (non-master) is named "foo". Here are the steps:
1. In admin console, go to master realm -> clients -> broker -> Credentials, copy the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following: http://localhost:8180/auth/realms/master/.well-known/openid-configuration and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like http://localhost:8180/auth/realms/foo/broker/master/endpoint);
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect URIs", click save.

After that, your users will be able to authenticate on non-master realms via the master realm. Upon the first successful login, the user will be presented with the Update Account Information form. If you want to bypass that, you can enable identity auto-linking. For Keycloak 4.5.0, it's out of the box - just use the "Automatically Link Brokered Account" authenticator in your first broker login flow. For Keycloak <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote:
> Dmitry,
>
> I found that information in master realm settings -> OpenID Endpoint Configuration link:
>
> {"issuer":"http://localhost:8180/auth/realms/master",
>  "authorization_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
>  "token_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
>  "token_introspection_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token/introspect",
>  "userinfo_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
>  "end_session_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
>  "jwks_uri":"http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
>  "check_session_iframe":"http://localhost:8180/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
>  "grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
>  "response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
>  "subject_types_supported":["public","pairwise"],
>  "id_token_signing_alg_values_supported":["RS256"],
>  "userinfo_signing_alg_values_supported":["RS256"],
>  "request_object_signing_alg_values_supported":["none","RS256"],
>  "response_modes_supported":["query","fragment","form_post"],
>  "registration_endpoint":"http://localhost:8180/auth/realms/master/clients-registrations/openid-connect",
>  "token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],
>  "token_endpoint_auth_signing_alg_values_supported":["RS256"],
>  "claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],
>  "claim_types_supported":["normal"],
>  "claims_parameter_supported":false,
>  "scopes_supported":["openid","address","email","offline_access","phone","profile"],
>  "request_parameter_supported":true,
>  "request_uri_parameter_supported":true,
>  "code_challenge_methods_supported":["plain","S256"],
>  "tls_client_certificate_bound_access_tokens":true
> }
>
> I used it to compile the form, as you can see from the image attached.
>
> But, when I click on the TECNICO link in the login form, the Keycloak page returns this message:
>
> We're sorry...
> Invalid parameter: redirect_uri
>
> Back to Application
>
> and server logs are:
>
> 15:57:09,193 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint
>
> What am I doing wrong?
>
> Thank you
>
> Sent from Mail for Windows 10
>
> From: Dmitry Telegin
> Sent: Friday, 26 October 2018 03:29
> To: Mattia Bello; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users
>
> Mattia,
>
> Thanks for your explanation, the problem is clear now.
>
> I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials.
>
> If you're ok with this additional step, this could be an easy solution.
>
> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker
>
> Dmitry
>
> On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> > Sorry,
> > I probably did not explain well.
> > I have a client application that is accessible from all realms.
> > I would like, with a realm master user, to be able to access the client application of each realm, without creating users on each realm.
> > I tried this, but when I log in to the client application with the user created in the realm master the login fails because it says that the user does not exist.
> > Reading the documentation it is explained that the users created in the realm master are used to manage the realm as admin, so you can create new realms and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in realms.
> > Is it possible to access clients of the various realms with the realm master users, without duplicating them in every realm, or not?
> > Thank you
> >
> > Get Outlook for Android
> >
> > On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" wrote:
> > > Hello Mattia, answers inline,
> > >
> > > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > > We have this situation:
> > > >
> > > > master realm -> used to manage other realms
> > > >
> > > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > > >
> > > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > > >
> > > > we have to see all the retailers (realms), the companies (groups) and the users
> > > >
> > > > How can I do it?
> > > >
> > > > Can I create a master realm user and use it to access all the other realms?
> > >
> > > Yes you can. In fact, there is already such a user - it's admin that
> > > you've created on the first run. If you want more users with such an
> > > access in master realm, grant them "admin" realm role. If you look into
> > > "admin" role details, you'll see that it automatically includes all the
> > > client roles of *-realm clients, that's how it works under the hood.
> > >
> > > If you don't want to grant that powerful admin role, go to user -> Role
> > > mappings and assign the necessary client roles from the *-realm
> > > clients. The user will get access to the admin functions for that realm(s).
> > >
> > > > Or do I have to replicate the admin user in master realm into all other realms to use it to log in to that realm?
> > >
> > > This is possible too. Create a user in the target realm, go to Role
> > > mappings and assign the necessary roles from the realm-management
> > > client.
> > >
> > > Good luck,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > > Thanks to all
> > > >
> > > > Mattia Bello
> > > > Developer
> > > >
> > > > Horsa S.p.A.
> > > > Via Cadorna, 67
> > > > Vimodrone (MI)
> > > > Mobile (+39) 340 36 07 937
> > > > http://www.horsa.it

From ndekefa at gmail.com Tue Oct 30 09:12:21 2018
From: ndekefa at gmail.com (Anselme Ndeke)
Date: Tue, 30 Oct 2018 14:12:21 +0100
Subject: [keycloak-user] configure adapter using only annotations (without web.xml)

Hello.

Is there a Java OIDC Keycloak adapter which I can configure using only annotations? For example @WebServlet and @RolesAllowed on Tomcat?

Regards,
Anselme

From uo67113 at gmail.com Tue Oct 30 10:24:18 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Tue, 30 Oct 2018 15:24:18 +0100
Subject: [keycloak-user] RV: How to force login (¿best practice?)
References: <1540873957.2121.9.camel@acutus.pro>

Hello Pablo,

From your last post description it looks like you want to check if the user is logged in or not. You can have a look at the Keycloak OpenID adapter doc [1]. It seems that OpenID implements a trick for doing it.

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-vs-saml

On Tue, 30 Oct 2018 at 10:16, Pablo Bravo () wrote:
> Hi Dmitry,
>
> Thanks for answering! I'm trying to follow your steps, but on the last
> step I can't seem to find the way to assign the new flow in the client; I
> can't find the "Authentication Flow Overrides" setting.
>
> We actually would like to not "disable" the SSO, if we could solve the
> following use case:
>
> Step 1 - User opens WEBAPP 1, logs in and starts using the webapp.
> Step 2 - User opens WEBAPP 2 on a different tab and he sees the "login"
> button because WEBAPP 2 knows nothing about this visitor at this point.
> Step 3 - User clicks on the "login" button and automatically gets logged in
> without seeing any login screen (in the background the browser went to
> Keycloak, got the authentication OK and went back to WEBAPP 2).
>
> How can we achieve that the user at the second step already gets logged in
> without having to actively click on login? This WEBAPP 2 is usable without
> login, so it shouldn't redirect all users to the login screen.
>
> Thanks a lot for your help!
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: Tuesday, 30 October 2018 5:33
> To: Pablo Bravo ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] RV: How to force login (¿best practice?)
>
> Hello Pablo,
>
> It's a bit unusual to hear people asking for how to *disable* SSO :) but
> here you go:
> 1. in admin console, go to Authentication;
> 2. make a copy of Browser flow;
> 3. in this new flow, disable or delete Cookie;
> 4. go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new
> flow, click Save.
>
> After that, the client will always prompt for authentication, despite the
> previous login state.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-10-29 at 15:06 +0000, Pablo Bravo wrote:
> > Hi all,
> >
> > We are currently implementing Keycloak and we are facing an issue that
> > we are not sure what's the best way to solve.
> >
> > We have different webapps making use of the SSO and that's working fine.
> > The problem we have is when we log in using the SSO in one webapp and
> > then we do the same in a different webapp.
> >
> > Initially this second webapp does not know which user is coming (and
> > it's not necessary to be logged in to make use of it). When clicking on
> > "login", it automatically logs in the user (by making a redirection to
> > Keycloak and automatically logging in the user already logged in to the other
> > webapp). This second login happens "transparently" to the user, since the
> > redirection to Keycloak is very fast and it's not noticeable. This
> > behaviour is not very user friendly.
> >
> > The question is: taking into account that this second webapp can't know
> > upfront which user is accessing the site (unless actively redirecting to
> > Keycloak), is it possible to always force the users to log in for a
> > specific Keycloak client? By this I mean actually ask the visitor for
> > user/pw even if Keycloak already knows them from other Keycloak clients.
> >
> > What's the best practice for this use case?
> >
> > Thanks in advance!
> >
> > Pablo

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From ronald.demneri at amdtia.com Tue Oct 30 10:44:02 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Tue, 30 Oct 2018 14:44:02 +0000
Subject: [keycloak-user] group mapper per client
In-Reply-To: <1540868804.2121.1.camel@acutus.pro>
References: <1540868804.2121.1.camel@acutus.pro>

Hello Dmitry,

Thanks for the advice. I'm trying to use something like in this post http://lists.jboss.org/pipermail/keycloak-user/2017-February/009713.html, but Keycloak throws an error regarding clientSession.client.clientId as follows:

2018-10-30 12:53:32,421 ERROR [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-1003) org.keycloak.scripting.ScriptExecutionException: Could not execute script 'script_check_groups' problem was: TypeError: Cannot read property "clientId" from undefined in at line number 30

What do I need to use not to receive this error and have the gn variable compare to the clientId?

Thanks in advance,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 30.Oct.2018 4:07 AM
To: Ronald Demneri ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] group mapper per client

Hello Ronald,

If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:
- make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
- create a Javascript authenticator that would check client name against user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.

If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:
- map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml);
- or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course). This, however, will need to be configured per each client, on the contrary to the first approach (configured once per realm).

Let me know if you need further explanations,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Please forgive me if this was already asked previously. After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way how to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if an account is not a member of the app1 group in AD, then he should not be allowed to log in. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
>
> Thanks in advance,
> Ronald

From ronald.demneri at amdtia.com Tue Oct 30 10:47:39 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Tue, 30 Oct 2018 14:47:39 +0000
Subject: [keycloak-user] group mapper per client
In-Reply-To: <1540868804.2121.1.camel@acutus.pro>
References: <1540868804.2121.1.camel@acutus.pro>

Almost forgot,

If I set a static group name to compare against (which is not our goal, but just for testing), it works correctly if the account is a member of that group. If the user is not a member, then it'll display an error like "Invalid username or password". Is it possible to modify the response in such cases, stating that the account is not a member of the required groups, or at least have it like "Invalid group membership"?

Looking forward to hearing from you!

Regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 30.Oct.2018 4:07 AM
To: Ronald Demneri ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] group mapper per client

Hello Ronald,

If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:
- make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
- create a Javascript authenticator that would check client name against user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.

If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:
- map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml);
- or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course). This, however, will need to be configured per each client, on the contrary to the first approach (configured once per realm).

Let me know if you need further explanations,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Please forgive me if this was already asked previously.
After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way how to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if the account is not a member of the app1 group in AD, then he should not be allowed to log in. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs. > > > Thanks in advance, > Ronald > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From graham.burgess at razer.com Tue Oct 30 11:43:37 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Tue, 30 Oct 2018 15:43:37 +0000 Subject: [keycloak-user] kubernetes discovery protocol for JGroups In-Reply-To: References: Message-ID: Meissa, I believe the difference is in how it gets the data about the instances in the cluster. DNS_PING obviously will use DNS; in a Kubernetes env you will want to set up a headless service for that so it gets all the IPs for all the instances. As for KUBE_PING, well that uses the Kubernetes API directly to determine the IPs of the instances. I run vanilla Kubernetes clusters so I don't know how the difference with OS will affect my beliefs. However, I would probably recommend just using DNS_PING and making sure that there is a headless service as well as a normal service for Keycloak. It would seem to be the more generic method for sure. Best regards, Graham Burgess RΛZΞR|stormmore Sr. DevOps Engineer (USA) Email: graham.burgess at razer.com DID: (415) 374 0639 Razer Inc. Stock Code: 1337.HK IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents.
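Worked example for the "group mapper per client" thread above, added by the editor; it is not the script Ronald ran and not code from Dmitry's reply. It assumes Keycloak 4.x, where the Script authenticator exposes the bindings "user", "realm", "session", "authenticationSession", "httpRequest", "LOG" and "script" as globals (the "clientSession" binding used by the 2017 post no longer exists in 4.x, which is what "Cannot read property clientId from undefined" points at), an AD-to-client naming convention of AD_group_<clientId>, and that LoginFormsProvider.setError(...) and createErrorPage(Response.Status) are available for the custom denial page Ronald asked about in his second message. The plain-object fallbacks for the Java types exist only so the same file can also be exercised under Node.

```javascript
// Keycloak "Script" authenticator (Nashorn, ES5 syntax): allow a login to
// client <clientId> only if the user is in the Keycloak group
// "AD_group_<clientId>" that group-ldap-mapper synced from AD.
//
// Bindings assumed from Keycloak 4.x ScriptBasedAuthenticator and visible as
// globals here: user, realm, session, authenticationSession, httpRequest,
// LOG, script. The 2.x "clientSession" binding no longer exists, which is
// why "Cannot read property clientId from undefined" appears.

var GROUP_PREFIX = "AD_group_";   // assumed AD-to-client naming convention

// Java types resolved inside Keycloak's JVM. The plain-object fallbacks exist
// only so this file can also be exercised under Node without a JVM.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { ACCESS_DENIED: "ACCESS_DENIED", INVALID_USER: "INVALID_USER" };
var ResponseStatus = (typeof Java !== "undefined")
    ? Java.type("javax.ws.rs.core.Response$Status")
    : { FORBIDDEN: 403 };

// Group a client requires, e.g. "AD_group_app1" for client "app1".
function requiredGroupFor(clientId) {
    return GROUP_PREFIX + clientId;
}

// Names of the groups the user is a direct member of. UserModel.getGroups()
// returns a java.util.Set<GroupModel>; toArray() makes it indexable here.
function groupNamesOf(userModel) {
    var names = [];
    var groups = userModel.getGroups().toArray();
    for (var i = 0; i < groups.length; i++) {
        names.push(String(groups[i].getName()));
    }
    return names;
}

// Pure decision: may a user holding these group names log in to clientId?
function isAllowed(groupNames, clientId) {
    var wanted = requiredGroupFor(clientId);
    for (var i = 0; i < groupNames.length; i++) {
        if (groupNames[i] === wanted) { return true; }
    }
    return false;
}

// Entry point Keycloak calls once the flow reaches this execution. Put it
// after "Username Password Form" so "user" is already resolved.
function authenticate(context) {
    if (!user) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    // 4.x: the client being logged in to comes from the authentication session.
    var clientId = String(authenticationSession.getClient().getClientId());
    if (isAllowed(groupNamesOf(user), clientId)) {
        context.success();
        return;
    }
    LOG.warn(script.name + ": " + user.getUsername() +
             " is not a member of " + requiredGroupFor(clientId));
    // Specific denial page instead of the generic "Invalid username or
    // password": failure(error, Response) lets the script supply its own
    // response (assumes LoginFormsProvider.setError/createErrorPage(Status)).
    context.failure(AuthenticationFlowError.ACCESS_DENIED,
        context.form()
               .setError("Your account is not a member of the group required for this application.")
               .createErrorPage(ResponseStatus.FORBIDDEN));
}
```

Add it as a Script execution to a copy of the Browser flow, after Username Password Form, mark it REQUIRED and bind the copy as the realm's browser flow. Because the check reads the client from the authentication session on every login, one execution covers every client in the realm, which is the "configured once per realm" property Dmitry describes; the denial is written through LOG and the failed attempt should show up as a LOGIN_ERROR event in the admin console's Events tab.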
Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Meissa M'baye Sakho Sent: Tuesday, October 30, 2018 3:56 AM To: keycloak-user Subject: [keycloak-user] kubernetes discovery protocol for JGroups Hello everyone, Can someone tell me the difference between the dns.DNS_PING and kubernetes.KUBE_PING protocols that we could use to enable Keycloak clustering? It seems like both of them could be used in a Kubernetes environment but I can't see documentation clearly explaining the difference between them. I would like to know which one is relevant in an OpenShift environment and which one in a non-OpenShift environment. The official GitHub repo [1] does not say a lot about that? [1]=https://github.com/jgroups-extras/jgroups-kubernetes/ Regards, Meissa _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From msakho at redhat.com Tue Oct 30 12:05:23 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Tue, 30 Oct 2018 17:05:23 +0100 Subject: [keycloak-user] kubernetes discovery protocol for JGroups In-Reply-To: References: Message-ID: Thank you Graham. In my case, it's working with DNS_PING, but I wanted to know the options I had with that option. Meissa On Tue, 30 Oct 2018 at 16:58, Graham Burgess wrote: > Meissa, > > I believe the difference is in how it gets the data about the instances in > the cluster.
DNS_PING obviously will use DNS; in a Kubernetes env you will > want to set up a headless service for that so it gets all the IPs for all > the instances. As for KUBE_PING, well that uses the Kubernetes API directly > to determine the IPs of the instances. > > I run vanilla Kubernetes clusters so I don't know how the difference with > OS will affect my beliefs. However, I would probably recommend just using > DNS_PING and making sure that there is a headless service as well as a > normal service for Keycloak. It would seem to be the more generic method > for sure. > > Best regards, > Graham Burgess > RΛZΞR|stormmore > Sr. DevOps Engineer (USA) > Email: graham.burgess at razer.com > DID: (415) 374 0639 > Razer Inc. Stock Code: 1337.HK > IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or > otherwise protected from disclosure. If you are not an intended recipient, > do not copy, distribute or use its contents. Do inform the sender that you > have received the message in error and delete it from your system. E-mails > are not secure and may suffer errors, computer viruses, delay, interception > and amendment. Razer accepts neither risk nor liability for any damage or > loss caused by this e-mail. To the extent permitted by applicable law, > Razer reserves the right to retain, monitor and intercept e-mails to and > from its systems. > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> On Behalf Of Meissa M'baye Sakho > Sent: Tuesday, October 30, 2018 3:56 AM > To: keycloak-user > Subject: [keycloak-user] kubernetes discovery protocol for JGroups > > Hello everyone, > Can someone tell me the difference between the dns.DNS_PING and > kubernetes.KUBE_PING protocols that we could use to enable Keycloak > clustering? > It seems like both of them could be used in a Kubernetes environment but I > can't see documentation clearly explaining the difference between them.
> I would like to know which one is relevant in an OpenShift environment > and which one in a non-OpenShift environment. > The official GitHub repo [1] does not say a lot about that? > [1]=https://github.com/jgroups-extras/jgroups-kubernetes/ > Regards, > Meissa > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From msakho at redhat.com Tue Oct 30 12:12:13 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Tue, 30 Oct 2018 17:12:13 +0100 Subject: [keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable Message-ID: Hello everyone, I'm using the jboss/keycloak:4.5.0.Final docker image. I'm trying to set up mutual TLS by using the X509_CA_BUNDLE environment variable as explained in the jboss/keycloak docker image documentation. I've mounted a volume to the image pointing to the cert file and defined the env variable. I'm running the image with the following command:

docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
    -e PROXY_ADDRESS_FORWARDING=true \
    -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
    -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
    -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
    -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
    -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
    jboss/keycloak:4.5.0.Final

When the container starts, I've checked that the cert has been correctly mounted to the expected folder /var/run/secrets. But I see in the log that the certificate import fails (extract below):

Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
Creating Keycloak truststore..
Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}

I've checked in the script that handles the TLS import [1], but I'm not able to guess why the import is failing. The following extract is the part of the script that the image uses to import the cert.

# Import existing system CA certificates into the newly generated truststore
local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
  echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
  keytool -importkeystore -noprompt \
    -srckeystore "${SYSTEM_CACERTS}" \
    -destkeystore "${JKS_TRUSTSTORE_PATH}" \
    -srcstoretype jks -deststoretype jks \
    -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
  if [ "$?" -ne "0" ]; then
    echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
  else
    echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
  fi

Any advice?
[1]= https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh Meissa From Mattia.Bello at horsa.it Tue Oct 30 13:44:47 2018 From: Mattia.Bello at horsa.it (Mattia Bello) Date: Tue, 30 Oct 2018 17:44:47 +0000 Subject: [keycloak-user] R: R: Need to log in to all realms with unique admin users In-Reply-To: <92E1246EF925084F978BEEDBCF3711F10275F1A39E@barcellona.horsa.local> References: <92E1246EF925084F978BEEDBCF3711F10275F1A095@barcellona.horsa.local>, <1540873112.2121.7.camel@acutus.pro>, <92E1246EF925084F978BEEDBCF3711F10275F1A39E@barcellona.horsa.local> Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F1A484@barcellona.horsa.local> Dmitrij, I'm continuing the tests to evaluate the solution, and I have a question: I used identity broker mappers to assign special roles to users from the realm master. However, on the realm master, I have two types of users, technicians and external technicians. Is it possible to choose a different role based on the fact that the user belongs to a different group (technicians group and external technicians group)? I tried using the External Role to Role mapper type but I do not understand how to do it. Obviously, using the Hardcoded Role mapper type I can create roles for users, but I cannot distinguish the two different types. Thanks for the help :) Mattia Bello Developer Horsa S.p.A. Via Cadorna, 67 Vimodrone (MI) Mobile (+39) 340 36 07 937 www.horsa.it ________________________________________ From: Mattia Bello Sent: Tuesday 30 October 2018 13:20 To: Dmitry Telegin; keycloak-user at lists.jboss.org Subject: R: R: [keycloak-user] Need to log in to all realms with unique admin users Dmitrij, thanks for your detailed explanations, I followed them and managed to use the broker. However, I could not use "Automatically Link Brokered Account". I did not understand what I have to do to enable it.
First of all I increased the version of the project dependency and the Keycloak server to version 4.5.0, so as to have all the features available. Having said this, here are my doubts about this solution:
1. If you are logged in to the realm master via the admin console site, when you click on the broker's link to log in to the client application with a realm master user, the realm master login is not displayed, because the account that is logged in at that time is used. This implies the limitation of NOT using the admin console site and the client application simultaneously.
2. After logging in using the broker's link on the client application, if I try to log out, the latter is done on the client application, but if I log in to the admin console site it detects my last login. It is as if I am NOT logged out of all clients (client application and admin console site).
3. Once logged in using the broker's link on the client application, the user is duplicated from the realm master to the client application realm. So, I have a question: for the next accesses, will I always have to use the link, or will I have to insert only username and password in the client application login form? Will any changes to the user on the realm master be automatically propagated to the duplicates on the other realms? In which cases, only when the broker link is used?
4. Is there not a way to share only the users' database, without having to have fifteen duplications on the realms other than the master one? For example, as a User Federation.
5. Are there any other possible solutions? Or do you have any suggestion to propose?
Thank you Mattia Bello Developer Horsa S.p.A. Via Cadorna, 67 Vimodrone (MI) Mobile (+39) 340 36 07 937 www.horsa.it ________________________________________ From: Dmitry Telegin [dt at acutus.pro] Sent: Tuesday 30 October 2018 05:18 To: Mattia Bello; keycloak-user at lists.jboss.org Subject: Re: R: [keycloak-user] Need to log in to all realms with unique admin users Ciao Mattia, Let's assume your realm (non-master) is named "foo". Here are the steps:
1. In admin console, go to master realm -> clients -> broker -> Credentials, copy the secret;
2. go to foo realm -> Identity Providers, add Keycloak OpenID Connect provider, give it an alias (like "master");
3. set Client ID to "broker" (w/o quotes) and paste the Client Secret;
4. scroll down to "Import from URL", paste the following: http://localhost:8180/auth/realms/master/.well-known/openid-configuration and click Import. The necessary fields will be filled in automatically;
5. scroll up, copy Redirect URI (should be like http://localhost:8180/auth/realms/foo/broker/master/endpoint );
6. go to master realm -> clients -> broker, paste the URI to "Valid Redirect URIs", click save.
After that, your users will be able to authenticate on non-master realms via the master realm. Upon the first successful login, the user will be presented with the Update Account Information form. If you want to bypass that, you can enable identity auto-linking. For Keycloak 4.5.0, it's out of the box - just use the "Automatically Link Brokered Account" authenticator in your first broker login flow. For Keycloak <4.5.0, you can use this: https://github.com/ohioit/keycloak-link-idp-with-user Good luck! Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-10-29 at 15:09 +0000, Mattia Bello wrote: > Dmitry, > > I found that information in master realm settings -> OpenID Endpoint Configuration link: > >
> {"issuer":"http://localhost:8180/auth/realms/master",
> "authorization_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/auth",
> "token_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token",
> "token_introspection_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/token/introspect",
> "userinfo_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/userinfo",
> "end_session_endpoint":"http://localhost:8180/auth/realms/master/protocol/openid-connect/logout",
> "jwks_uri":"http://localhost:8180/auth/realms/master/protocol/openid-connect/certs",
> "check_session_iframe":"http://localhost:8180/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
> "grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
> "response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
> "subject_types_supported":["public","pairwise"],
> "id_token_signing_alg_values_supported":["RS256"],
> "userinfo_signing_alg_values_supported":["RS256"],
> "request_object_signing_alg_values_supported":["none","RS256"],
> "response_modes_supported":["query","fragment","form_post"],
> "registration_endpoint":"http://localhost:8180/auth/realms/master/clients-registrations/openid-connect",
> "token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],
> "token_endpoint_auth_signing_alg_values_supported":["RS256"],
> "claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],
> "claim_types_supported":["normal"],
> "claims_parameter_supported":false,
> "scopes_supported":["openid","address","email","offline_access","phone","profile"],
> "request_parameter_supported":true,
> "request_uri_parameter_supported":true,
> "code_challenge_methods_supported":["plain","S256"],
> "tls_client_certificate_bound_access_tokens":true
> }
> > I used it to fill in the form, as you can see from the image attached. > > But, when I click on the TECNICO link in the login form, the Keycloak page returns this message: > > We're sorry... > Invalid parameter: redirect_uri > > « Back to Application > > and the server logs are: > > 15:57:09,193 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=master, clientId=risolvo-app, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8180/auth/realms/default/broker/master-oidc/endpoint > > What am I doing wrong? > > Thank you > > Sent from Mail for Windows 10 > > From: Dmitry Telegin > Sent: Friday 26 October 2018 03:29 > To: Mattia Bello; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users > > Mattia, > > Thanks for your explanation, the problem is clear now. > > I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials. > > If you're ok with this additional step, this could be an easy solution. > > [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker > > Dmitry > > On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote: > > Sorry, > > I probably did not explain well. > > I have a client application that is accessible from all realms. > > I would like, with a realm master user, to be able to access the client application of each realm, without creating users on each realm. > > I tried this but when I log in to the client application with the user created in the realm master the login fails because it says that the user does not exist. > > Reading the documentation it is explained that the users created in the realm master are used to manage the realms as admin, so you can create new realms and users and groups within the various realms, but it is not specified that with this user you can access a client application defined in realms. > > Is it possible to access clients of the various realms with the realm master users, without duplicating them in every realm, or not? > > Thank you > > > > Get Outlook for Android > > > > > > > > > > On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin"
wrote: > > > > > Hello Mattia, answers inline, > > > > > > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote: > > > > We have this situation: > > > > > > > > master realm -> used to manage other realms > > > > > > > > realm1, realm2, realm3, .. -> are retailers and contain companies > > > > > > > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users > > > > > > > > we have to see all the retailers (realms), the companies (groups) and the users > > > > > > > > How can I do it? > > > > > > > > Can I create a master realm user and use it to access all the other realms? > > > > > > Yes you can. In fact, there is already such a user - it's the admin that > > > you've created on the first run. If you want more users with such > > > access in the master realm, grant them the "admin" realm role. If you look into > > > the "admin" role details, you'll see that it automatically includes all the > > > client roles of the *-realm clients; that's how it works under the hood. > > > > > > If you don't want to grant that powerful admin role, go to user -> Role > > > mappings and assign the necessary client roles from the *-realm > > > clients. The user will get access to the admin functions for that realm(s). > > > > > > > > > > > Or do I have to replicate the admin user in the master realm into all other realms to use it to log in to that realm? > > > > > > This is possible too. Create a user in the target realm, go to Role > > > mappings and assign the necessary roles from the realm-management > > > client. > > > > > > Good luck, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > > > > > > Thanks to all > > > > > > > > > > > > > > > > > > Mattia Bello > > > > Developer > > > > > > > > > > > > Horsa S.p.A. > > > > Via Cadorna, 67 > > > > Vimodrone (MI) > > > > Mobile (+39) 340 36 07 937 > > > > http://www.horsa.it > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From sthorger at redhat.com Wed Oct 31 01:36:07 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Oct 2018 06:36:07 +0100 Subject: [keycloak-user] Review Latvian translation Message-ID: We have a PR for Latvian translations for Keycloak. Can someone from the community review it please? https://github.com/keycloak/keycloak/pull/5676 From sthorger at redhat.com Wed Oct 31 01:37:51 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Oct 2018 06:37:51 +0100 Subject: [keycloak-user] Turkish translation review needed Message-ID: We have a PR for Turkish translations for Keycloak. Can someone from the community review this please? https://github.com/keycloak/keycloak/pull/5678 From sthorger at redhat.com Wed Oct 31 01:42:36 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Oct 2018 06:42:36 +0100 Subject: [keycloak-user] Review Dutch translation update Message-ID: Can someone from the community please review updates to the Dutch translation? From sthorger at redhat.com Wed Oct 31 01:42:52 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Oct 2018 06:42:52 +0100 Subject: [keycloak-user] Review Dutch translation update In-Reply-To: References: Message-ID: A bit too hasty with clicking send, here's the link: https://github.com/keycloak/keycloak/pull/5677 On Wed, 31 Oct 2018 at 06:42, Stian Thorgersen wrote: > Can someone from the community please review updates to the Dutch > translation?
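Added example for the "Need to log in to all realms with unique admin users" thread above: Dmitry's six admin-console steps driven through the Keycloak admin REST API from Node, so the same setup can be repeated for each of the fifteen realms Mattia mentions instead of clicked through per realm. It is editor-written, not code from the thread. Assumed: Keycloak 4.5 reachable at KC_URL (default http://localhost:8180/auth), an admin user in master, Node 18+ for the global fetch, and the standard admin API paths (/admin/realms/{realm}/clients, .../clients/{id}/client-secret, .../identity-provider/instances); the function names are the editor's. The redirect-URI derivation is the part worth noticing: the invalid_redirect_uri error in the thread is exactly this URI not being registered on the master-realm client the provider authenticates with.

```javascript
// Realm-to-realm brokering (Dmitry's steps 1-6) through the Keycloak admin
// REST API. Node 18+ for global fetch. Nothing is sent unless KC_APPLY=1.

var BASE_URL = process.env.KC_URL || "http://localhost:8180/auth";   // assumed server

// Step 5: Keycloak derives the brokering callback from the target realm and
// the IdP alias. This exact string must be whitelisted in step 6; the
// invalid_redirect_uri in the thread is this URI not being registered on the
// master-realm client the provider authenticates with.
function brokerRedirectUri(base, targetRealm, alias) {
    return base + "/realms/" + targetRealm + "/broker/" + alias + "/endpoint";
}

// Steps 2-4: the IdentityProviderRepresentation the console builds after
// "Import from URL", with the "broker" client's id/secret from step 1.
function idpRepresentation(base, sourceRealm, alias, clientId, clientSecret) {
    var oidc = base + "/realms/" + sourceRealm + "/protocol/openid-connect";
    return {
        alias: alias,
        providerId: "keycloak-oidc",
        enabled: true,
        trustEmail: false,
        storeToken: false,
        config: {
            clientId: clientId,
            clientSecret: clientSecret,
            issuer: base + "/realms/" + sourceRealm,
            authorizationUrl: oidc + "/auth",
            tokenUrl: oidc + "/token",
            logoutUrl: oidc + "/logout",
            userInfoUrl: oidc + "/userinfo",
            jwksUrl: oidc + "/certs",
            useJwksUrl: "true",
            validateSignature: "true"
        }
    };
}

// Step 6 helper: add the callback to the client's redirect URIs without
// dropping the ones already registered (a PUT replaces the whole list).
function withRedirectUri(client, uri) {
    var uris = (client.redirectUris || []).slice();
    if (uris.indexOf(uri) === -1) { uris.push(uri); }
    return Object.assign({}, client, { redirectUris: uris });
}

async function adminCall(token, method, path, body) {
    var res = await fetch(BASE_URL + "/admin" + path, {
        method: method,
        headers: { "Authorization": "Bearer " + token, "Content-Type": "application/json" },
        body: body === undefined ? undefined : JSON.stringify(body)
    });
    if (!res.ok) { throw new Error(method + " " + path + " -> HTTP " + res.status); }
    var text = await res.text();          // 201/204 come back with an empty body
    return text ? JSON.parse(text) : null;
}

async function apply(sourceRealm, targetRealm, alias, adminUser, adminPassword) {
    // admin-cli password grant against master, the same thing kcadm.sh does
    var tokenRes = await fetch(BASE_URL + "/realms/master/protocol/openid-connect/token", {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: new URLSearchParams({ grant_type: "password", client_id: "admin-cli",
                                    username: adminUser, password: adminPassword })
    });
    if (!tokenRes.ok) { throw new Error("token request failed: HTTP " + tokenRes.status); }
    var token = (await tokenRes.json()).access_token;

    // Step 1: id and secret of the source realm's "broker" client
    var clients = await adminCall(token, "GET", "/realms/" + sourceRealm + "/clients?clientId=broker");
    var brokerId = clients[0].id;
    var secret = (await adminCall(token, "GET",
        "/realms/" + sourceRealm + "/clients/" + brokerId + "/client-secret")).value;

    // Steps 2-4: create the identity provider in the target realm
    await adminCall(token, "POST", "/realms/" + targetRealm + "/identity-provider/instances",
        idpRepresentation(BASE_URL, sourceRealm, alias, "broker", secret));

    // Steps 5-6: whitelist the callback on the broker client
    var full = await adminCall(token, "GET", "/realms/" + sourceRealm + "/clients/" + brokerId);
    await adminCall(token, "PUT", "/realms/" + sourceRealm + "/clients/" + brokerId,
        withRedirectUri(full, brokerRedirectUri(BASE_URL, targetRealm, alias)));
    return brokerRedirectUri(BASE_URL, targetRealm, alias);
}

if (process.env.KC_APPLY === "1") {
    apply("master", process.env.KC_TARGET_REALM || "foo", "master",
          process.env.KC_ADMIN, process.env.KC_ADMIN_PW)
        .then(function (uri) { console.log("brokering enabled, callback " + uri); })
        .catch(function (e) { console.error(e.message); process.exit(1); });
}
```

Run it as KC_APPLY=1 KC_TARGET_REALM=foo KC_ADMIN=admin KC_ADMIN_PW=... node broker.js, once per non-master realm. The alias passed to apply() is what the callback path contains, so keep it identical to the alias you expect users to see on the login page; changing the alias later means re-registering the callback on the broker client.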
> > From msakho at redhat.com Wed Oct 31 03:59:35 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Wed, 31 Oct 2018 08:59:35 +0100 Subject: [keycloak-user] Fwd: setting up TLS(SSL) through the X509_CA_BUNDLE environment variable In-Reply-To: References: Message-ID: Hi Sebastian, Do you have any advice on this issue? It's related to the x509.sh script and I would really appreciate an input/help here. Meissa ---------- Forwarded message --------- From: Meissa M'baye Sakho Date: Tue 30 Oct 2018 at 17:12 Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment variable To: keycloak-user Hello everyone, I'm using the jboss/keycloak:4.5.0.Final docker image. I'm trying to set up mutual TLS by using the X509_CA_BUNDLE environment variable as explained in the jboss/keycloak docker image documentation. I've mounted a volume to the image pointing to the cert file and defined the env variable. I'm running the image with the following command:

docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
    -e PROXY_ADDRESS_FORWARDING=true \
    -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
    -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
    -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
    -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
    -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
    jboss/keycloak:4.5.0.Final

When the container starts, I've checked that the cert has been correctly mounted to the expected folder /var/run/secrets. But I see in the log that the certificate import fails (extract below):

Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
Creating Keycloak truststore..
Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}

I've checked in the script that handles the TLS import [1], but I'm not able to guess why the import is failing. The following extract is the part of the script that the image uses to import the cert.

# Import existing system CA certificates into the newly generated truststore
local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
  echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
  keytool -importkeystore -noprompt \
    -srckeystore "${SYSTEM_CACERTS}" \
    -destkeystore "${JKS_TRUSTSTORE_PATH}" \
    -srcstoretype jks -deststoretype jks \
    -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
  if [ "$?" -ne "0" ]; then
    echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
  else
    echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
  fi

Any advice? [1]= https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh Meissa From slaskawi at redhat.com Wed Oct 31 04:08:40 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Wed, 31 Oct 2018 09:08:40 +0100 Subject: [keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable In-Reply-To: References: Message-ID: Hey Meissa, The warning you see does no harm. As you can see here [1], the message is being thrown without stopping the script. Pulling JDK CAs has been implemented somewhat ahead of time.
I asked the Cloud Enablement (and also other Red Hat teams) to put Kubernetes and OpenShift CAs into the JDK lib directory. This way Keycloak will trust the OpenShift cluster out of the box. The warning you see clearly indicates that this feature hasn't been implemented yet. So the bottom line - please ignore this error. I'm pretty sure it will disappear in the future (and if not, I'll just remove or disable this feature). Thanks, Sebastian [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88 On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho wrote: > Hi Sebastian, > Do you have any advice on this issue? It's related to the x509.sh script > and I would really appreciate an input/help here. > Meissa > ---------- Forwarded message --------- > From: Meissa M'baye Sakho > Date: Tue 30 Oct 2018 at 17:12 > Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment > variable > To: keycloak-user > > > Hello everyone, > I'm using the jboss/keycloak:4.5.0.Final docker image. > I'm trying to set up mutual TLS by using the X509_CA_BUNDLE environment > variable as explained in the jboss/keycloak docker image documentation. > I've mounted a volume to the image pointing to the cert file and defined > the env variable.
> I'm running the image with the following command:
>
> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
>   -e PROXY_ADDRESS_FORWARDING=true \
>   -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>   -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>   -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>   -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>   -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>   jboss/keycloak:4.5.0.Final
>
> When the container starts, I've checked that the cert has been correctly
> mounted to the expected folder /var/run/secrets
> But I see in the log that the certificate import fails (extract below):
>
> Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
> HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
> Creating Keycloak truststore..
> Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
> Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
> Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
> Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
>
> I've checked in the script that handles the TLS import [1], but I'm not
> able to guess why the import is failing.
>
> The following extract is a part of the script that is used by the image
> to import the cert.
> # Import existing system CA certificates into the newly generated truststore
> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>     echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>     keytool -importkeystore -noprompt \
>         -srckeystore "${SYSTEM_CACERTS}" \
>         -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>         -srcstoretype jks -deststoretype jks \
>         -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>     if [ "$?" -ne "0" ]; then
>         echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>     else
>         echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>     fi
>
> Any advice?
>
> [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>
> Meissa
>

From slaskawi at redhat.com Wed Oct 31 04:11:47 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 31 Oct 2018 09:11:47 +0100
Subject: [keycloak-user] kubernetes discovery protocol for JGroups
In-Reply-To:
References:
Message-ID:

Hey Meissa,

Graham is 100% correct.

The only thing I could add is that OpenShift Pods are not allowed to query Kubernetes API by default (you need to create a RoleBinding and a ServiceAccount to do that). Therefore, I recommend DNS_PING for OpenShift and KUBE_PING/DNS_PING (depending whether you'd like to create an additional HeadlessService) for vanilla Kube.

Thanks,
Sebastian

On Tue, Oct 30, 2018 at 5:14 PM Graham Burgess wrote:

> Meissa,
>
> I believe the difference is in how it gets the data about the instances in
> the cluster. DNS_PING obviously will use DNS, in a Kubernetes env you will
> want to setup a headless service for that so it gets all the IPs for all
> the instances.
> As for KUBE_PING, well that uses the Kubernetes API directly
> to determine the IPs of the instances.
>
> I run vanilla Kubernetes clusters so I don't know how the difference with
> OS will affect my beliefs. However, I would probably recommend just using
> DNS_PING and making sure that there is a headless service as well as a
> normal service for Keycloak. It would seem to be the more generic method
> for sure.
>
> Best regards,
> Graham Burgess
> RΛZΞR|stormmore
> Sr. DevOps Engineer (USA)
> Email: graham.burgess at razer.com
> DID: (415) 374 0639
> Razer Inc. Stock Code: 1337.HK
> IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or
> otherwise protected from disclosure. If you are not an intended recipient,
> do not copy, distribute or use its contents. Do inform the sender that you
> have received the message in error and delete it from your system. E-mails
> are not secure and may suffer errors, computer viruses, delay, interception
> and amendment. Razer accepts neither risk nor liability for any damage or
> loss caused by this e-mail. To the extent permitted by applicable law,
> Razer reserves the right to retain, monitor and intercept e-mails to and
> from its systems.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Meissa M'baye Sakho
> Sent: Tuesday, October 30, 2018 3:56 AM
> To: keycloak-user
> Subject: [keycloak-user] kubernetes discovery protocol for JGroups
>
> Hello everyone,
> Can someone tell me the difference between the dns.DNS_PING and
> kubernetes.KUBE_PING protocols that we could use to enable keycloak
> clustering?
> It seems like both of them could be used in a kubernetes environment but I
> can't see a documentation clearly explaining the difference between them.
> I would like to know which one is relevant in an openshift environment and
> which one is in a non openshift environment.
> The official github repo [1] does not say a lot about that?
> [1]=https://github.com/jgroups-extras/jgroups-kubernetes/
> Regards,
> Meissa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kkcmadhu at yahoo.com Wed Oct 31 04:30:08 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Wed, 31 Oct 2018 08:30:08 +0000 (UTC)
Subject: [keycloak-user] keycloak not starting up and timing out on HHH000397: Using ASTQueryTranslatorFactory
References: <26978704.17718110.1540974608806.ref@mail.yahoo.com>
Message-ID: <26978704.17718110.1540974608806@mail.yahoo.com>

Any idea what's going wrong here?

I have recently set up keycloak in HA and was able to bring up 2 nodes and things were working fine. After a day or two, I stopped one node and was never able to bring keycloak back up. The start up of keycloak times out here:

[org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory

Steps tried:
- stopped the second node in the cluster and tried bringing up both nodes again -> did not succeed (same error)
- tried bringing up keycloak in standalone mode (not HA) -> did not succeed (same error)
- tried increasing the timeout to -Djboss.as.management.blocking.timeout=600 (same error)

I have about some 350 odd realms in my db (could that be the reason??). Will keycloak try to validate/migrate data etc on startup?? I am asking this as I see these lines prior to the timeouts:

08:17:25,264 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 58) HHH000412: Hibernate Core {5.1.10.Final}
08:17:25,266 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 58) HHH000206: hibernate.properties not found
08:17:25,268 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 58) HHH000021: Bytecode provider name : javassist
08:17:25,302 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 58) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
08:17:25,438 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 58) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
08:17:25,485 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 58) Envers integration enabled : true
08:17:26,026 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 58) HV000001: Hibernate Validator 5.3.5.Final
08:17:26,628 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 58) HHH000397: Using ASTQueryTranslatorFactory

The actual exception is a "Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)" with a different cause each time (possibly based on what the thread is doing at

----------------------------Exception-----------------------------------------------------------------------------------------------------------------
08:01:19,392 INFO  [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo [
        name: keycloak-default
        ...]
08:01:19,440 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 57) HHH000412: Hibernate Core {5.1.10.Final}
08:01:19,442 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000206: hibernate.properties not found
08:01:19,443 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000021: Bytecode provider name : javassist
08:01:19,472 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 57) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
08:01:19,889 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 57) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
08:01:19,936 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 57) Envers integration enabled : true
08:01:20,425 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 57) HV000001: Hibernate Validator 5.3.5.Final
08:01:21,242 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory
08:06:16,695 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e in state  RUN
08:06:16,702 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
08:06:16,703 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e
08:06:22,093 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 in state  RUN
08:06:22,094 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 invoked while multiple threads active within it.
08:06:22,095 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 completed with multiple threads - thread ServerService Thread Pool -- 57 was in progress with
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
java.net.SocketInputStream.read(SocketInputStream.java:171)
java.net.SocketInputStream.read(SocketInputStream.java:141)
com.mysql.cj.protocol.ReadAheadInputStream.fill(ReadAheadInputStream.java:107)
com.mysql.cj.protocol.ReadAheadInputStream.readFromUnderlyingStreamIfNecessary(ReadAheadInputStream.java:150)
com.mysql.cj.protocol.ReadAheadInputStream.read(ReadAheadInputStream.java:180)
java.io.FilterInputStream.read(FilterInputStream.java:133)
com.mysql.cj.protocol.FullReadInputStream.readFully(FullReadInputStream.java:64)
com.mysql.cj.protocol.a.SimplePacketReader.readHeader(SimplePacketReader.java:63)
com.mysql.cj.protocol.a.SimplePacketReader.readHeader(SimplePacketReader.java:45)
com.mysql.cj.protocol.a.TimeTrackingPacketReader.readHeader(TimeTrackingPacketReader.java:52)
com.mysql.cj.protocol.a.TimeTrackingPacketReader.readHeader(TimeTrackingPacketReader.java:41)
com.mysql.cj.protocol.a.MultiPacketReader.readHeader(MultiPacketReader.java:54)
com.mysql.cj.protocol.a.MultiPacketReader.readHeader(MultiPacketReader.java:44)
com.mysql.cj.protocol.a.NativeProtocol.readMessage(NativeProtocol.java:557)
com.mysql.cj.protocol.a.NativeProtocol.checkErrorMessage(NativeProtocol.java:735)
com.mysql.cj.protocol.a.NativeProtocol.sendCommand(NativeProtocol.java:674)
com.mysql.cj.protocol.a.NativeProtocol.sendQueryPacket(NativeProtocol.java:966)
com.mysql.cj.NativeSession.execSQL(NativeSession.java:1165)
com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:937)
com.mysql.cj.jdbc.ClientPreparedStatement.executeQuery(ClientPreparedStatement.java:1019)
org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504)
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.getResultSet(AbstractLoadPlanBasedLoader.java:434)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:186)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:161)
org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:146)
org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
org.hibernate.collection.internal.AbstractPersistentCollection.readSize(AbstractPersistentCollection.java:145)
org.hibernate.collection.internal.PersistentMap.size(PersistentMap.java:123)
java.util.HashMap.putMapEntries(HashMap.java:501)
java.util.HashMap.putAll(HashMap.java:785)
org.keycloak.models.jpa.ClientScopeAdapter.getAttributes(ClientScopeAdapter.java:309)
org.keycloak.models.cache.infinispan.entities.CachedClientScope.<init>(CachedClientScope.java:56)
org.keycloak.models.cache.infinispan.RealmCacheSession.getClientScopeById(RealmCacheSession.java:1147)
org.keycloak.models.jpa.RealmAdapter.getClientScopes(RealmAdapter.java:1779)
org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:232)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$807/210507936.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
org.jboss.threads.JBossThread.run(JBossThread.java:320)
08:06:22,096 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 aborting with 1 threads active!
08:06:22,098 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
08:06:22,099 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19
08:06:22,101 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) SQL Error: 0, SQLState: null
08:06:22,101 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
08:06:22,103 WARN  [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 57) ARJUNA012077: Abort called on already aborted atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:19
08:06:22,129 WARN  [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 57) ARJUNA012077: Abort called on already aborted atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:e
08:06:22,135 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
        at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
        at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
        at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
        at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
        at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
        at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        ... 6 more
Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
        at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.prepareQueryStatement(AbstractLoadPlanBasedLoader.java:241)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:185)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
        at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
        at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
        at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
        at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
        at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
        at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
        at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
        at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
        at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
        at org.keycloak.models.jpa.ClientScopeAdapter.getProtocolMappers(ClientScopeAdapter.java:104)
        at org.keycloak.models.cache.infinispan.entities.CachedClientScope.<init>(CachedClientScope.java:50)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.getClientScopeById(RealmCacheSession.java:1147)
        at org.keycloak.models.jpa.RealmAdapter.getClientScopes(RealmAdapter.java:1779)
        at org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
        at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:232)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
        at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
        at org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
        at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
        at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
        at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
        ... 28 more
Caused by: java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:447)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
        ... 61 more

08:06:22,168 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
08:06:22,196 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
    Caused by: java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK"}}
08:06:22,218 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:/jboss/datasources/KeycloakDS]

From msakho at redhat.com Wed Oct 31 05:13:11 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 31 Oct 2018 10:13:11 +0100
Subject: [keycloak-user] kubernetes discovery protocol for JGroups
In-Reply-To:
References:
Message-ID:

Hello Sebastian,
I agree with both of you and I'm also using DNS_PING.
But what's missing is the dns_query property value usage. It's an additional property that is required when using the DNS_PING protocol and I would like to know which value is better suited for it.
Meissa

On Wed, 31 Oct 2018 at 09:12, Sebastian Laskawiec wrote:

> Hey Meissa,
>
> Graham is 100% correct.
>
> The only thing I could add is that OpenShift Pods are not allowed to query Kubernetes API by default (you need to create a RoleBinding and a ServiceAccount to do that). Therefore, I recommend DNS_PING for OpenShift and KUBE_PING/DNS_PING (depending whether you'd like to create an additional HeadlessService) for vanilla Kube.
>
> Thanks,
> Sebastian
>
> On Tue, Oct 30, 2018 at 5:14 PM Graham Burgess wrote:
>
>> Meissa,
>>
>> I believe the difference is in how it gets the data about the instances in the cluster. DNS_PING obviously will use DNS, in a Kubernetes env you will want to setup a headless service for that so it gets all the IPs for all the instances. As for KUBE_PING, well that uses the Kubernetes API directly to determine the IPs of the instances.
>>
>> I run vanilla Kubernetes clusters so I don't know how the difference with OS will affect my beliefs. However, I would probably recommend just using DNS_PING and making sure that there is a headless service as well as a normal service for Keycloak. It would seem to be the more generic method for sure.
>>
>> Best regards,
>> Graham Burgess
>> RΛZΞR|stormmore
>> Sr. DevOps Engineer (USA)
>> Email: graham.burgess at razer.com
>> DID: (415) 374 0639
>> Razer Inc. Stock Code: 1337.HK
>> IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Meissa M'baye Sakho
>> Sent: Tuesday, October 30, 2018 3:56 AM
>> To: keycloak-user
>> Subject: [keycloak-user] kubernetes discovery protocol for JGroups
>>
>> Hello everyone,
>> Can someone tell me the difference between the dns.DNS_PING and kubernetes.KUBE_PING protocols that we could use to enable Keycloak clustering?
>> It seems like both of them could be used in a Kubernetes environment but I can't see a documentation clearly explaining the difference between them.
>> I would like to know which one is relevant in an OpenShift environment and which one in a non-OpenShift environment.
>> The official GitHub repo [1] does not say a lot about that?
>> [1]=https://github.com/jgroups-extras/jgroups-kubernetes/
>> Regards,
>> Meissa
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From slaskawi at redhat.com Wed Oct 31 05:33:19 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 31 Oct 2018 10:33:19 +0100
Subject: [keycloak-user] kubernetes discovery protocol for JGroups
In-Reply-To: 
References: 
Message-ID: 

The dns_query parameter needs to match your DNS query.
Here's an example for A records [1]:

jgroups-dns-ping.myproject.svc.cluster.local

- svc.cluster.local - tells Kubernetes that this is a service inside its cluster
- myproject - this is the namespace I'm using
- jgroups-dns-ping - this is the service name I'm using

I hope this helps!

Thanks,
Sebastian

[1] https://github.com/slaskawi/jgroups-dns-ping-example/blob/master/src/main/resources/config-test.xml#L30

On Wed, Oct 31, 2018 at 10:13 AM Meissa M'baye Sakho wrote:

> Hello Sebastian,
> I agree with both of you and I'm also using DNS_PING.
> But what's missing is the dns_query property value usage. It's an additional property that is required when using the DNS_PING protocol and I would like to know which value is better suited for it.
> Meissa
>
> On Wed, 31 Oct 2018 at 09:12, Sebastian Laskawiec wrote:
>
>> Hey Meissa,
>>
>> Graham is 100% correct.
>>
>> The only thing I could add is that OpenShift Pods are not allowed to query Kubernetes API by default (you need to create a RoleBinding and a ServiceAccount to do that). Therefore, I recommend DNS_PING for OpenShift and KUBE_PING/DNS_PING (depending whether you'd like to create an additional HeadlessService) for vanilla Kube.
>>
>> Thanks,
>> Sebastian
>>
>> On Tue, Oct 30, 2018 at 5:14 PM Graham Burgess wrote:
>>
>>> Meissa,
>>>
>>> I believe the difference is in how it gets the data about the instances in the cluster. DNS_PING obviously will use DNS, in a Kubernetes env you will want to setup a headless service for that so it gets all the IPs for all the instances. As for KUBE_PING, well that uses the Kubernetes API directly to determine the IPs of the instances.
>>>
>>> I run vanilla Kubernetes clusters so I don't know how the difference with OS will affect my beliefs. However, I would probably recommend just using DNS_PING and making sure that there is a headless service as well as a normal service for Keycloak. It would seem to be the more generic method for sure.
>>>
>>> Best regards,
>>> Graham Burgess
>>> RΛZΞR|stormmore
>>> Sr. DevOps Engineer (USA)
>>> Email: graham.burgess at razer.com
>>> DID: (415) 374 0639
>>> Razer Inc. Stock Code: 1337.HK
>>>
>>> -----Original Message-----
>>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Meissa M'baye Sakho
>>> Sent: Tuesday, October 30, 2018 3:56 AM
>>> To: keycloak-user
>>> Subject: [keycloak-user] kubernetes discovery protocol for JGroups
>>>
>>> Hello everyone,
>>> Can someone tell me the difference between the dns.DNS_PING and kubernetes.KUBE_PING protocols that we could use to enable Keycloak clustering?
>>> It seems like both of them could be used in a Kubernetes environment but I can't see a documentation clearly explaining the difference between them.
>>> I would like to know which one is relevant in an OpenShift environment and which one in a non-OpenShift environment.
>>> The official GitHub repo [1] does not say a lot about that?
>>> [1]=https://github.com/jgroups-extras/jgroups-kubernetes/
>>> Regards,
>>> Meissa
>>
>>

From msakho at redhat.com Wed Oct 31 05:41:46 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 31 Oct 2018 10:41:46 +0100
Subject: [keycloak-user] kubernetes discovery protocol for JGroups
In-Reply-To: 
References: 
Message-ID: 

Thank you Sebastian,
That's exactly what I was looking for.
Meissa

On Wed, 31 Oct 2018 at 10:33, Sebastian Laskawiec wrote:

> The dns_query parameter needs to match your DNS query. Here's an example for A records [1]:
> jgroups-dns-ping.myproject.svc.cluster.local
> - svc.cluster.local - tells Kubernetes that this is a service inside its cluster
> - myproject - this is the namespace I'm using
> - jgroups-dns-ping - this is the service name I'm using
>
> I hope this helps!
>
> Thanks,
> Sebastian
>
> [1] https://github.com/slaskawi/jgroups-dns-ping-example/blob/master/src/main/resources/config-test.xml#L30
>
> On Wed, Oct 31, 2018 at 10:13 AM Meissa M'baye Sakho wrote:
>
>> Hello Sebastian,
>> I agree with both of you and I'm also using DNS_PING.
>> But what's missing is the dns_query property value usage. It's an additional property that is required when using the DNS_PING protocol and I would like to know which value is better suited for it.
>> Meissa
>>
>> On Wed, 31 Oct 2018 at 09:12, Sebastian Laskawiec wrote:
>>
>>> Hey Meissa,
>>>
>>> Graham is 100% correct.
>>>
>>> The only thing I could add is that OpenShift Pods are not allowed to query Kubernetes API by default (you need to create a RoleBinding and a ServiceAccount to do that). Therefore, I recommend DNS_PING for OpenShift and KUBE_PING/DNS_PING (depending whether you'd like to create an additional HeadlessService) for vanilla Kube.
>>>
>>> Thanks,
>>> Sebastian
>>>
>>> On Tue, Oct 30, 2018 at 5:14 PM Graham Burgess wrote:
>>>
>>>> Meissa,
>>>>
>>>> I believe the difference is in how it gets the data about the instances in the cluster. DNS_PING obviously will use DNS, in a Kubernetes env you will want to setup a headless service for that so it gets all the IPs for all the instances. As for KUBE_PING, well that uses the Kubernetes API directly to determine the IPs of the instances.
>>>>
>>>> I run vanilla Kubernetes clusters so I don't know how the difference with OS will affect my beliefs. However, I would probably recommend just using DNS_PING and making sure that there is a headless service as well as a normal service for Keycloak. It would seem to be the more generic method for sure.
>>>>
>>>> Best regards,
>>>> Graham Burgess
>>>> RΛZΞR|stormmore
>>>> Sr. DevOps Engineer (USA)
>>>> Email: graham.burgess at razer.com
>>>> DID: (415) 374 0639
>>>> Razer Inc. Stock Code: 1337.HK
>>>>
>>>> -----Original Message-----
>>>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Meissa M'baye Sakho
>>>> Sent: Tuesday, October 30, 2018 3:56 AM
>>>> To: keycloak-user
>>>> Subject: [keycloak-user] kubernetes discovery protocol for JGroups
>>>>
>>>> Hello everyone,
>>>> Can someone tell me the difference between the dns.DNS_PING and kubernetes.KUBE_PING protocols that we could use to enable Keycloak clustering?
>>>> It seems like both of them could be used in a Kubernetes environment but I can't see a documentation clearly explaining the difference between them.
>>>> I would like to know which one is relevant in an OpenShift environment and which one in a non-OpenShift environment.
>>>> The official GitHub repo [1] does not say a lot about that?
>>>> [1]=https://github.com/jgroups-extras/jgroups-kubernetes/
>>>> Regards,
>>>> Meissa
>>>
>>>

From bojan.milosavljevic95 at gmail.com Wed Oct 31 05:59:15 2018
From: bojan.milosavljevic95 at gmail.com (Bojan Milosavljević)
Date: Wed, 31 Oct 2018 10:59:15 +0100
Subject: [keycloak-user] PKCE and Keycloak
Message-ID: 

Hello,

Is PKCE (if my adapter supports PKCE of course) automatically supported by default by Keycloak or do I have to implement it myself?

Thank you.

Kind regards,
Bojan Milosavljevic.

From msakho at redhat.com Wed Oct 31 06:05:44 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 31 Oct 2018 11:05:44 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in>
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in>
Message-ID: 

Hello Mathieu,
did you manage to make it work?
If yes, could you tell me how?
Meissa

On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:

> Hello Marek.
>
> I've done that already but looks like it is completely ignored.
> I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
> Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
> > You can configure the Truststore SPI, which is mentioned in our docs here:
> > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> >
> > Some additional notes around LDAP are here:
> > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
> > >
> > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
> > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
> > >
> > > This is the error I am getting:
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > >         ... 99 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > >         ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that?
> > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
> > >
> > > Thanks.
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From me at mpouss.in Wed Oct 31 06:07:44 2018
From: me at mpouss.in (Mathieu Poussin)
Date: Wed, 31 Oct 2018 11:07:44 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: 
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in>
Message-ID: <166c997d9e2.ad87e437323767.9106919117329394897@mpouss.in>

Hello Meissa.

So far I could not find a way to do it, the project is now in standby, if we can't get it to work we will probably check for another solution, unfortunately.

Thanks.
Mathieu

---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho wrote ----
> Hello Mathieu,
> did you manage to make it work?
> If yes, could you tell me how?
> Meissa
>
> On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
> Hello Marek.
>
> I've done that already but looks like it is completely ignored.
> I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
> Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
>
> Thanks.
> Mathieu
>
>
> ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda wrote ----
> > You can configure the Truststore SPI, which is mentioned in our docs here:
> > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> >
> > Some additional notes around LDAP are here:
> > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> >
> > Marek
> >
> >
> > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > Hello.
> > >
> > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
> > >
> > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
> > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
> > >
> > > This is the error I am getting:
> > >
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > >         ... 99 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > >         ... 105 more
> > >
> > >
> > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that?
> > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
> > >
> > > Thanks.
> >
> >
>

From jlieskov at redhat.com Wed Oct 31 06:29:07 2018
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Wed, 31 Oct 2018 11:29:07 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <166c997d9e2.ad87e437323767.9106919117329394897@mpouss.in>
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> <166c997d9e2.ad87e437323767.9106919117329394897@mpouss.in>
Message-ID: 

Hey Mathieu, Meissa,

(just quickly to double-check,) what's the template name you have deployed RH-SSO for OpenShift image from?
(assuming this is issue on OpenShift)

If the "sso72-x509-https" one (or some of the *-x509-* based ones) was used to deploy the RH-SSO server pod, this won't work. Reason being the *-x509-* ones are configured in the way to auto-generate the RH-SSO truststore (use the defaults, and let the user not need to supply this). Even if custom truststore / cert is supplied, the default one will be used. AFAICT this isn't configurable (since wasn't intended to be).

If you want the custom cert / truststore to be actually honoured, you need to deploy the RH-SSO pod from some other template (some of the passthrough TLS based templates, not the x509 re-encrypt TLS ones).

I will file JIRAs to:
- Mention this *-x509-* template deficiency in the templates,
- RFE to get the *-x509-* ones to honour custom certificates, if supplied.

HTH & Sorry for the inconvenience

Thank you && Regards,
Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team

On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin wrote:

> Hello Meissa.
>
> So far I could not find a way to do it, the project is now in standby, if we can't get it to work we will probably check for another solution, unfortunately.
>
> Thanks.
> Mathieu
>
>
> ---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho <msakho at redhat.com> wrote ----
> > Hello Mathieu,
> > did you manage to make it work?
> > If yes, could you tell me how?
> > Meissa
> >
> > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
> > Hello Marek.
> >
> > I've done that already but looks like it is completely ignored.
> > I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
> > Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
> >
> > Thanks.
> > Mathieu
> >
> >
> > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
> > > You can configure the Truststore SPI, which is mentioned in our docs here:
> > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> > >
> > > Some additional notes around LDAP are here:
> > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> > >
> > > Marek
> > >
> > >
> > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > Hello.
> > > >
> > > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
> > > >
> > > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
> > > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
> > > >
> > > > This is the error I am getting:
> > > >
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > >         ... 99 more
> > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > >         ... 105 more
> > > >
> > > >
> > > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that?
> > > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
> > > >
> > > > Thanks.
> > >
> > >
> >
> >

From slaskawi at redhat.com Wed Oct 31 08:43:57 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 31 Oct 2018 13:43:57 +0100
Subject: [keycloak-user] keycloak docker image clustering section is not working as expected
In-Reply-To: 
References: 
Message-ID: 

The JGROUPS_DISCOVERY_PROPERTIES is optional but some of the JGroups Discovery protocols (including DNS_PING) require some additional configuration. In case of DNS_PING, it's dns_query that needs to be supplied.
The absence of this parameter causes an exception in JGroups [1].

It is probably worth mentioning that some of the Discovery protocols do not require any properties. The most common examples could be KUBE_PING or MPING.

[1] https://github.com/belaban/JGroups/blob/master/src/org/jgroups/protocols/dns/DNS_PING.java#L63

On Mon, Oct 29, 2018 at 12:05 PM Meissa M'baye Sakho wrote:

> Hello everyone,
> There is a confusing section in the clustering [1] section of the Keycloak docker image.
> The documentation states that:
>
> JGROUPS_DISCOVERY_PROPERTIES - an optional parameter with the discovery protocol properties in the following format:
> PROP1=FOO,PROP2=BAR
>
> I can confirm that this parameter is not optional at all.
> When I run the image with the JGROUPS_DISCOVERY_PROTOCOL environment variable set and without the JGROUPS_DISCOVERY_PROPERTIES set (since it's said to be optional), the container fails to start with the error message below:
>
> 10:50:11,999 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "jgroups"),
>     ("channel" => "ee")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.jgroups.channel.ee" => "java.lang.IllegalArgumentException: dns_query can not be null or empty
>     Caused by: java.lang.IllegalArgumentException: dns_query can not be null or empty"}}
>
> Setting the JGROUPS_DISCOVERY_PROPERTIES environment variable fixes the error. So this is not an optional parameter.
> [1]=https://hub.docker.com/r/jboss/keycloak/
>
> Regards,
> Meissa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com Wed Oct 31 09:20:59 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 31 Oct 2018 14:20:59 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <166c997d9e2.ad87e437323767.9106919117329394897@mpouss.in>
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> <166c997d9e2.ad87e437323767.9106919117329394897@mpouss.in>
Message-ID: <8e5e975f-0dd0-a92d-0239-82c50bf1d6c4@redhat.com>

Few hints:

I would first check if the truststore itself is correct. For example you can use this command (replace with your actual truststore):

$ keytool -list -keystore /home/mposolda/tmp/dev1xy.truststore

Then you should see output like:

Your keystore contains 1 entry

mykey, 31-Oct-2012, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:4E:B2:F2:91:42:D5:5F:17:E0:82:D8:0C:9B:04:A2:91:63:4B:E9

And then you know that the alias is "mykey", so you may want to use:

$ keytool -exportcert -keystore /home/mposolda/tmp/dev1xy.truststore -alias mykey -file /tmp/cert.crt
$ keytool -printcert -file /tmp/cert.crt

which should print all the details of your certificate. If any of the above steps fails or the certificate doesn't look as expected, you know that the issue is in the truststore file itself. Note that you are required to provide the truststore password as well in those commands (keytool will prompt you for it).

Another helpful thing can be to enable debug logging by adding this system property to the command line when running Keycloak:

-Djavax.net.debug=all

That should print lots of debugging info to the server log.
You can especially take a look what it's logging when you click "Test Connection" for your LDAP provider in the admin console. Especially if it uses truststore file as expected, if certificate looks as expected etc. Hope it helps, Marek On 31/10/18 11:07, Mathieu Poussin wrote: > Hello Meissa. > > So far I could not find a way to do it, the project is now in standby, if we can't get it to work we will probably check for another solution, unfortunately. > > Thanks. > Mathieu > > > ---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho wrote ---- > > Hello Mathieu,did you manage to make it work?If yes, could you tell me how?Meissa > > Le mar. 2 oct. 2018 ? 10:01, Mathieu Poussin a ?crit : > > Hello Marek. > > > > I've done that already but looks like it is completely ignored. > > I have my custom truststore that have all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin) > > Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected) > > > > Thanks. > > Mathieu > > > > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda wrote ---- > > > You can configure the Truststore SPI, which is mentioned in our docs > > > here: > > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore > > > > > > Some additional notes around LDAP are here: > > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl > > > > > > Marek > > > > > > > > > On 01/10/18 13:27, Mathieu Poussin wrote: > > > > Hello. > > > > > > > > What would be the recommended way to add a custom CA certificates ? The documentation has a lot of different ways and so far none of them worked : > > > > > > > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server. 
> > > > - Added a custom SPI to load a custom JKS store: same, no error at server start but they are completely ignored by the app server.
> > > >
> > > > This is the error I am getting:
> > > >
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > >         ... 99 more
> > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > >         ... 105 more
> > > >
> > > >
> > > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else worked); would there be a way to do that?
> > > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
> > > >
> > > > Thanks.
> > > >
> > >
> >

From ronald.demneri at amdtia.com Wed Oct 31 09:49:14 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Wed, 31 Oct 2018 13:49:14 +0000
Subject: [keycloak-user] group mapper per client
References: <1540868804.2121.1.camel@acutus.pro>
Message-ID:

Hello everyone,

So, thankfully, after some careful reading, I managed to solve the first issue regarding clientSession.client.clientId, which in fact should be authenticationSession.client.clientId (there was a mention of using loginSession.client.clientId in place of clientSession.client.clientId on this link https://issues.jboss.org/browse/KEYCLOAK-4505, which I tried to use, without success).

Regards,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 30.Oct.2018 3:48 PM
To: 'Dmitry Telegin'; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] group mapper per client

Almost forgot: if I set a static group name to compare against (which is not our goal, but just for testing), it works correctly if the account is a member of that group. If the user is not a member, then it'll display an error like "Invalid username or password". Is it possible to modify the response in such cases, stating that the account is not a member of the required groups, or at least have it say "Invalid group membership"?

Looking forward to hearing from you!

Regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 30.Oct.2018 4:07 AM
To: Ronald Demneri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] group mapper per client

Hello Ronald,

If there is a literal correspondence between your AD group names and client names (e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:

- make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
- create a JavaScript authenticator that would check the client name against the user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.

If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:

- map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml);
- or map AD groups to Keycloak groups, enable authorization services and use a group policy (if your client adapter supports authorization, of course). This, however, will need to be configured per client, in contrast to the first approach (configured once per realm).

Let me know if you need further explanations,

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Please forgive me if this was already asked previously.
> After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients only for users in the respective groups in AD; for example, for client app1 allow login to users that are members of AD_group_app1; if the account is not a member of the app1 group in AD, then he should not be allowed to log in. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
>
>
> Thanks in advance,
> Ronald
>

From me at mpouss.in Wed Oct 31 10:31:22 2018
From: me at mpouss.in (Mathieu Poussin)
Date: Wed, 31 Oct 2018 15:31:22 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To:
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in>
 <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com>
 <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in>
 <166c997d9e2.ad87e437323767.9106919117329394897@mpouss.in>
Message-ID: <166ca893a2b.eaf7cffa334686.3233859246883304258@mpouss.in>

Hello Jan.

Thank you for your message. In my case this is not deployed over OpenShift, but on a single host through Docker; we use our own Docker image on top of the official one to add our own theme and .keystore.

I confirm that the certificates are in our custom keystore (checked with keytool -list). This is what we do in our Dockerfile:

    FROM jboss/keycloak:4.5.0.Final
    ADD themes/xxx /opt/jboss/keycloak/themes/xxx
    ADD certs/xxx.keystore /opt/jboss/keycloak/standalone/configuration/xxx.keystore
    ADD configuration/standalone.xml /opt/jboss/keycloak/standalone/configuration/standalone.xml

And the SPI we are adding in the standalone.xml:

But no luck so far.
---- On Wed, 31 Oct 2018 11:29:07 +0100 Jan Lieskovsky wrote ----
> Hey Mathieu, Meissa,
>
> (just quickly to double-check,) what's the template name you have deployed the RH-SSO for OpenShift image from? (assuming this is an issue on OpenShift)
>
> If the "sso72-x509-https" one (or some of the *-x509-* based ones) was used to deploy the RH-SSO server pod, this won't work. The reason being the *-x509-* ones are configured in a way to auto-generate the RH-SSO truststore (use the defaults, and not require the user to supply this). Even if a custom truststore / cert is supplied, the default one will be used. AFAICT this isn't configurable (since it wasn't intended to be).
>
> If you want the custom cert / truststore to be actually honoured, you need to deploy the RH-SSO pod from some other template (some of the passthrough TLS based templates, not the x509 re-encrypt TLS ones).
>
> I will file JIRAs to:
> - Mention this *-x509-* template deficiency in the templates,
> - RFE to get the *-x509-* ones to honour custom certificates, if supplied.
>
> HTH & Sorry for the inconvenience
> Thank you && Regards, Jan
> --
> Jan iankko Lieskovsky / Keycloak / RH-SSO Team
>
>
> On Wed, Oct 31, 2018 at 11:17 AM Mathieu Poussin wrote:
> Hello Meissa.
>
> So far I could not find a way to do it, the project is now in standby; if we can't get it to work we will probably check for another solution, unfortunately.
>
> Thanks.
> Mathieu
>
>
> ---- On Wed, 31 Oct 2018 11:05:44 +0100 Meissa M'baye Sakho wrote ----
> > Hello Mathieu, did you manage to make it work? If yes, could you tell me how?
> > Meissa
> >
> > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
> > Hello Marek.
> >
> > I've done that already but it looks like it is completely ignored.
> > I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
> > Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
> >
> > Thanks.
> > Mathieu
> >
> >
> > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda wrote ----
> > > You can configure the Truststore SPI, which is mentioned in our docs
> > > here:
> > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> > >
> > > Some additional notes around LDAP are here:
> > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> > >
> > > Marek
> > >
> > >
> > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > Hello.
> > > >
> > > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
> > > >
> > > > - The X509_CA_BUNDLE env variable thing (it's running in a container): I can see the certificates in the JKS store but it looks like they are completely ignored by the app server.
> > > > - Added a custom SPI to load a custom JKS store: same, no error at server start but they are completely ignored by the app server.
> > > >
> > > > This is the error I am getting:
> > > >
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > >         ... 99 more
> > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > >         ... 105 more
> > > >
> > > >
> > > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else worked); would there be a way to do that?
> > > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
> > > >
> > > > Thanks.
> > > >
> > >
> >
>

From wyllys.ingersoll at keepertech.com Wed Oct 31 11:24:28 2018
From: wyllys.ingersoll at keepertech.com (Wyllys Ingersoll)
Date: Wed, 31 Oct 2018 11:24:28 -0400
Subject: [keycloak-user] keycloak-client-admin java examples & docs
Message-ID:

I'm trying to write a keystone client for a 3rd party Java service that will authenticate to Keycloak using the org.keycloak.admin.client.Keycloak interfaces.
There are a couple of snippets of code examples online, such as here:
https://www.keycloak.org/docs/4.5/server_development/#example-using-java
and others such as https://gist.github.com/thomasdarimont/43689aefb37540624e35
but none of them actually work (at least not for me). I always get the following exception when working with the 4.5.0.Final packages:

    java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader

I've seen this same exception mentioned in several threads, but have not seen a working solution/workaround or even a good explanation of why the error is occurring.

The javadocs at https://www.keycloak.org/docs-api/4.5/javadocs/ do not include the docs for the admin.client.Keycloak classes.

Can anyone point me to a *working* example of using the Keycloak admin-client Java API or some online javadocs for those classes?

thanks,
Wyllys Ingersoll

From polochepu at gmail.com Wed Oct 31 12:40:59 2018
From: polochepu at gmail.com (paolo lizarazu)
Date: Wed, 31 Oct 2018 12:40:59 -0400
Subject: [keycloak-user] Help Listing Users
Message-ID:

Hi All,

I am having some issues trying to list Keycloak users from a Spring Boot application (SBA).
I want the Spring Boot app to be secured by Keycloak and, if the user has the proper privileges, to be able to perform the required actions; for my specific case, list the users.

For my realm (Test) I have created a client System-Management which is configured like this:

Settings
* client protocol: openid-connect
* access type: confidential
* standard flow enabled: true
* implicit flow enabled: false
* direct access grants enabled: false
* service account enabled: true
* authorization enabled: true
* valid redirect uris: *
* web origins: *

Scope
* full scope allowed: true

The Spring Boot application has the Keycloak properties configured, and it redirects to login and after success is redirected again to the application. With a second link in the application I want to list the Keycloak users, but the request fails with a 403 response.

    #Keycloak Configuration
    keycloak.auth-server-url=http://localhost:9080/auth
    keycloak.realm=test
    keycloak.resource=system-management
    keycloak.use-resource-role-mappings=false
    keycloak.public-client=false
    keycloak.credentials.secret=964ccde0-888e-4103-86a6-1f90961d6852
    keycloak.principal-attribute=preferred_username

Here is my security config:

    // @KeycloakConfiguration brings in @Configuration and @EnableWebSecurity
    @KeycloakConfiguration
    class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        @Autowired
        public KeycloakClientRequestFactory keycloakClientRequestFactory;

        // Submits the KeycloakAuthenticationProvider to the AuthenticationManager
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
            keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
            auth.authenticationProvider(keycloakAuthenticationProvider);
        }

        // Reads the keycloak.* properties from application.properties instead of keycloak.json
        @Bean
        public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }

        // Specifies the session authentication strategy
        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        }

        @Bean
        @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
        public KeycloakRestTemplate keycloakRestTemplate() {
            KeycloakRestTemplate restTemplate = new KeycloakRestTemplate(keycloakClientRequestFactory);
            // we should add here the interceptor on debug mode
            return restTemplate;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            http.authorizeRequests()
                .antMatchers("/customers*", "/users*")
                .authenticated();
        }

        // Prevents Spring Boot from registering the Keycloak filter twice
        @Bean
        public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
                KeycloakAuthenticationProcessingFilter filter) {
            FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }
    }

and finally my service to get users:

    @Service
    public class KeycloakService {

        @Value("${keycloak.auth-server-url}")
        private String SERVER_URL;
        @Value("${keycloak.realm}")
        private String REALM;
        @Value("${keycloak.resource}")
        private String CLIENT_ID;
        @Value("${keycloak.credentials.secret}")
        private String CLIENT_SECRET;

        // With the client-credentials grant the admin client obtains its own token
        // for the client's service account; passing a token hash via
        // authorization(...) is not a valid bearer token and has been dropped.
        private Keycloak getInstance() {
            return KeycloakBuilder
                    .builder()
                    .serverUrl(SERVER_URL)
                    .realm(REALM)
                    .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                    .clientId(CLIENT_ID)
                    .clientSecret(CLIENT_SECRET)
                    .build();
        }

        public List<UserRepresentation> getUsers() {
            return getInstance().realm(REALM).users().list();
        }
    }

Any help will be appreciated.

Note: the idea is to have user administration outside of Keycloak.

From geoff at opticks.io Wed Oct 31 13:01:47 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Wed, 31 Oct 2018 18:01:47 +0100
Subject: [keycloak-user] Keycloak Gatekeeper CORS problem
Message-ID:

I'm having a problem accessing a REST service protected by Gatekeeper via AJAX. I have tried many different combinations of settings in the config file to no avail. I suspect Gatekeeper has a bug.
I can access the protected endpoint directly (via Gatekeeper) with no issue as there is no CORS. I can use the AJAX method successfully when I use a Chrome plugin to enable CORS for these endpoints.

The message from Chrome is:

    Access to XMLHttpRequest at 'http://domain.com:3001/endpoint.php' from origin 'http://domain2.com:8888' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I see that Chrome only sends an OPTIONS request to Gatekeeper, which does not respond with an Access-Control-Allow-Origin header at all, despite my config settings below.

My config.yml file looks like this:

    client-id: {id}
    client-secret: {secret}
    discovery-url: {keyclock end point}
    enable-default-deny: true
    encryption_key: {32characters}
    listen: 0.0.0.0:3000
    redirection-url: http://domain2.com:3001
    upstream-url: http://localhost:8888
    secure-cookie: false
    verbose: true
    #preserve-host: true
    resources:
    - uri: /admin*
      methods:
      - GET
      roles:
      - test-php-api:test1
      - client:test2
      require-any-role: true
      groups:
      - admins
      - users
    - uri: /endpoint.php
      roles:
      - test-php-api:test1
    - uri: /backend*
      roles:
      - test-php-api:test1
    - uri: /public/*
      white-listed: true
    - uri: /favicon
      white-listed: true
    - uri: /css/*
      white-listed: true
    - uri: /img/*
      white-listed: true
    cors-origins:
    - '*'
    cors-methods:
    - GET
    - POST

Any ideas?
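An added check for the situation above, written for this edit and not part of Geoffrey's post or of the Gatekeeper project: a small Node.js probe that sends the same preflight request Chrome sends (OPTIONS with Origin, Access-Control-Request-Method and Access-Control-Request-Headers) and lists which CORS response headers are missing or mismatched, including the 401 case that a default-deny proxy can produce on an unauthenticated OPTIONS. The host, port, path and origin in the sample and in the usage line are assumptions taken from the error message above; the sample response is constructed to mirror the reported behaviour (an OPTIONS reply with no Access-Control-Allow-Origin header).

```javascript
'use strict';

// Methods a browser treats as "simple": they pass a preflight even when the
// server sends no Access-Control-Allow-Methods header at all.
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];

function splitList(value) {
  return value ? String(value).split(',').map((s) => s.trim()).filter(Boolean) : [];
}

// Apply the browser's preflight rules to a captured OPTIONS response.
// `headers` is an object of response headers (matched case-insensitively),
// `origin` the page origin, `method` the real request's method and
// `requestHeaders` the non-safelisted headers the real request will carry
// (e.g. authorization for a bearer token). Returns { ok, problems }.
function evaluatePreflight(statusCode, headers, origin, method, requestHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    h[name.toLowerCase()] = value;
  }
  const problems = [];

  if (statusCode < 200 || statusCode >= 300) {
    problems.push(`preflight answered with HTTP ${statusCode}, browsers require 2xx`);
  }

  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) {
    problems.push("no 'Access-Control-Allow-Origin' header on the preflight response");
  } else if (allowOrigin !== '*' && allowOrigin !== origin) {
    problems.push(`Access-Control-Allow-Origin is '${allowOrigin}', not '${origin}'`);
  }

  const wanted = method.toUpperCase();
  const allowedMethods = splitList(h['access-control-allow-methods']).map((m) => m.toUpperCase());
  if (!SIMPLE_METHODS.includes(wanted) && !allowedMethods.includes(wanted) && !allowedMethods.includes('*')) {
    problems.push(`method ${wanted} is not listed in Access-Control-Allow-Methods`);
  }

  const allowedHeaders = splitList(h['access-control-allow-headers']).map((n) => n.toLowerCase());
  for (const name of (requestHeaders || []).map((n) => n.toLowerCase())) {
    if (!allowedHeaders.includes(name) && !allowedHeaders.includes('*')) {
      problems.push(`request header '${name}' is not listed in Access-Control-Allow-Headers`);
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample (assumption): the OPTIONS reply described in the post,
// answered by the proxy but carrying no Access-Control-* headers at all.
const SAMPLE_ORIGIN = 'http://domain2.com:8888';
const SAMPLE_PREFLIGHT_RESPONSE = {
  statusCode: 200,
  headers: { 'content-type': 'text/plain', 'content-length': '0' },
};

function evaluateSample() {
  return evaluatePreflight(
    SAMPLE_PREFLIGHT_RESPONSE.statusCode, SAMPLE_PREFLIGHT_RESPONSE.headers,
    SAMPLE_ORIGIN, 'GET', ['authorization']);
}

// Send a real preflight to a plain-http `url` on behalf of `origin` and
// evaluate the reply exactly as the sample above is evaluated.
function probePreflight(url, origin, method = 'GET', requestHeaders = ['authorization']) {
  const http = require('http');
  const target = new URL(url);
  return new Promise((resolve, reject) => {
    const req = http.request({
      hostname: target.hostname, port: target.port || 80,
      path: target.pathname + target.search, method: 'OPTIONS',
      headers: {
        Origin: origin,
        'Access-Control-Request-Method': method,
        'Access-Control-Request-Headers': requestHeaders.join(', '),
      },
    }, (res) => {
      res.resume(); // body is irrelevant for a preflight; only status and headers count
      res.on('end', () => resolve(
        evaluatePreflight(res.statusCode, res.headers, origin, method, requestHeaders)));
    });
    req.setTimeout(5000, () => req.destroy(new Error('preflight timed out')));
    req.on('error', reject);
    req.end();
  });
}

// Usage: node cors_preflight_probe.js http://domain.com:3001/endpoint.php http://domain2.com:8888
if (typeof require !== 'undefined' && require.main === module && process.argv.length >= 4) {
  probePreflight(process.argv[2], process.argv[3])
    .then((result) => console.log(JSON.stringify(result, null, 2)))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

Run it against the proxy's listen address and then against the upstream directly; if only the upstream answers with the expected headers, the proxy is the component dropping or never emitting them.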
Geoff

From pnalyvayko at agi.com Wed Oct 31 13:48:34 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Wed, 31 Oct 2018 17:48:34 +0000
Subject: [keycloak-user] PKCE and Keycloak
In-Reply-To:
References:
Message-ID:

Hi Bojan,

We've been using PKCE, so yes, PKCE support is enabled by default.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Bojan Milosavljevic
Sent: Wednesday, October 31, 2018 5:59 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] PKCE and Keycloak

Hello,

Is PKCE (if my adapter supports PKCE of course) automatically supported by default by Keycloak or do I have to implement it myself?

Thank you.

Kind regards,
Bojan Milosavljevic.

From dt at acutus.pro Wed Oct 31 16:33:46 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 31 Oct 2018 23:33:46 +0300
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To:
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in>
 <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com>
 <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in>
Message-ID: <1541018026.2120.1.camel@acutus.pro>

Mathieu, Meissa,

Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of standalone.xml by default. I guess this is why your truststore settings are being ignored.

I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker deployment; it works pretty well, so definitely not a Keycloak bug per se.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> Hello Mathieu,
> did you manage to make it work?
> If yes, could you tell me how?
> Meissa
>
>
> On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
> >
> > Hello Marek.
> >
> > I've done that already but it looks like it is completely ignored.
> > I have my custom truststore that has all my CA certificates (2), but I'm
> > still seeing the same issue. (SPI is enabled on the LDAPS settings on the
> > admin)
> > Is there a way to make sure it has been loaded correctly? (I don't see any
> > error when the application starts but it's not working as expected)
> >
> > Thanks.
> > Mathieu
> >
> >
> > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
> > > You can configure the Truststore SPI, which is mentioned in our docs
> > > here:
> > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> > >
> > > Some additional notes around LDAP are here:
> > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> > >
> > > Marek
> > >
> > >
> > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > Hello.
> > > >
> > > > What would be the recommended way to add custom CA certificates?
> > > > The documentation has a lot of different ways and so far none of them
> > > > worked:
> > > >
> > > > - The X509_CA_BUNDLE env variable thing (it's running in a
> > > > container): I can see the certificates in the JKS store but it looks like
> > > > they are completely ignored by the app server.
> > > > - Added a custom SPI to load a custom JKS store: same, no error at
> > > > server start but they are completely ignored by the app server.
> > > >
> > > > This is the error I am getting:
> > > >
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path
> > > > building failed:
> > > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > > > valid certification path to requested target
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > >         ... 99 more
> > > > Caused by:
> > > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > > > valid certification path to requested target
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > >         ... 105 more
> > > >
> > > >
> > > > Another option would be to disable certificate verification on LDAPS
> > > > as it's a trusted environment (last resort, but so far nothing else
> > > > worked); would there be a way to do that?
> > > > Connecting over LDAP is not an option as this prevents some features from
> > > > working, like password reset.
> > > >
> > > > Thanks.
> > > >
> > > >
> > >
> >
>

From smahalingam at anaconda.com Wed Oct 31 17:41:47 2018
From: smahalingam at anaconda.com (Saranya Mahalingam)
Date: Wed, 31 Oct 2018 16:41:47 -0500
Subject: [keycloak-user] How to increase logging
Message-ID:

Hello,

The authentication component is not coming up. I don't see any errors in the logs, so I thought of improving the logs using JAVA_OPTS like:

    name: JAVA_OPTS
    value: -Dkeycloak.logging.level=debug

But I don't see any changes in the logs even after setting the above value. I tried a few other options too without success. Do you have any suggestions here? Let me know if you need any other information.

Thanks,
Saranya

From eric.ramirez.sv at gmail.com Wed Oct 31 17:49:41 2018
From: eric.ramirez.sv at gmail.com (Eric Boyd Ramirez)
Date: Wed, 31 Oct 2018 15:49:41 -0600
Subject: [keycloak-user] keycloak-gatekeeper bearer-only
Message-ID: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com>

Dear All,

I am trying to test Keycloak-gatekeeper; I have read the docs I could find (keycloak-proxy as well) but I still have a few questions:

1- I am trying to secure a number of REST APIs, configured behind bearer-only clients. I think I need to first get an access token through a confidential client using a 'grant-type=password' request and then do a second request to the REST client resource. Is this the right approach, and how would I implement this using Keycloak-Gatekeeper?
2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. Is there a way to use Keycloak's authorization settings to manage access to a client's resource (i.e. policies, permissions, uma-ticket, etc.)?

3- How do I set up multiple clients? Do I have to run and configure separate instances of Keycloak-Gatekeeper?

Thanks in advance for your time and help.

Regards,

From orefalo at yahoo.com Fri Oct 5 19:06:56 2018
From: orefalo at yahoo.com (Olivier Refalo)
Date: Fri, 05 Oct 2018 23:06:56 -0000
Subject: [keycloak-user] keycloak-user Digest, Vol 58, Issue 18
In-Reply-To:
References:
Message-ID: <0F4A1372-4BE1-412B-8E47-83147EB13E8C@yahoo.com>

unsubscribe

> On Oct 5, 2018, at 2:26 PM, keycloak-user-request at lists.jboss.org wrote:
>
> Send keycloak-user mailing list submissions to
>     keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
>     keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
>     keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
>    1. Re: Keycloak invalid redirect_uri with port 0? (Sebastien Blanc)
>    2. Re: Too many redirects with remember me checked (Amritha Amarnath)
>    3. Custom password policy - i18n messages (Lukasz Lech)
>    4. Re: Keycloak invalid redirect_uri with port 0? (Dean Poulin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 5 Oct 2018 11:37:29 +0200
> From: Sebastien Blanc
> Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port 0?
> To: dean at edgewoodsoftware.com
> Cc: keycloak userlist
> Message-ID:
> Content-Type: text/plain; charset="UTF-8"
>
> TBH no idea if it helps in your case, but there is a config property called
> "redirect-rewrite-rules" that may help you:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config
>
>
> On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin wrote:
>
>> Hi,
>>
>> I've tried a couple things in that comment so far:
>>
>> 1) Verified I'm sending through the headers and the spring boot app is
>> receiving the headers:
>>
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05 05:15:27.576  INFO 25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController  : host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-real-ip=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-for=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-proto=https
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-port=443
>>
>> I tried setting the spring boot keycloak config setting:
>>
>> keycloak.ssl-required = none
>>
>> That did remove the port 0 in the redirect_uri being generated but it also
>> set the redirect uri to be http instead of https, which seems like it'd be
>> bad. I do have nginx set to redirect all http requests to https anyway.
>>
>> Is there something else I need to do to get the spring boot app to
>> generate the correct redirect_uri with https? There must be some magic
>> config setting I've missed somewhere. I'll keep digging and share what I
>> find.
>>
>> Thanks,
>>
>> Dean Poulin
>> Owner & Principal Software Engineer
>> edgewood software
>> email: dean at edgewoodsoftware.com
>>
>>
>> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc wrote:
>>
>> Hi,
>>
>> We have a ticket concerning the 0 added as port:
>> https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan
>> it to work on it. But look at the comments, looks like there are some
>> workarounds for now (the last comment).
>>
>> Sebi
>>
>>
>> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin wrote:
>>
>>> Hi everyone,
>>>
>>> First email to the group here. I've been heavily underway implementing
>>> Keycloak for my app's auth needs and very impressed with the product. I've
>>> delayed emailing the group until I've spent hours of time trying to figure
>>> out this weird issue I'm experiencing. This might not be the best place to
>>> post this, but figured I'd start here.
>>>
>>> For some reason, when I visit my spring boot webapp that's protected by
>>> keycloak it's redirecting to keycloak as expected but the redirect_uri is
>>> being set with a port of 0 which is causing me to get an error on the
>>> keycloak login page saying "invalid redirect_uri."
>>>
>>> I've googled this and I've found some people having similar issues, but
>>> couldn't find solutions (e.g.
>>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234).
>>>
>>> My prod/test environment uses an nginx reverse proxy in front of my apps.
>>>
>>> I followed these steps:
>>> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
>>>
>>> The url that was throwing that error looked like this (see the port of 0
>>> in the url):
>>>
>>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
>>>
>>> The keycloak logs contained this error for the above url:
>>>
>>> Oct 05 02:39:40 sso01.example.com standalone.sh[20517]: 02:39:40,888 WARN  [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/sso/login
>>>
>>> As you can see for some reason the redirect_uri is being set with a port
>>> of 0.
>>>
>>> I put in the url with port 0 (https://www.example.com:0/sso/login) into the keycloak client config
>>> under Valid Redirect URIs and that removed the invalid redirect_url issue
>>> and the login page was now rendering without an error.
>>>
>>> However, when the redirect is performed after login, the browser gets
>>> screwed up with having port 0 in there. Google Chrome has this error:
>>>
>>> This site can't be reached
>>> The webpage at
>>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw
>>> might be temporarily down or it may have moved permanently to a new web
>>> address.
>>> ERR_ADDRESS_INVALID
>>>
>>> Here's my architecture:
>>>
>>> USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8042* -> SPRING BOOT APP (v2.0.5.RELEASE)
>>>
>>> USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8080* -> KEYCLOAK SERVER (v4.4.0.Final)
>>>
>>> Spring Boot App:
>>>
>>>     <dependency>
>>>         <groupId>org.keycloak.bom</groupId>
>>>         <artifactId>keycloak-adapter-bom</artifactId>
>>>         <version>4.4.0.Final</version>
>>>         <type>pom</type>
>>>         <scope>import</scope>
>>>     </dependency>
>>>
>>> ...
>>> >>> >>> org.keycloak >>> keycloak-spring-boot-starter >>> >>> >>> Config yaml: >>> >>> keycloak: >>> auth-server-url: https://sso.example.com/auth < >>> https://sso.example.com/auth > >>> realm: my-app >>> public-client: true >>> resource: my-client >>> ssl-required: external >>> >>> >>> >>> Nginx is configured as a reverse proxy with these settings for the spring >>> boot app: >>> >>> upstream app { >>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >>> } >>> >>> server { >>> listen 443; >>> server_name www.example.com >; >>> >>> ... >>> >>> location / { >>> proxy_set_header Host $host; >>> proxy_set_header X-Real-IP $remote_addr; >>> proxy_set_header X-Forwarded-For >>> $proxy_add_x_forwarded_for; >>> proxy_set_header X-Forwarded-Proto $scheme; >>> proxy_set_header X-Forwarded-Host $host; >>> proxy_set_header X-Forwarded-Port 443; >>> >>> proxy_next_upstream error timeout invalid_header http_500; >>> proxy_connect_timeout 2; >>> >>> proxy_pass http://app >; >>> } >>> } >>> >>> Nginx is configured as a reverse proxy with these settings for the >>> keycloak server: >>> >>> >>> upstream sso { >>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >>> } >>> >>> server { >>> listen 443; >>> server_name sso.example.com >; >>> >>> ... 
>>> >>> location / { >>> proxy_set_header Host $host; >>> proxy_set_header X-Real-IP $remote_addr; >>> proxy_set_header X-Forwarded-For >>> $proxy_add_x_forwarded_for; >>> proxy_set_header X-Forwarded-Proto $scheme; >>> proxy_set_header X-Forwarded-Host $host; >>> proxy_set_header X-Forwarded-Port 443; >>> proxy_next_upstream error timeout invalid_header http_500; >>> proxy_connect_timeout 2; >>> >>> proxy_pass http://sso >; >>> } >>> } >>> >>> My keycloak configuration for standalone.xml has these settings: >>> >>> Undertow config: >>> >>> >>> >> redirect-socket="proxy-https" enable-http2="true" >>> proxy-address-forwarding="true"/> >>> >> security-realm="ApplicationRealm" enable-http2="true"/> >>> >>> >>> >>> >>> >>> ? >>> >>> Socket Bindings: >>> >>> >> port-offset="${jboss.socket.binding.port-offset:0}"> >>> >> port="${jboss.management.http.port:9990}"/> >>> >> port="${jboss.management.https.port:9993}"/> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> Thanks for your help, I must have missed something somewhere. I just >>> can?t for the life of me find out where that port 0 is coming from. >>> >>> >>> Dean Poulin >>> Owner & Principal Software Engineer >>> edgewood software >>> email: dean at edgewoodsoftware.com > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > > ------------------------------ > > Message: 2 > Date: Fri, 5 Oct 2018 15:45:30 +0530 (GMT+05:30) > From: Amritha Amarnath > > Subject: Re: [keycloak-user] Too many redirects with remember me > checked > To: Martin Kanis > > Cc: keycloak-user at lists.jboss.org > Message-ID: > <3312779.577271538734530914.JavaMail.root at atmail.amritatech.com > > Content-Type: text/plain; charset="utf-8" > > > Hello , > > > > Application is using keycloak-4.1.0.Final . 
For keycloak log please find attachment > > > > -- > With Regards, > Amms > > > > ----- Original Message ----- > From: "Martin Kanis" > > To: "amritha amarnath" > > Cc: keycloak-user at lists.jboss.org > Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi > Subject: Re: [keycloak-user] Too many redirects with remember me checked > > > Hello, > > > what version of Keycloak do you have? Can you provide a Keycloak log? > > > Regards, > Martin > > > On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath < amritha_amarnath at amritatech.com > wrote: > > > > > > Hello, > > > My application have been deployed in Wildfly 11 and is integrated with standalone Keycloak and works fine. But the issue is, when the application is logged in with Remember-me checkbox checked, its showing too many redirects when restart the browser , even though the user session is valid. It leads to logout my application session manually from keycloak admin console. > > Wildfly log says: Account was not in session, returning null , there was no code > > > Once the user session also get expired its showing the login page with pre-filled username and remember-me checked as expected. > > > I am new to keycloak. So any idea regarding too many redirects with remember-me checked ? > > -- > With Regards, > Amms > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -------------- next part -------------- > A non-text attachment was scrubbed... 
> Name: keycloak.log > Type: text/x-log > Size: 4017 bytes > Desc: not available > Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181005/098966fb/attachment-0001.bin > > ------------------------------ > > Message: 3 > Date: Fri, 5 Oct 2018 10:19:14 +0000 > From: Lukasz Lech > > Subject: [keycloak-user] Custom password policy - i18n messages > To: "keycloak-user at lists.jboss.org " > > Message-ID: <5E48B917000C984B86B77170F441903A11D8D731 at exch.ringler.ch > > Content-Type: text/plain; charset="us-ascii" > > Hello, > > I've created my own password policy. > > It gives back PolicyError with i18n key. > > Where should I put the translations for that key? Do I need to append it to themes/base/login/messages/messages_XX.properties or I can provide them in other location (inside the jar, for example)? > > Best regards, > Lukasz Lech > > > > ------------------------------ > > Message: 4 > Date: Fri, 5 Oct 2018 06:26:52 -0400 > From: Dean Poulin > > Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port > 0? > To: Sebastien Blanc > > Cc: keycloak userlist > > Message-ID: > <21D201FB-E437-473E-87D7-6F63E31B8D53 at edgewoodsoftware.com > > Content-Type: text/plain; charset=utf-8 > > After a bit more trial and error the final setting that worked for me was to set: > > keycloak: > ssl-required: external > confidential-port: 443 > > Setting confidential-port to 443 is now generating the correct redirect_uri and having ssl-required set to external is using forcing https correctly. The redirect_uri no longer has port 0. > > https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%2Fsso%2Flogin&state=3107f446-eab4-4473-903b-d6dd5746fc2d&login=true&scope=openid > > > Thanks again for your help pointing me in the right direction. 
>
> Dean Poulin
> Owner & Principal Software Engineer
> edgewood software
> email: dean at edgewoodsoftware.com
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 58, Issue 18
> *********************************************
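The fix that closed Dean's thread was adapter configuration (`ssl-required: external` plus `confidential-port: 443`), and the interim workaround he tried, registering `https://www.example.com:0/sso/login` under Valid Redirect URIs, is the part worth flagging. The Python below is an added example, not the Keycloak Spring Boot adapter's code and not anything posted in the thread. It models, in simplified form, what an application behind a reverse proxy has to do to rebuild its external origin from the `X-Forwarded-*` headers the nginx configs above set, and shows the two checks a practitioner wants around that: honour those headers only when the TCP peer is a trusted proxy, and refuse to send the browser to the IdP with an unusable `redirect_uri` (such as one with port 0) instead of letting Keycloak reject it with `invalid_redirect_uri`. The trusted-proxy ranges, the local origin `app.internal:8042`, the callback path `/sso/login` and the header dictionaries are constructed for the example; `redirect_uri_allowed` only imitates the shape of Keycloak's Valid Redirect URIs matching (exact match or a trailing `*` prefix) and is not Keycloak's implementation.

```python
"""Rebuilding an OIDC redirect_uri behind a reverse proxy.

Added, simplified illustration; not the Keycloak Spring Boot adapter.
Assumptions (constructed for the example): the trusted-proxy ranges, the
app's local origin http://app.internal:8042 and the callback path.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

# Assumption: only these peers may set X-Forwarded-* on the app's behalf.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]
DEFAULT_PORTS = {"http": 80, "https": 443}
LOCAL_ORIGIN = ("http", "app.internal", 8042)  # assumption: what the app binds to


def from_trusted_proxy(peer_ip: str) -> bool:
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def external_origin(headers: dict, peer_ip: str) -> tuple:
    """Return (scheme, host, port) as the browser saw them.

    X-Forwarded-* is honoured only when the TCP peer is a trusted proxy;
    otherwise anyone who can reach port 8042 directly could choose the host
    the authorization code is later sent back to. Raises ValueError when the
    external port cannot be determined, so the app fails locally instead of
    sending something like https://host:0/... to the IdP.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    scheme, host, port = LOCAL_ORIGIN
    raw_port = str(port)
    if from_trusted_proxy(peer_ip):
        scheme = h.get("x-forwarded-proto", scheme).lower()
        host = h.get("x-forwarded-host", host)
        raw_port = h.get("x-forwarded-port", "")
    if ":" in host:  # X-Forwarded-Host may carry "host:port" (IPv6 literals not handled here)
        host, embedded = host.rsplit(":", 1)
        raw_port = raw_port or embedded
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    port = int(raw_port) if raw_port.isdigit() else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid external port {port} for {scheme}://{host}")
    return scheme, host, port


def build_redirect_uri(origin: tuple, path: str = "/sso/login") -> str:
    scheme, host, port = origin
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def authorization_url(auth_server_url: str, realm: str, client_id: str,
                      redirect_uri: str, state: str, scope: str = "openid") -> str:
    """The Keycloak authorization endpoint URL the app redirects the browser to."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": scope}
    return f"{auth_server_url}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def redirect_uri_allowed(redirect_uri: str, valid_redirect_uris: list) -> bool:
    """Imitates the shape of Keycloak's Valid Redirect URIs check (exact match,
    or prefix match when a pattern ends in '*'). Not Keycloak's implementation."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


# Constructed sample requests, mirroring the header values in the thread's log.
PROXIED_REQUEST = {"Host": "www.example.com", "X-Real-IP": "1.2.3.4",
                   "X-Forwarded-For": "1.2.3.4", "X-Forwarded-Proto": "https",
                   "X-Forwarded-Host": "www.example.com", "X-Forwarded-Port": "443"}
BROKEN_PORT_REQUEST = dict(PROXIED_REQUEST, **{"X-Forwarded-Port": "0"})
SPOOFED_REQUEST = dict(PROXIED_REQUEST, **{"X-Forwarded-Host": "attacker.example"})
VALID_REDIRECT_URIS = ["https://www.example.com/*"]  # assumption: the client's registered pattern

if __name__ == "__main__":
    uri = build_redirect_uri(external_origin(PROXIED_REQUEST, "127.0.0.1"))
    print(authorization_url("https://sso.example.com/auth", "my-app", "my-client", uri, "c4a0f8fc"))
    print(uri, "allowed:", redirect_uri_allowed(uri, VALID_REDIRECT_URIS))
    try:
        external_origin(BROKEN_PORT_REQUEST, "127.0.0.1")
    except ValueError as err:
        print("refused before redirecting:", err)
    # Same spoofed headers from a peer that is not our proxy: they are ignored.
    print(build_redirect_uri(external_origin(SPOOFED_REQUEST, "203.0.113.5")))
```

Two things follow from running it. First, the only reason `X-Forwarded-Host` can be trusted at all is the peer check: nginx overwrites the header on every proxied request, but the app listener on 8042 is plain HTTP and, if it is reachable from anywhere but the proxy, a client that sets its own `X-Forwarded-Host` would have the app build a `redirect_uri` pointing at a host of the client's choosing. Keycloak's Valid Redirect URIs check on the server side is the backstop for exactly that, which is why registering a bogus entry such as the `:0` URL (or widening the pattern to a bare wildcard) to silence `invalid_redirect_uri` removes protection rather than fixing the cause. Second, rejecting an unusable port in the app turns the `LOGIN_ERROR ... error=invalid_redirect_uri` event Dean had to dig out of the Keycloak log into a local, immediately debuggable failure; the `confidential-port` setting that resolved his case is what supplies the port the adapter could not otherwise determine.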